OCR Updates Guidance on the Use of Online Tracking Technologies by HIPAA Regulated Entities
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued updated guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the use of online tracking technologies. The updated guidance is intended to provide greater clarity for HIPAA-regulated entities on the use of these technologies. OCR has changed its position on how HIPAA applies to the use of these technologies, specifically regarding IP addresses, which OCR has clarified are not always considered PHI.
Why OCR Issued Guidance on Online Tracking Technologies
OCR first issued the guidance in December 2022 after research into the use of these technologies revealed that most U.S. hospitals had added these technologies on their websites, which transmit user data to third parties such as Meta (Facebook), Google, and others. A variety of user data is collected and transmitted about users’ interactions on websites and apps, and some of that data can include protected health information.
The initial guidance explained that these technologies could not be used by HIPAA-regulated entities unless there was a business associate agreement in place with the provider of the technologies and the disclosures of protected health information are permitted by the HIPAA Privacy Rule. Alternatively, consent must be obtained from individuals before the information is transmitted to third parties. OCR has previously stated that non-compliant use of online tracking technologies is an enforcement priority, and in July 2023, OCR and the Federal Trade Commission (FTC) sent warning letters to around 130 hospitals and telehealth providers about the risks of using these technologies and the potential for impermissible disclosures of PHI.
OCR Sued Over its Tracking Technology Guidance
Since the providers of these technologies typically do not sign business associate agreements with HIPAA-regulated entities and obtaining consent from individuals is costly and challenging, these technologies can generally not be used by HIPAA-regulated entities without risking violating the HIPAA Rules. The American Hospital Association (AHA) urged OCR to reconsider its guidance, and when OCR failed to do so, AHA filed a lawsuit challenging the legality of the guidance. The AHA maintains that these technologies are critical to the function of websites, and that prohibiting their use ultimately harms healthcare providers and patients. Further, while HIPAA-regulated entities were not permitted to use these technologies, the code remained on many government websites, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Online Tracking Technology Guidance Clarifies OCR’s Position
OCR’s updated guidance provides a general overview of how the HIPAA Rules apply to the use of tracking technologies and includes additional examples of when the code can and cannot be used, tips for complying with HIPAA, and OCR’s enforcement priorities regarding online tracking technologies. In the updated guidance, OCR stressed that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” Protected health information is information that relates to the past, present, or future health, health care, or payment for health care, that has identifiers that link that information to an individual or allow that individual to be identified.
If any of that information is collected on a web page, the technologies cannot be used without a business associate agreement with the provider of the code and the disclosures must be permitted by the HIPAA Privacy Rule, or consent must be obtained from individuals. Consent cannot be obtained by including information about these disclosures in the Notice of Privacy Practices, via a pop-up on the websites or banner stating that use of the site may involve the disclosure of health information to a third party, or by asking a user to either accept or reject cookies. A valid HIPAA authorization is required.
OCR suggests that if a vendor will not sign a BAA covering the use of the code, then a different vendor should be found that will sign a BAA. Alternatively, a customer data platform vendor could be used, which de-identifies the PHI before the information is sent to a third party. It is not permitted to transfer PHI to a vendor without a BAA even if the vendor claims that they will strip out any identifying information after the disclosure. The collection of PHI is more likely on user-authenticated pages such as patient portals; however, there is the potential for PHI to be disclosed on unauthenticated web pages. For instance, on an appointment booking page that collects no health information, if the user enters their email address and that information is transmitted to a third party, that would be classed as an impermissible disclosure of PHI.
For some web pages, the nature of the visit determines whether HIPAA applies. Specifically, the guidance clarifies how IP addresses apply. IP addresses allow an individual to be identified and therefore, according to the initial guidance, would be classed as protected health information regardless of the nature of the visit to a web page. OCR has clarified that the nature of the visit is relevant, which was no doubt prompted by the AHA lawsuit. OCR said IP addresses are only protected health information in certain circumstances.
For instance, if a student is searching for information on oncology services when researching the availability of those services pre- and post-pandemic, the collection and transmission of their IP address and other personally identifiable information to a third party without a BAA is not a HIPAA violation, as HIPAA does not apply as there is no PHI involved. If a patient is visiting the same pages to get a second opinion about their diagnosis or cancer treatment, the transmission of the same data would be a HIPAA violation without a BAA, as that information would be classed as PHI. This is not a major change of position for OCR, it is a clarification of what OCR intended when the guidance was released. OCR appears to be clarifying that the guidance does not overstretch the definition of protected health information as the AHA lawsuit claims, and has been questioned in other lawsuits, it simply means that there is potential for online tracking technologies to collect PHI and HIPAA-regulated entities must therefore make sure that they implement safeguards to prevent such impermissible disclosures.
OCR explained its enforcement priorities with respect to online tracking technologies and said it is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. “OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI,” explained OCR in the guidance. “OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all of the available evidence in determining compliance and remedies for potential noncompliance.”
The problem for hospitals is the clarification changes little. Determining the nature of the visit and whether the interactions on a web page involve or do not involve PHI will be near impossible, therefore, hospitals will have to err on the side of caution and not use these technologies, and the issues raised by AHA will still need to be resolved through legal action.
