HHS Updates Its Guidance on Online Tracking Technologies – Controversy Remains

The U.S. Department of Health and Human Services, Office of Civil Rights (OCR) recently updated its controversial, year-old guidance document on the use of online tracking technologies by healthcare providers and other HIPAA-regulated entities. Our analysis of the original guidance document may be found here.

The updated guidance comes in the wake of a lawsuit filed by the American Hospital Association (AHA) against HHS-OCR challenging the agency’s position that the use of standard third-party web technologies that capture IP addresses on healthcare organizations’ public-facing webpages violates HIPAA. The AHA brief described the original HHS-OCR rule on tracking technologies as “a gross overreach by the federal bureaucracy, imposed without any input from healthcare providers or the general public.”

HHS-OCR states that the purpose of the updated guidance is “to remind regulated entities and the public that the use of online tracking technologies is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules).” Despite the lawsuit and industry pushback, substantive updates to the guidance document are relatively minor and HHS-OCR continues to take a broad view of what constitutes protected health information (PHI) in online settings.

What Hasn’t Changed

The fundamental message of the HHS-OCR guidance remains the same:

Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.

Significantly, HHS-OCR has not changed its broad interpretation of what might constitute PHI when disclosed to a tracking technology vendor. HHS-OCR identifies the following types of information as examples of PHI that could be collected by tracking technologies: medical record number, home or email address, dates of appointments, IP address, geographic location, or device ID.

HHS-OCR continues to take the position that HIPAA can be triggered if a healthcare provider collects a person’s IP address (or other individually identifiable information) on its public-facing website, even if the person is not an existing patient of the healthcare provider. The updated guidance attempts to qualify this position by clarifying that “the mere fact that an online tracking technology connects the IP address of a user’s device … with a visit to a webpage addressing specific health conditions or listing health care providers” is not sufficient to constitute PHI “if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”

From a practical standpoint, this puts the burden on healthcare providers to determine a person’s reason for visiting their website and whether the visit is related to the past, present or future provision of healthcare – to read the mind of the person visiting the website. In many cases, this is going to be virtually impossible.

New Guidance on Public-Facing Websites

The updated guidance includes new examples of when visits to public-facing (unauthenticated) websites using tracking technologies result in the disclosure of PHI to a tracking technology vendor:

• If a person merely visits a hospital’s webpage that includes job postings or visiting hours, the use of tracking technologies to collect and transmit the person’s IP address (or other identifying information) would not trigger HIPAA because such information does not relate to the person’s health, healthcare, or payment for healthcare.
• A student is writing a term paper on the availability of oncology services before and after the COVID-19 public health emergency and visits a hospital’s webpage listing oncology services for research purposes. In this case, the use of tracking technologies to collect and transmit the student’s IP address (and other identifying information) would not trigger HIPAA because the student’s visit to the webpage was not related to the student’s own health, healthcare, or payment for healthcare.
• If a person visits a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the use of tracking technologies to collect and transmit the person’s IP address (or other identifying information) triggers HIPAA because such information relates to the person’s own health or future healthcare.

The challenge with these examples is they require the healthcare provider to know a person’s reason for visiting a website. How is a healthcare provider supposed to know whether someone visiting their oncology website is a student doing research or a potential patient seeking a new provider?

Do we envision a pop-up window asking, “Is your visit to this website related to your past, present, or future health, healthcare, or payment for healthcare?” Is it safer to forgo tracking technology altogether? Are there other feasible solutions? The new guidance does little to settle these questions.

New Guidance on BAA Requirements

If healthcare providers disclose PHI to tracking technology vendors, these vendors likely meet the definition of a “business associate” and therefore a Business Associate Agreement (BAA) is required. The new guidance provides a work-around that could help healthcare providers if their tracking technology vendor does not want to sign a BAA. Without the BAA, the healthcare provider cannot disclose PHI to the vendor. The healthcare provider could strip out the PHI themselves, sending only non-PHI to the vendor, or could hire another vendor to do the data stripping for them.  In the latter case, a BAA with the data stripping vendor would be required. No BAA would be necessary with the vendor who receives only non-PHI.

Tips & Takeaways

The updated guidance document does not significantly change HHS-OCR’s previous position on tracking technologies. Here are some compliance tips for healthcare organizations in light of the current guidance:

1. Identify web tracking technologies used on all your organization’s websites and apps. This includes tracking technologies employed directly by your organization or via a third party.
2. Ensure that the use of online tracking technologies is consistent with HIPAA, including tracking technologies used on public-facing (unauthenticated) webpages.
3. Put in place BAAs with tracking vendors, as needed.
4. Review and analyze your organization’s use of tracking technologies as part of your routine Security Risk Assessment and implement risk management measures as needed to protect the privacy and security of EPHI transmitted through tracking technologies.
5. Be alert for updates to HHS-OCR guidance and legal developments in this area.