The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AHA Calls for HHS to Drop Website Tracking Technology Rule

The American Hospital Association (AHA) has called for Congress to urge the Department of Health and Human Services to withdraw its new rule that prohibits HIPAA-regulated entities from using online tracking technologies on their websites and applications.

The AHA represents more than 5,000 member hospitals, health systems, and other healthcare organizations, and its clinician partners include more than 270,000 affiliated physicians and 2 million nurses and other caregivers. The AHA requested the withdrawal of the rule in its response to Sen. Bill Cassidy’s recent request for information on health information privacy and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Online tracking technologies include Google Analytics and Meta Pixel code, which are used by hospitals for collecting and analyzing information about how individuals interact on their websites. The information collected through these tools helps hospitals to make improvements to their online portals and provide relevant and reliable health information to their communities. A study conducted in 2019 on the websites of 3,747 U.S. hospitals found that 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% had at least one third-party cookie. These tracking technologies may pass identifiable health information to third parties such as Google and Meta, based on a user’s interaction on websites.

In December 2022, the HHS issued guidance on HIPAA and tracking technologies and prohibited the use of these tools unless consent to collect data was obtained or a valid business associate agreement was in place. Many of the companies that provide the tracking code refuse to enter into business associate agreements with customers, which means their tracking technologies cannot be used by HIPAA-regulated entities.

“OCR precipitously upended the balance that HIPAA strikes, contravening its own efforts to encourage hospitals to share non-private healthcare information with the public,” wrote the AHA in its response to Sen. Cassidy’s RFI. “Without consulting health care providers, third-party technology vendors, or the public at large, the agency issued a sub-regulatory guidance document that has had profound effects on hospitals, health systems, and the communities they serve.”

The AHA believes the HHS’ Office for Civil Rights went too far when it took the position that an IP address coupled with a visit to a public webpage that addresses specific health conditions or healthcare providers counts as protected health information. OCR’s position means IP addresses must be protected even when patients are not seeking medical care, such as if they are visiting a website to find out information about a medical condition affecting a friend or relative, conducting research, seeking general health information, or information about the hospital itself where they may not be a patient. The AHA points out in its response that courts have already concluded that the interpretation of individually identifiable health information (IIHI) offered by HHS in its guidance goes well beyond the meaning of what the statute can bear.

The AHA claims that by preventing hospitals from analyzing important visitor data, meaningful harm is caused to patients and public health. In addition to analytics tools, hospitals use video technologies that provide important health information to the public and map and location technologies that enable the provision of better information about where health services are available. If OCR maintains its position, valuable patient services such as these may not be provided and that would be to the detriment of patients and public health. The AHA has called for OCR to immediately withdraw its rule.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
