HHS Issues Guidance on Requirements Under HIPAA for Online Tracking Technologies, Addressing Privacy and Security Concerns Related to Health Information
By Jennifer S. Geetter, Elliot R. Golding, Amy C. Pimentel, Scott Weinstein, Edward G. Zacharias and Marine Margaryan on December 20, 2022
Posted In Privacy and Data Security
On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) when using online tracking technologies, such as cookies, web beacons and pixels. The Bulletin aims to provide further clarity on when identifiable information collected by such tracking technologies may also constitute protected health information (PHI) as defined and interpreted under the HIPAA Rules. In such instances, the Bulletin instructs that the technology vendor may be seen as providing a service to the regulated entity that would, in light of the use and disclosure of PHI, create a direct or downstream business associate relationship. Accordingly, the Bulletin states that the regulated entities would need to enter into a business associate agreement (BAA) with the vendor of the technology (and the vendor would, in turn, become a regulated entity) and meet other requirements under the HIPAA Rules. The Bulletin provides long-awaited guidance to help regulated entities review their positions and procedures concerning tracking technologies to ensure that the trackers they implement either do not collect PHI or meet the prerequisites outlined in the Bulletin.
Jennifer S. Geetter
Jennifer S. Geetter advises global life sciences, health care and informatics clients on legal issues attendant to biomedical innovation, research compliance, financial relationship management, digital health practices, and global privacy and data security laws. Jennifer represents a broad range of clients.
Elliot R. Golding
Elliot Golding provides business-oriented privacy and cybersecurity advice to global companies spanning virtually every sector of the economy, with particular expertise in the technology, health care/life sciences, retail/ecommerce, automotive and financial sectors. His practical approach gives clients actionable advice to help balance legal risk with business needs, particularly relating to innovative issues such as “digital health” technologies, biometrics, the Internet of Things, data monetization, online advertising technology and Artificial Intelligence/Machine Learning tools. He provides both day-to-day product counseling and helps companies develop global compliance programs that harmonize CCPA/CPRA (and equivalent laws in Virginia, Colorado, and Utah); GDPR and other international laws; specific rules in the highly regulated health and financial sectors (HIPAA/HITECH, ONC Information Blocking and CMS Interoperability Rules, 42 CFR Part 2, the Common Rule, GLBA, and state equivalents); marketing rules (TCPA, CANSPAM, and industry self-regulatory standards); security standards (such as PCI-DSS, NIST, and ISO); and many others. Elliot has also managed hundreds of breaches and ransomware attacks, guiding clients through all aspects of investigation, notification, remediation and engagement with regulators.
Amy C. Pimentel
Amy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services.
Scott Weinstein
Scott A. Weinstein provides legal counsel on health care regulatory compliance, contracting and transactional due diligence, with a focus on health information privacy and security, Medicare and Medicaid's health information technology and quality reporting requirements, and clinical research regulations. Scott additionally provides legal counsel on federal and state privacy and data protection laws, with a focus on privacy audits and the development of internal and externally facing privacy policies for websites and mobile applications.
Edward G. Zacharias
Edward G. Zacharias is the managing partner of McDermott’s Boston office. Clients across the healthcare industry and beyond turn to him for practical, business-oriented counsel on their most significant privacy and cybersecurity compliance, healthcare regulatory and transactional matters. Ed’s clients include “Big Tech” companies, health information technology and digital health companies, healthcare providers, insurers, electronic health record platforms, pharmacies, drug and device manufacturers, life sciences companies and health services vendors.
Marine Margaryan
Marine Margaryan, CIPP/US focuses her practice on privacy and cybersecurity matters. She counsels clients on the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and other privacy laws and develops privacy and compliance programs. She also advises clients on privacy matters for new products and initiatives, cross-border data transfers and various state health privacy laws.