About Tracking Technology
- Script or code on websites/mobile apps analyzes a user’s online activity.
- Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.
- Regulated entities must ensure their tracking technologies align with HIPAA standards when the data involves PHI.
HIPAA Mandate
- Require a login to access the webpage, such as a patient or health plan beneficiary portal.
- May have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal.
- Do not result in a disclosure of PHI where a user merely visits pages about a hospital’s job postings and visiting hours.
- Deemed a disclosure of PHI when:
  - Identifying information is collected while the user is seeking a second opinion on the treatment of a brain tumor
  - Identifying information is collected when scheduling appointments or using a symptom-checker tool
- Mobile apps can collect information such as fingerprints, network location, geolocation, device ID, or advertising ID. These are generally considered to be PHI.
- Patients often use mobile apps to track information such as glucose levels and insulin doses; transmission of this information to a tracking technology vendor is considered a disclosure of PHI.
HIPAA Scope
Online Tracking Assessment Report
- Crawl the in-scope websites to identify calls to third-party resources.
- Review third-party resources to identify those implementing tracking or fingerprinting technologies.
- Identify the specific third-party resources on each crawled page potentially providing those features.
- Establish actionable recommendations.
- Provide a report on websites employing tracking or fingerprinting technologies.
- Ensure HIPAA compliance in line with OCR guidance.
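The first three assessment steps above (find calls to third-party resources, decide which implement tracking, and tie each one to the page it appears on) can be sketched for a single page as follows. This is an added example, not code from this page or its provider; the tracker map is a small illustrative assumption and the sample page, hosts and IDs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Illustrative, non-exhaustive host suffix -> category map (assumption).
TRACKERS = {
    "googletagmanager.com": "tag manager",
    "connect.facebook.net": "tracking pixel",
    "hotjar.com": "session replay",
}
# Constructed sample page; every host and ID below is a placeholder.
SAMPLE_URL = "https://hospital.example/appointments"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://static.hotjar.com/c/hotjar-000000.js"></script>
</head><body>
<img src="https://static.hospital.example/logo.png">
<iframe src="https://widgets.scheduler.example/embed"></iframe>
</body></html>"""

class ResourceCollector(HTMLParser):
    """Collect absolute URLs of resources the browser fetches via src=."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.resources = page_url, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            # urljoin resolves relative and protocol-relative (//host) URLs
            self.resources.append((tag, urljoin(self.page_url, src)))

def classify(host):
    """Return the tracker category for a host, or None if not in the map."""
    for suffix, category in TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return None

def third_party_report(page_url, html):
    """Return sorted (host, tag, category) tuples for off-site resources."""
    first_party = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = set()
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host and host != first_party and not host.endswith("." + first_party):
            findings.add((host, tag, classify(host)))
    return sorted(findings, key=lambda f: (f[0], f[1]))
```

A category of `None` marks a third-party resource that still needs manual review. Static HTML parsing does not see resources that scripts load at runtime, so a full assessment also records the network requests a real browser makes on each page.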