On March 18, 2024, the Office for Civil Rights (“OCR”) issued an update to its December 2022 Bulletin on the use of online tracking technologies by HIPAA-regulated entities. When originally published, the Bulletin aimed to clarify when identifiable information collected by tracking technologies on a regulated entity’s website may constitute protected health information (“PHI”) as defined and interpreted under the HIPAA Rules. Its stated purpose was to help regulated entities review their use of tracking technologies and ensure that those technologies either do not collect and transmit PHI or meet the requirements outlined in the Bulletin.
OCR is now revising the Bulletin to offer additional clarity to regulated entities and the public regarding the use of tracking technologies. Notably, the revisions come in the context of a pending lawsuit that the American Hospital Association (“AHA”) filed against OCR seeking to enjoin OCR from enforcing the Bulletin and to obtain a declaratory judgment that IP addresses are not individually identifiable health information (“IIHI”) under HIPAA. According to public court filings in that case, OCR believed it could revise the guidance in a manner that would render further litigation unnecessary. However, settlement discussions between the AHA and OCR appear to have reached an impasse days before the revised Bulletin was issued, which suggests that the revisions did not go far enough to satisfy the AHA’s concerns.
The updated Bulletin offers some clarification but does not vary materially from the previous version issued in December 2022. Some key observations regarding the updated Bulletin include:
- OCR attempted to soften some language regarding when IP addresses may be considered IIHI for purposes of HIPAA, stating that an IP address of a user’s device (or other identifying information) together with a visit to a webpage addressing specific health conditions or listing health care providers is not sufficient to constitute IIHI “if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”
- However, OCR maintains the position that IP address, geographic location or other identifying information sent while an individual is seeking information regarding their own health would constitute a disclosure of PHI.
- OCR did not change the Bulletin’s guidance regarding the use of tracking technologies on authenticated portions of a regulated entity’s website, such as patient portals. OCR thus appears to be standing firm on its position that transmission of an IP address or other identifying information through tracking technologies on authenticated pages is a disclosure of PHI.
- The revised Bulletin adds several examples of how the use of tracking technologies on unauthenticated pages may disclose PHI to tracking technology vendors depending on the purpose the pages serve. For example, tracking technologies on a regulated entity’s careers page would not involve PHI, but tracking technologies on an appointment scheduling page would.
- Likewise, the use of tracking technologies on unauthenticated pages may disclose PHI to tracking technology vendors depending on the purpose of the individual’s visit to a particular page. For example, if a student visits a webpage for a school-related research activity, no PHI is disclosed, because the student is not visiting the website in connection with their past, present or future health, health care or payment for health care. Conversely, if that same student visits the same webpage to research information regarding their own health care, PHI is disclosed.
- OCR expressly recognized that regulated entities may use other vendors, such as a Customer Data Platform vendor willing to sign a business associate agreement (“BAA”), to de-identify online tracking information that includes PHI and then disclose only the de-identified information to tracking technology vendors that are unwilling to enter into a BAA with the regulated entity.
- OCR added a new section on enforcement priorities, stating that its principal interest in investigations of this issue will be to ensure that regulated entities have complied with the core HIPAA Security Rule requirements to perform a risk analysis and implement a risk management plan that addresses tracking technologies. OCR added that its investigations will be fact-specific and may involve review of technical information regarding the use of tracking technologies.
Practical Takeaways
The revised Bulletin did not materially change OCR’s interpretation or approach with respect to the use of tracking technologies on regulated entity websites. From our review of the revised Bulletin and our experience in OCR tracking technology investigations, we make the following observations and recommendations:
- The absence of material revisions to many of the key questions that the original Bulletin raised is likely the reason that the settlement discussions between AHA and OCR did not progress. Regulated entities should continue to monitor that case for future developments that could impact the application of the guidance.
- For unauthenticated pages that do not perform a specific treatment or payment function, OCR retained its inherently subjective standard for determining whether the information is PHI: the answer turns on the purpose for which the individual is visiting the website. OCR did not clarify how a regulated entity would know whether a given visitor is seeking information regarding their own health condition, or the standard to which OCR will hold regulated entities in making that determination. This continued uncertainty leaves regulated entities with little choice but to treat most website visitor activity as covered by HIPAA.
- OCR did not provide any further clarification on how it would assess tracking technology matters under the Breach Notification Rule, and in particular whether OCR believes a regulated entity could reasonably demonstrate a low probability that PHI has been compromised when the only identifier involved is an IP address, as is commonly the case.
- When considering whether and how to deploy web tracking technologies, organizations should evaluate the content and nature of the webpages where tracking technologies are present, as follows:
  - Tracking technologies should not be present on authenticated pages, or on unauthenticated pages that perform a specific treatment-related function (e.g., appointment scheduling or health risk assessments), unless a BAA is in place to cover any disclosures of PHI that may occur.
  - Tracking technologies are permissible even without a BAA on portions of a regulated entity’s website that are unrelated to a visitor’s health, such as a careers page.
  - Regulated entities should consider whether they can architect their websites so that pages that could transmit PHI are segregated from pages that do not.
  - Given OCR’s position that a website visitor’s subjective intent is material to whether PHI could be transmitted, regulated entities may want to consider treating all of their webpages as capable of transmitting PHI, except for those pages that clearly serve a purpose unrelated to a visitor’s health.
- Because OCR did not materially change its position from the original Bulletin, we recommend that regulated entities that have not already done so conduct a legal and forensic review of the data shared with tracking vendors via tracking technologies on their websites, and take appropriate steps to mitigate the risk of unauthorized disclosures that may be occurring.
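The forensic review recommended above can start from a capture of the browser’s network traffic while navigating the site. The following Python script is an added example prepared for this page, not a tool from Hall Render or OCR. It reads a HAR file (the format browsers export from their developer tools), isolates requests sent to hosts other than the regulated entity’s own domain, infers the page each request came from using the Referer header, and classifies that page using the Bulletin’s distinction between authenticated pages, unauthenticated treatment-function pages and unrelated pages. The domain name (`hospital.example`), the path-prefix rules, the vendor hostnames and the embedded HAR capture are all constructed for illustration.

```python
"""Audit a HAR capture for third-party tracker requests sent from pages that
may carry PHI. Added example; the domain, path rules and sample HAR below are
constructed assumptions, not data from any real site or vendor."""
import json
from urllib.parse import parse_qsl, unquote, urlparse

FIRST_PARTY = "hospital.example"  # assumption: the regulated entity's own domain

# Assumption: how this entity has classified its own URL paths. Anything not
# listed is "unknown", which the Bulletin treats as depending on visitor purpose.
AUTHENTICATED_PREFIXES = ("/portal/",)
TREATMENT_PREFIXES = ("/appointments", "/schedule", "/health-risk-assessment")
UNRELATED_PREFIXES = ("/careers", "/about")


def classify_page(page_url: str) -> str:
    """Map a first-party page URL to a Bulletin category."""
    path = urlparse(page_url).path
    if path.startswith(AUTHENTICATED_PREFIXES):
        return "authenticated"
    if path.startswith(TREATMENT_PREFIXES):
        return "treatment"
    if path.startswith(UNRELATED_PREFIXES):
        return "unrelated"
    return "unknown"


def _header(headers: list, name: str) -> str:
    """HAR headers are a list of {"name": ..., "value": ...}; match case-insensitively."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""


def _request_params(request: dict) -> list:
    """Every name/value pair the request carries: query string plus form body."""
    params = list(parse_qsl(urlparse(request["url"]).query, keep_blank_values=True))
    body = request.get("postData", {}).get("text", "")
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def audit_har(har: dict) -> list:
    """Return one finding per request that left the first-party domain."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlparse(req["url"]).hostname or ""
        if host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
            continue  # traffic to the entity itself is not a disclosure to a vendor
        page = _header(req.get("headers", []), "Referer")
        category = classify_page(page) if page else "unknown"
        params = _request_params(req)
        findings.append({
            "vendor_host": host,
            "page": page,
            "category": category,
            "param_names": sorted({n for n, _ in params}),
            # Trackers commonly send the visited page URL; for an appointment or
            # portal page that URL alone reveals why the visitor was there.
            "forwards_page_url": any(FIRST_PARTY in unquote(v) for _, v in params),
            # Authenticated and treatment pages need a BAA; "unknown" pages depend
            # on visitor purpose, so they are treated as PHI-capable as well.
            "needs_baa_review": category != "unrelated",
        })
    return findings


# Constructed sample capture: one first-party page load and three vendor beacons.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://hospital.example/appointments/new",
                 "headers": []}},
    {"request": {"method": "GET",
                 "url": "https://analytics.example/collect?v=1&cid=123"
                        "&dl=https%3A%2F%2Fhospital.example%2Fappointments%2Fnew",
                 "headers": [{"name": "Referer",
                              "value": "https://hospital.example/appointments/new"}]}},
    {"request": {"method": "GET",
                 "url": "https://analytics.example/collect?v=1&cid=123"
                        "&dl=https%3A%2F%2Fhospital.example%2Fcareers",
                 "headers": [{"name": "Referer",
                              "value": "https://hospital.example/careers"}]}},
    {"request": {"method": "POST", "url": "https://pixel.example/tr",
                 "headers": [{"name": "referer",
                              "value": "https://hospital.example/portal/messages"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "ev=PageView&dl=https%3A%2F%2Fhospital.example"
                                      "%2Fportal%2Fmessages"}}},
]}}

if __name__ == "__main__":
    # To audit a real export: audit_har(json.load(open("capture.har")))
    for f in audit_har(SAMPLE_HAR):
        print(json.dumps(f))
```

Run against a real export, the output lists each vendor host alongside the category of page it was contacted from and the parameter names it received; entries marked `needs_baa_review` are the ones to reconcile against executed BAAs or remove. The page classification is only as good as the entity’s own inventory of its URL paths, and, as the Bulletin makes clear, an IP address reaches the vendor with every request regardless of what the parameters contain.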
If you have any questions or would like more information on this topic, please contact:
- Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com;
- Philip Davis at (317) 977-1412 or pdavis@hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.