Publication
International Restructuring Newswire
Welcome to the Q2 2024 edition of the Norton Rose Fulbright International Restructuring Newswire.
OCR warns impermissible use of online trackers can violate HIPAA
Regulated entities must ensure disclosures to tracking technology vendors are permitted and enter into a business associate agreement
United States | Publication | December 2022
On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a 12-page Bulletin highlighting the obligations of HIPAA covered entities (including providers and health plans) and business associates that use online tracking technologies on websites or mobile applications. The Bulletin cautions that HIPAA-regulated entities are not permitted to use tracking technologies in a manner that results in impermissible disclosures of protected health information (PHI) to tracking technology vendors or any other violations of the HIPAA Privacy, Security and Breach Notification Rules. To that end, regulated entities must ensure that such disclosures are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors “to ensure PHI is protected in accordance with HIPAA Rules.”
For a detailed overview of the Bulletin, including technical steps you can take, please see the following blog post, "HHS: Online trackers without prior authorization and BAAs can violate HIPAA," produced by Norton Rose Fulbright’s dedicated Information Governance, Privacy and Cybersecurity practice group.
Recent publications
Subscribe and stay up to date with the latest legal news, information and events . . .