What is Online Tracking Technology, and How to Find and Remove Tracking Tech?

According to the HHS (U.S. Department of Health and Human Services), tracking technologies are tools that websites and mobile apps use to monitor what users do on their platforms. These tools help them understand how people use their services and improve them.

It's important to know that tracking technologies are not just cookies. They can include various things like "web beacons" or "tracking pixels," "session replay scripts," and "fingerprinting scripts."

When these tracking technologies are used in mobile apps, they can keep an eye on things like your device's ID, where you are (your geo-location), or even your advertising ID. All this collected information helps the app owners and sometimes other companies, like advertisers, build profiles about you. These profiles are used to show you ads they think you might be interested in.

In simple terms, tracking technologies are tools that websites and apps use to watch what you do, gather information about you, and use that information to show you specific ads or improve their services.
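An added, defender-side example (not part of the original article, which describes no tooling) showing one way to find the tracking technologies listed above in a page's own HTML: a small Python auditor that flags tiny (0x0 or 1x1) images, scripts whose source names suggest session replay or fingerprinting, and resources loaded from hosts matching a few constructed hint patterns. The host and filename hints and the sample HTML are constructed assumptions, not a vendor list.

```python
"""Audit an HTML document for common web tracking technologies."""
from html.parser import HTMLParser

# Constructed hint patterns for this example; a real audit would use a
# maintained list of the tracking vendors actually embedded on your site.
TRACKER_HOST_HINTS = ("pixel.", "analytics.", "tracker.", "beacon.")
SESSION_REPLAY_HINTS = ("replay", "recordsession")
FINGERPRINT_HINTS = ("fingerprint",)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (with or without 'px')."""
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")


class TrackerAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, src) tuples in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        raw_src = a.get("src") or ""
        src = raw_src.lower()
        if tag == "img":
            # A hidden 1x1 image is the classic "web beacon" / tracking pixel.
            if (_tiny(a.get("width")) and _tiny(a.get("height"))) or any(
                h in src for h in TRACKER_HOST_HINTS
            ):
                self.findings.append(("tracking_pixel", raw_src))
        elif tag == "script" and src:
            if any(h in src for h in SESSION_REPLAY_HINTS):
                self.findings.append(("session_replay", raw_src))
            elif any(h in src for h in FINGERPRINT_HINTS):
                self.findings.append(("fingerprinting", raw_src))
            elif any(h in src for h in TRACKER_HOST_HINTS):
                self.findings.append(("third_party_script", raw_src))
        elif tag == "iframe" and any(h in src for h in TRACKER_HOST_HINTS):
            self.findings.append(("tracking_iframe", raw_src))


def audit_html(html):
    """Return the list of (kind, src) findings for one HTML document."""
    parser = TrackerAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one real logo, one tracking pixel, one app script,
# one session-replay script and one fingerprinting script.
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png" width="200" height="50">
<img src="https://pixel.ads-example.test/collect?uid=123" width="1" height="1" style="display:none">
<script src="/static/app.js"></script>
<script src="https://cdn.replay-vendor.test/replay.js"></script>
<script src="https://fp.vendor-example.test/fingerprint.min.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, src in audit_html(SAMPLE_HTML):
        print(f"{kind:20s} {src}")
```

Every flagged resource is a candidate to remove from the template or to route through a vendor covered by a Business Associate Agreement, as the HIPAA requirements later in this article describe.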

Regulated organizations share information with tracking technology providers through tools on their websites or mobile apps. This information includes individually identifiable health information (IIHI) that individuals provide when using these platforms. It can encompass an individual's medical record number, home or email address, appointment dates, as well as their IP address, geographic location, medical device IDs, or unique identifying codes.

It's important to note that all IIHI collected on a regulated organization's website or app is generally considered Protected Health Information (PHI), which is what makes online tracking technology a real health privacy risk. This applies even if the individual doesn't have an established relationship with the organization, and even if the IIHI, like IP addresses or location data, doesn't contain specific treatment or billing details such as dates and types of healthcare services.

This classification applies because when a regulated organization collects an individual's IIHI through its website or app, it links that person to the regulated organization. This connection indicates that the individual has received or will receive healthcare services or benefits from the covered entity, making the information pertinent to the individual's past, present, or future health, healthcare, or payment for healthcare.

When regulated organizations use tracking technologies that have access to Protected Health Information (PHI), they must follow the HIPAA (Health Insurance Portability and Accountability Act) Rules to manage the health privacy risks these technologies create.

Here are the critical requirements simplified:

1. Permission and Minimum Disclosure:

  • Regulated entities can only disclose PHI to tracking tech vendors if allowed by the Privacy Rule.
  • They should share the minimum necessary PHI to achieve the intended purpose.

2. Privacy Policy Not Enough:

  • Simply mentioning tracking technologies in a privacy policy isn't sufficient.
  • Regulated entities must ensure all vendors sign a Business Associate Agreement (BAA) before PHI disclosure.

3. HIPAA Authorization Needed:

  • Individual HIPAA-compliant authorizations are necessary if there is no Privacy Rule permission or the vendor isn't a business associate.
  • Banner notifications asking users to accept or reject tracking technologies aren't valid HIPAA authorizations.

4. Business Associate Agreement (BAA):

  • Establish a BAA with tracking tech vendors.
  • It must specify how the vendor can use and disclose PHI, ensuring PHI protection and reporting security incidents.

5. Vendor's Status as Business Associate:

  • Determine if the tracking tech vendor meets the definition of a "business associate."
  • Signing a BAA doesn't make them a business associate if they don't meet the definition.

6. Security Measures:

  • Address tracking technologies in risk analysis and risk management processes.
  • Implement security measures per the Security Rule, like encrypting transmitted ePHI and using authentication and audit controls.

7. Breach Notification:

  • If there's an impermissible disclosure of PHI to a tracking tech vendor without Privacy Rule permission or a BAA, breach notification is required.
  • Assume a breach of unsecured PHI unless there's a low probability of compromise.

In summary, regulated entities must be careful when using tracking technologies with access to PHI, ensuring compliance with HIPAA rules to protect patient information.