OCR Updates Guidance on Use of Online Tracking Technologies by HIPAA-Regulated Entities

King & Spalding

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Bulletin revising its December 1, 2022 Guidance concerning the HIPAA obligations of covered entities and business associates when using third party online tracking technologies on their web pages and/or mobile apps. OCR’s stated purpose for updating the Guidance is “to increase clarity for regulated entities and the public.”[1] However, while the Bulletin provides some examples of what tracking activities OCR deems to be permitted or prohibited under HIPAA, it is still not entirely clear as to which website tracking practices constitute a disclosure of protected health information (PHI). Additionally, the Bulletin clarifies certain requirements concerning business associate agreements and indicates OCR’s enforcement priorities with respect to tracking technology usage.

WEBSITE TRACKING

In the Bulletin, OCR reiterates its former position that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”[2] In OCR’s view, disclosures of PHI to tracking technology vendors for “marketing” purposes (as defined in the HIPAA regulations), without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures. Consequently, OCR warns that regulated entities must ensure that they disclose PHI to tracking technology vendors only as expressly permitted or required by the HIPAA Privacy Rule.

Some regulated entities may disclose information to tracking technology vendors that the individual types or selects when they use regulated entities’ websites or mobile apps (e.g., home or email address, dates of appointments, IP address or geographic location, device IDs, or any unique identifying code). According to OCR, these types of information meet the definition of individually identifiable health information (IIHI), and thus can be considered PHI when transmitted or maintained by a regulated entity.

OCR continues to take the position in the Bulletin that IIHI collected on a regulated entity’s website (or mobile app) “generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”[3] Importantly, however, OCR clarifies in the Bulletin that “the mere fact that an online tracking technology connects some IIHI with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”[4]

The question for regulated entities, then, is how to differentiate when a visit to the webpage or app is or is not related to an individual’s past/present/future health, health care, or payment. OCR’s Bulletin provides examples[5] of when, in its view, certain visits to unauthenticated webpages (i.e., those that do not require users to log in before accessing the page) may or may not involve the disclosure of PHI if online tracking technologies are being used, but they are far from pellucid:

  • Where a user merely visits a hospital’s webpage to view its job postings or visiting hours, the collection and transmission of information to a vendor showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, is not a disclosure of an individual’s PHI, because the vendor did not have access to information about an individual’s past, present, or future health, health care, or payment for health care.

  • If a student were merely writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital is not a disclosure of PHI, even if the information could be used to identify the student, because the visit was not related to the student’s health, health care, or payment for same.

  • However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage, in OCR’s view, is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.

These scenarios, while illustrative, fail to consider how the regulated entity is to determine the purpose of a visit to its public-facing webpage; for example, whether the visit is by an individual merely performing research unrelated to their own health (e.g., an adult child seeking treatment options for their aging or infirm parent) or whether the search is actually for themselves. Under OCR’s Bulletin, the former would not appear to constitute a disclosure of the user’s PHI, but the latter may. Regulated entities may therefore face difficulties defining which identifiable, health/health care/payment-related information associated with user webpage visits constitutes a disclosure of that user’s PHI subject to HIPAA.

MOBILE APPS

Mobile app usage also continues to face scrutiny, although theoretically a regulated entity may be able to more easily secure adequate HIPAA-compliant authorization before the user is permitted to use an app, as opposed to a user simply browsing a public-facing website. In OCR’s example from the Bulletin, a patient might use a health clinic’s diabetes management mobile app to track related health information. Similarly to its position on webpage tracking discussed above, OCR takes the view that the transmission of that information to a tracking technology vendor as a result of using the app would be a disclosure of PHI because the individual’s app use is related to his health condition (diabetes) and that, together with any individually identifying information (e.g., name, mobile number, IP address, device ID), meets the definition of IIHI.[6]

BUSINESS ASSOCIATE AGREEMENTS

OCR re-emphasized that regulated entities should establish a business associate agreement (BAA) with a tracking technology vendor that meets the definition of a “business associate.” If the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with another vendor, for example a Customer Data Platform[7] vendor that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI, and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity. Significantly, OCR takes the position that “[i]f a regulated entity does not want to create a business associate relationship with a vendor that meets the definition of business associate, it cannot disclose PHI to such a vendor without individuals’ authorizations.”[8]

ENFORCEMENT

Lastly, in the Bulletin OCR enunciates its Enforcement Priorities:

Compliance with the Security Rule helps lower the risk of unauthorized access to ePHI collected through a regulated entity’s website or mobile app that could lead to harm to individuals. Therefore, OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI. OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all of the available evidence in determining compliance and remedies for potential noncompliance.[9]

While regulated entities continue to grapple with these nebulous issues of using online tracking technologies, it is clear that OCR intends to continue investigating and enforcing in this arena with renewed vigor.

OCR’s enforcement may be affected by the litigation that has been filed by the American Hospital Association, challenging the OCR Bulletin on the grounds that the Bulletin would interfere with common third-party technologies used by regulated entities to enhance their websites, such as analytics tools, video technologies, translation technologies, and map/location technologies. See American Hospital Association, et al. v. Rainer et al., Case 4:23-cv-01110-P.

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

[2] Id.

[3] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (citation omitted).

[4] Id.

[5] Id.

[6] Id.

[7] OCR defines a Customer Data Platform (CDP) as software that can combine data from multiple sources regarding customer interactions with a company's online presence to support a company's analytic and customer experience analysis.

[8] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

[9] Id.
