OCR Updates HIPAA Guidance for Online Tracking Technologies: What You Need to Know

April 9, 2024

Did you get a chance to see the eclipse yesterday? We hope you kept your eyes protected! 

Well, unlike the eclipse, we’re not going to leave you in the dark (see what we did there?) on the latest compliance news. 

The Office for Civil Rights (OCR) recently updated its guidance on online tracking technologies for Covered Entities (CEs) and Business Associates (BAs).

Want to see how this affects you? We’re here to help shed some light on what this new guidance means for your practice or business. 

What are online tracking technologies? 

You might be wondering: what are online tracking technologies?

Online tracking technologies are tools that websites or apps use to track consumer behavior. Examples include cookies, web beacons, and tracking pixels. These technologies embed code on a webpage that can store and share information about a viewer of the website.

This information includes:

  • IP Address
  • Location of User
  • Browser & Device Information
  • Other unique identifiers

Now, you might ask why healthcare organizations would use technology like this, since it straddles a fine line under HIPAA. It’s true, online tracking and healthcare data seem like an uneasy mix, but they can be beneficial if handled correctly.

Online tracking allows website owners to learn more about their viewers. In the case of healthcare, analytics can be key. For example, by using online tracking to see if people in a certain area are searching for information about a specific treatment, healthcare organizations could gain valuable insights. This information could then be used to make more informed decisions about allocating resources in that area.

Analytics can be extremely worthwhile in healthcare, but it all depends on using tracking technology safely so that your patients’ privacy is protected.

Striking a Balance

OCR has issued guidance on the compliant use of tracking technology.

This follows major fines related to tracking technology, such as NewYork-Presbyterian Hospital being fined $300,000 for improper online tracking.

First, tracking technology vendors, like the marketing companies you work with, must sign a Business Associate Agreement (BAA). A BAA defines your business relationship with a BA or sub-BA and establishes accountability for HIPAA on both sides. Like most things in compliance, there’s never too much paperwork!

Next, HIPAA rules apply to user-authenticated pages. User-authenticated pages are the password-protected sections of a website, like patient portals. These pages contain sensitive Protected Health Information (PHI), such as addresses and medical records, that directly identifies the user of the website.

For unauthenticated pages, like a hospital’s general public website, HIPAA usually does not apply, because tracking technologies on these pages do not have access to individuals’ PHI. However, if a tracking technology on such a page does have access to PHI, HIPAA applies. Context matters as well. Overall, HIPAA applies only if the information disclosed relates to an individual’s past, present, or future health, health care, or payment for health care.

Tracking on mobile apps also falls under this guidance. If a mobile app offered by a CE or BA collects information about a user, such as a health clinic’s diabetes management app that tracks glucose levels, that information is PHI. If, on the other hand, a user voluntarily uploads health information to a health app, HIPAA does not apply.

Additionally, track only the minimum necessary information to keep your patients’ information safe.
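A practical way to check the points above (BAA-covered vendors, authenticated vs. unauthenticated pages, minimum necessary) is to audit which third-party hosts each page of your site loads scripts, images, or frames from. The script below is an added example, not Abyde’s software or anything from the OCR guidance; the site name, vendor hostnames, and page HTML are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample: (page URL, requires login?, page HTML). Hostnames are placeholders.
FIRST_PARTY = "example-clinic.test"
VENDORS_WITH_BAA = {"analytics.baa-vendor.test"}  # vendors that have signed a BAA
SAMPLE_PAGES = [
    ("https://example-clinic.test/", False,
     '<html><script src="https://cdn.tracker.test/pixel.js"></script>'
     '<img src="/logo.png"></html>'),
    ("https://example-clinic.test/portal/appointments", True,
     '<html><img src="https://cdn.tracker.test/px.gif?u=1" width=1 height=1>'
     '<script src="https://analytics.baa-vendor.test/a.js"></script></html>'),
    ("https://example-clinic.test/portal/login", True,
     '<html><script src="https://static.example-clinic.test/app.js"></script></html>'),
]

# Matches the src of script, img (tracking pixels) and iframe tags.
SRC_RE = re.compile(r'<(?:script|img|iframe)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def third_party_hosts(html, first_party):
    """Return hosts other than the site's own domain (and subdomains) that the page loads from."""
    hosts = set()
    for src in SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for relative paths such as /logo.png
        if host and host != first_party and not host.endswith("." + first_party):
            hosts.add(host)
    return hosts


def audit(pages, first_party, vendors_with_baa):
    """Classify each third-party host per page: (url, host, level).

    HIGH   - authenticated page sends data to a vendor without a BAA
    INFO   - authenticated page, vendor has a BAA; confirm only minimum necessary data is sent
    REVIEW - unauthenticated page; HIPAA applies only if PHI is actually disclosed
    """
    findings = []
    for url, authenticated, html in pages:
        for host in sorted(third_party_hosts(html, first_party)):
            if authenticated and host not in vendors_with_baa:
                findings.append((url, host, "HIGH"))
            elif authenticated:
                findings.append((url, host, "INFO"))
            else:
                findings.append((url, host, "REVIEW"))
    return findings


if __name__ == "__main__":
    for url, host, level in audit(SAMPLE_PAGES, FIRST_PARTY, VENDORS_WITH_BAA):
        print(f"{level:6} {url} -> {host}")
```

Static HTML cannot show cookies set by a vendor script at runtime, so treat this as a first pass and confirm the actual requests in the browser’s network tools.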

How can Abyde help?

With the rise of new technologies, practices and businesses must navigate how to use these new tools wisely. 

Well, think of Abyde as your compass. Abyde simplifies compliance with our software solution, which offers a variety of resources to help you stay on track. For instance, the BAAs that must be signed? You can complete them in seconds with our dynamically generated documentation, and all that’s needed from you is a signature. Need training? We have a training portal in the software! Overall, we have a lot of resources to make compliance easy!

To learn more about how this new guidance affects your practice or business, email us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates.