
Knowing you visited a hospital at a certain time and date would be health data, right? Are they just sharing like, email addresses in a big list, or are they giving metadata about when people show up?



It depends, basically. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...

> Regulated entities may also have unauthenticated webpages, which are webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, visiting hours, employment opportunities, or their policies and procedures. Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors. Regulated entities are required to “[e]nsure the confidentiality, integrity, and availability of all electronic PHI the [regulated entity] creates, receives, maintains, or transmits.” Thus, regulated entities that are considering the use of online tracking technologies should consider whether any PHI will be transmitted to a tracking technology vendor, and take appropriate steps consistent with the HIPAA Rules.



