Aaron Maguregui Assesses New Third-Party Tracking Guidance Update
Foley & Lardner LLP partner Aaron Maguregui comments on the U.S. Health and Human Services Office for Civil Rights’ (OCR) recently updated guidance on third-party tracking technology in the HealthITSecurity article, “How updated third-party tech guidance affects compliance efforts.”
“It’s really those third-party tracking technologies that are used for purposes of targeted marketing that the guidance is looking to regulate,” Maguregui noted, emphasizing that not all third-party technologies are a compliance risk or within the guidance’s scope.
Critiquing the guidance’s expectation that covered entities discern the intent of website visitors, he said, “The only way to infer intent is seeing what a user clicks on when they reach the landing page. If you can’t glean from that limited information, then you’re essentially as in the dark as before.”
Maguregui advised HIPAA-covered entities to have a business associate agreement in place if they are working with a tracking technology vendor that accesses automatically collected website data, and he stressed the importance of understanding data collection, usage, and disclosure, particularly around protected health information (PHI).
“The best practice here is to go through every aspect of your workflow and figure out, first of all, what data are you collecting? Second, what kind of story are you building on that user?” he added. “And if you are ultimately building a medical record or a subset of data that will ultimately be used to treat that patient, it’s likely going to be PHI.”
(Subscription required)