HHS OCR Updates Guidance on Tracking Technologies

On March 18, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) revised its guidance on the "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates."

The impact of the revised guidance

The OCR’s revisions to the guidance did not substantively change the prior guidance and are focused primarily on issues related to the use of tracking technology on unauthenticated webpages.

The most significant revision is a clarification that online tracking technology that “connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute individually identifiable health information (IIHI), if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.” Because information must be IIHI to meet the definition of protected health information (PHI), such a visit does not generate PHI either.

In connection with that clarification, the OCR provided the following examples of the types of visits to unauthenticated webpages that would not be related to an individual’s past, present, or future health, health care, or payment for health care:

  • A user looking for information about visiting hours.

  • A student researching the changes in the availability of oncology services before and after the COVID-19 public health emergency.

However, as the guidance notes, if a tracking technology on an unauthenticated webpage collects information that identifies an individual together with the fact that the individual is seeking health care services (for example, seeking a second opinion on a diagnosis, scheduling an appointment, or using a symptom analysis tool), that tracking technology has access to PHI.

Why did the OCR revise the guidance?

The OCR’s clarification appears to be a response to the ongoing lawsuit filed by the American Hospital Association and others challenging the OCR’s 2022 guidance on unauthenticated webpages (the “2022 Guidance”). The lawsuit alleged, among other things, that the 2022 Guidance, which stated that “[t]racking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, . . . may have access to PHI in certain circumstances,” improperly expanded the definition of IIHI beyond its statutory and regulatory definitions.

Key takeaways

Practically speaking, absent a gating mechanism that accurately discerns a user’s intentions, it is impossible to know with any certainty why an individual chooses to visit an unauthenticated webpage that includes health condition or health provider information, so the revised guidance is, in practice, closely aligned with the 2022 Guidance. As a result, HIPAA regulated entities should still take steps to:

  • Identify the tracking technologies deployed on their unauthenticated webpages in light of the content of those webpages (e.g., do the pages contain information about health conditions or providers, or merely information such as job postings?).

  • If tracking technologies are deployed on unauthenticated webpages, determine whether the technologies may be accessing information about an individual seeking information related to their own past, present, or future health care or payment for health care, together with an identifier such as an IP address. If so, ensure that there is a Business Associate Agreement in place with that tracking technology vendor.

  • Alternatively, consider implementing technical solutions that eliminate the need to share IIHI with the tracking technologies.

  • Examine past deployments of tracking technologies on webpages and determine whether disclosures of PHI to tracking technology vendors constitute a breach of PHI, necessitating further steps to ensure compliance with the HIPAA breach notification rule.

  • Lastly, assess whether information disclosed to tracking technologies that is not PHI may still be regulated as health information under state privacy laws and subject to separate requirements.

Sheila Sokolowski is a Partner at Hintze Law PLLC and is Co-Chair of the firm’s Health and Biotech Privacy Group. She is ranked by Chambers USA and counsels clients across industries on data privacy and security risk mitigation and management strategies. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.