Office of Civil Rights Provides Updated Guidance on HIPAA and the Use of Tracking Technologies
April 18, 2024
Overview
On March 18, 2024, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released a bulletin updating guidance on the use of online tracking technologies by HIPAA covered entities and their business associates. The bulletin, which updates OCR’s December 2022 guidance on the same topic, follows renewed warnings from OCR on the dangers of online tracking technologies and comes amidst increased attention to the privacy risks that these technologies pose
On March 18, 2024, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released a bulletin updating guidance on the use of online tracking technologies by Health Insurance Portability and Accountability Act (HIPAA) covered entities and their business associates. The bulletin, which updates OCR’s December 2022 guidance on the same topic, follows renewed warnings from OCR on the dangers of online tracking technologies. Increasingly, OCR and other regulators are emphasizing the privacy risks that these technologies pose when they collect highly sensitive data like identifying information, diagnoses, treatment plans, frequency of visits to a health care provider, and billing information. The failure to safeguard this data can harm individual dignity, lead to stigma and harassment, and threaten patients’ health and safety, among a host of other negative outcomes. This article provides an overview of OCR’s guidance for HIPAA covered entities and business associates, highlighting updates since December 2022 and implications for compliance and privacy.
Regulated Entities’ Obligations
A tracking technology is “a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app.” OCR’s guidance identifies the obligations of HIPAA covered entities and their business associates (collectively, “regulated entities”) that share protected health information (PHI) with third party tracking technologies. Principally, when the information shared with a tracking technology vendor by a regulated entity constitutes PHI, that information may only be used and disclosed in accordance with the HIPAA Privacy Rule. If a tracking technology vendor meets the HIPAA definition of business associate, the regulated entity must enter into a business associate agreement with the vendor to ensure protection of PHI in accordance with HIPAA. Additionally, electronic PHI collected by a tracking technology vendor must be safeguarded in compliance with the HIPAA Security Rule. The March 2024 update identifies Security Rule compliance as an area of priority in OCR’s investigations of tracking technologies.
Applying the PHI Definition
Whether information collected by tracking technologies constitutes PHI is a primary focus of OCR’s guidance. PHI includes individually identifiable information held or transmitted by a regulated entity that relates to an individual’s past, present, or future health, health care, or payment for health care. According to OCR, an IP address, geographic location, device ID, or other information that identifies an individual or that reasonably could be used to identify an individual may be PHI if combined with information related to the individual’s past, present, or future health, health care, or payment for health care.
OCR’s guidance addresses three types of platforms that may share PHI with tracking technology vendors: user-authenticated webpages, mobile apps, and unauthenticated webpages. User-authenticated webpages, which require a user to log in to access the page, and mobile apps offered by regulated entities are often used for purposes like viewing test results and treatment plans, scheduling appointments, and managing payments. Generally, tracking technologies on such platforms have access to PHI, as they collect identifiable information (device IDs, names, credentials, etc.) and information on these platforms typically relates to the users’ health, health care, and/or payment.
Many regulated entities also maintain unauthenticated webpages, which do not require a user to log in before accessing them. Determining whether information on an unauthenticated webpage meets the definition of PHI can be more complex. Unlike patient portals or apps, individuals may use publicly accessible websites for a range of purposes, some of which may relate to their personal health, health care, or payment and some of which may not. Acknowledging this variation, OCR’s December 2022 bulletin stated that the information collected by tracking technologies on unauthenticated webpages generally does not meet the definition of PHI but may in certain circumstances, such as where the webpage addresses specific health conditions or allows users to search for appointments with providers.
In its March 2024 update, OCR clarified that whether a tracking technology has access to PHI on a regulated entity’s unauthenticated webpage may depend on an individual’s reason for visiting the page. The bulletin illustrates this with an example of an unauthenticated webpage detailing a hospital’s oncology services. According to the bulletin, if a tracking technology collects an individual’s identifying information when they access the webpage to decide whether to obtain cancer treatment at the hospital, then their activity on the webpage meets the definition of PHI to the extent that it is identifiable and relates to their health or future health care. Conversely, if an individual accesses the webpage while conducting research for a paper about the availability of oncology services (and not for any purpose related to their own health), their activity on the webpage would not be PHI, as it would not relate to their past, present, or future health, health care, or payment.
This update comes amidst legal challenges to OCR’s treatment of unauthenticated webpages, which some regulated entities view as overreaching and inconsistent with HIPAA. In November 2023, the American Hospital Association, among other plaintiffs, filed a complaint against the OCR Director, the HHS Secretary, and the United States in federal district court, challenging the December 2022 guidance. The plaintiffs dispute the position that a tracking technology’s collection of an individual’s IP address in combination with their visit to a regulated entity’s unauthenticated webpage addressing specific health conditions or health care providers is subject to HIPAA. According to the plaintiffs, this position is inconsistent with the statutory and regulatory definition of PHI. The plaintiffs additionally contend that OCR’s guidance is arbitrary and capricious, violates the Administrative Procedure Act, and raises First Amendment concerns. The litigation is ongoing.
Implications for Compliance and Individual Privacy
The March 2024 update raises important considerations for regulated entities that use tracking technologies. Regulated entities may not know the reason for which an individual accesses a webpage. Thus, complying with the updated guidance may require treating as PHI an individual’s visit to any webpage that could disclose information about their past, present, or future health, health care, or payment.
Moreover, the update underscores OCR’s heightened focus on the use of tracking technology vendors and the gravity of related privacy concerns. Regulated entities may use tracking technologies for valuable purposes, such as improving the accessibility of webpages and tailoring information to patients’ needs. But information collected by tracking technologies may be highly sensitive, and its disclosure could result in discrimination, financial loss, mental anguish, and erosion of trust, among other negative outcomes. For example, tracking technology vendors may have access to PHI related to abortion care and other reproductive health services, the disclosure of which can result in harassment and criminalization of care. And vendors’ use or sale of PHI for marketing purposes could result in patients receiving targeted advertisements for unnecessary and even harmful services. Regulatory frameworks must balance the benefits of tracking technologies with the need to mitigate the risks of these harmful outcomes.
This post was written by Emma Kaeser, Staff Attorney, Network for Public Health Law —Mid-States Region.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.