HHS Updated: March 18th, 2024
The Department of Health and Human Services (HHS) has provided updated information about user tracking on websites and mobile apps. This update highlights that browsing data tied to a patient’s healthcare needs remains safeguarded under HIPAA. The updated guidance emphasizes that simply having consent banners is insufficient for compliance. HHS considers the intent of a user’s visit to determine HIPAA compliance. If the visit is related to past, present, or future healthcare needs, the data is covered. Healthcare systems will face challenges in determining individual user intent. In most cases, by default, this guidance changes nothing about the high compliance and privacy standards. These standards are applied to the digital properties of ‘covered entities’ under HIPAA.
This guidance also emphasizes that merely adding a cookie or consent banner to your website isn’t sufficient for compliance. From the guidance: “Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.” The guidance reinforces that A BAA is required with a tracking vendor to collect information in a HIPAA-compliant way.
The release provides two specific examples of actions to take when a tracking vendor refuses to sign a BAA with you:
- Prior to the transmission of data to the third-party tool, you must remove PHI information from the data (de-identify the data): “If there is not an applicable Privacy Rule permission or if the vendor is not a business associate of the regulated entity, then the individuals’ HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor.”
- Or, if you wish, you may contact each individual from whom you have collected data and obtain their written consent before transmitting data to a third-party vendor.
This reaffirms HHS’s previous stance, especially significant considering the lawsuits from Texas hospitals challenging it. The first of these standards is possible with a selection of paid tools. The second of these standards will be challenging to the point of impracticality for most healthcare organizations.
Additionally, a reputable law firm offers further insights.
To access the complete release from the Department of Health and Human Services, please click here.