HHS Releases Recommendations On Online CRM Tracking Tools


A bulletin from the U.S. Department of Health and Human Services highlights how the HIPAA Privacy, Security, and Breach Notification Rules apply to regulated companies and business partners when they employ online monitoring technology.

These tracking systems have raised various questions about the security of patient data and led to a number of class-action lawsuits, posing a new problem for healthcare companies.

HHS has released a new advisory that discusses how online monitoring tools like Google Analytics and Meta Pixel gather data on how people engage with websites and mobile apps operated by entities subject to HIPAA regulations. The department states that regulated entities are not permitted to use tracking technologies in a way that may result in unlawful disclosures of ePHI to tracking technology suppliers or in any other breaches of the HIPAA Rules.

The advisory describes what tracking technologies are, how to use them, and the precautions that healthcare organisations and others employing tracking technology under HIPAA must take to secure protected health information.

The bulletin offers information about, and examples of:

  • Monitoring on websites.
  • Tracking through smartphone apps.
  • The HIPAA compliance duties of regulated entities when utilising tracking technologies.

The HHS warning makes it clear that PHI disclosure is prohibited when pixels are used for customer relationship management procedures. It also explains when authorizations that comply with HIPAA are necessary.

Furthermore, the FDA claims that it is insufficient to charge providers of monitoring technology with erasing or de-identifying PHI.

Providers, health plans, and companies subject to HIPAA regulation, such as technology platforms, are required to abide by the law. This implies that while utilising tracking technologies, the dangers to patient health data should be taken into account, said Melanie Fontes Rainer, director of the HHS Office of Civil Rights.

This advisory offers guidance on how to safeguard the privacy and security of personal health data held by those who use tracking technologies.