Updated HIPAA Guidance on Use of Online Tracking Technologies, by Abbye Alexander, Esq. and Christopher Tellner, Esq., 5-14-2024
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently updated its guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) regarding the use of online tracking technologies.
Websites commonly use tracking technologies such as cookies, web beacons, or tracking pixels to track and collect information from users. They do this in various ways, many of which are not apparent to the website or mobile app user and may run afoul of HIPAA rules.
Given the proliferation of tracking technologies collecting sensitive information, OCR is providing the guidance “as a reminder that it is critical for regulated entities to ensure that they disclose protected health information (PHI) only as expressly permitted or required by the HIPAA Privacy Rule,” according to the agency.
Background
OCR originally released the guidance in December 2022 but faced legal backlash from the American Hospital Association (AHA), which sued the agency in November 2023 to “bar enforcement of a December 2022 rule that restricts the use of standard third-party web technologies that capture IP addresses on portions of hospitals’ public facing webpages,” according to the AHA. The AHA was joined by the Texas Hospital Association, Texas Health Resources and United Regional Health Care System in filing the lawsuit.
According to OCR, the agency updated its guidance to increase clarity for regulated entities and the public. Still, the AHA maintains that the updated guidance “suffers from the same basic substantive and procedural defects as the original one,” noting “the modified rule will continue to chill hospitals’ use of commonplace technologies that allow them to effectively reach patients in need.”
Impermissible Disclosures
Still, OCR stands firm that a “regulated entity’s failure to comply with the HIPAA rules may result in a civil money penalty.”
The guidance makes unequivocally clear that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures, according to the agency.
Much of the original guidance is in the update, but the updated guidance does attempt to clarify certain points including that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute individually identifiable health information (IIHI) if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”
For example, where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve a disclosure of an individual’s PHI to a tracking technology vendor.
The guidance also explains when tracking technologies used on unauthenticated webpages could capture PHI. The agency defines unauthenticated webpages as webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, visiting hours, employment opportunities, or their policies and procedures.
For example, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care, according to the guidance.
But some critics argue that the guidance still does not provide clarity regarding how a regulated entity can determine a webpage visitor’s intent in browsing a site.
Additional Requirements
Separately, the guidance also clarifies certain requirements, including the obligation of a covered entity to establish a business associate agreement (BAA) with a tracking technology vendor that specifies the vendor’s permitted and required uses and disclosures of PHI and provides that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the regulated entity, among other requirements.
Given this revised guidance, it is clear this is a hot-button issue OCR will continue to focus on. While enforcement of this guidance could be impacted by the AHA’s pending litigation, covered entities should continue to assess their use of online tracking technologies.
If you need assistance navigating the new guidance, the Health Care/Managed Care attorneys at Kaufman Dolowich have a deep understanding of the complex legal landscape and rapidly changing regulatory environment that health care providers operate within and can help.