On March 18, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released updated guidance to “increase clarity” for entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regarding their use of website tracking technologies.
Background
OCR’s initial bulletin on this topic, released in December 2022 (2022 Bulletin), caused confusion in the industry among regulated entities that have long relied on the use of tracking technologies within mobile applications and on their websites, in part, to collect user data and disclose such information to vendors to assist in analyzing user activity and website use. In the 2022 Bulletin, OCR asserted that identifying information, such as an individual’s email or IP address collected from a visit to a provider’s or health plan’s webpage, could constitute protected health information (PHI) even if the individual does not have an existing relationship with the provider or health plan, as such information is indicative that the individual will receive healthcare services or benefits from the regulated entity. Accordingly, any such use or disclosure of this information would be subject to HIPAA. A covered entity seeking to collect and use this information would be required to ensure such uses and disclosures of PHI are permissible under HIPAA, including having a compliant business associate agreement (BAA) in place with any third-party vendor that creates, receives, maintains or transmits the PHI.
Several months following the 2022 Bulletin, OCR and the Federal Trade Commission (FTC) jointly sent identical letters to nearly 130 providers issuing a warning regarding the “serious privacy and security risks related to the use of online tracking technologies that may be present” on the providers’ webpages or mobile apps. (OCR posted a link to the form letter on its website, available here; OCR also made publicly available copies of the letters sent to providers, available here.) In the letters the agencies also pronounced their focus on this issue as the use of tracking technologies may, they state, constitute a breach of individually identifiable information.
Pending Challenge
In response to OCR’s issuance of sub-regulatory guidance in the 2022 Bulletin, as well the signal of potential enforcement in the warning letters sent to providers, in November 2023 the American Hospital Association and Texas Hospital Association, along with others, sued HHS and OCR in the U.S. District Court for the Northern District of Texas for injunctive and declaratory relief. (Complaint at 8, American Hospital Association et al v. Becerra et al, No. 4:23-cv-01110-P (D. N. Tex. Nov. 2, 2023).) Plaintiffs argue the 2022 Bulletin exceeded OCR’s authority and that issuance of the rule violated the Administrative Procedure Act (APA). In January 2024, 17 state hospital associations filed a brief of amici curiae in support of plaintiffs. Warning that the impact of the 2022 Bulletin has made it “difficult or impossible” for hospitals to use website technologies that involve collecting IP addresses, amici argue “hospitals must be empowered to use the best tools available to ensure that their websites are providing the right information to the right people, in a way that they can trust and rely on,” thereby increasing access to care.
March 2024 Updated Guidance
OCR’s updated guidance provides examples of when an individual’s visit to an unauthenticated webpage would involve the collection of PHI because the visit to the webpage is related to the individual’s past, present, or future health, healthcare, or payment for healthcare. Collecting identifying information, such as an IP address or mobile telephone number, from a consumer seeking information from a hospital’s webpage about job postings or visiting hours, for example, would not involve creating or transmitting PHI. In contrast, OCR explains that an individual searching a hospital’s website to seek a second opinion on treatment options for a confirmed diagnosis would involve PHI, and allowing a tracking technology vendor to collect such individual’s identifying information would constitute a disclosure of PHI subject to HIPAA.
The updated guidance provides no suggestions or safe harbors for how a covered entity can discern the purpose of a website visitor’s browsing on a website.
As covered entities are typically unable to determine the intent of each consumer’s webpage use and information search, the practical take-away from OCR’s examples is that healthcare providers and health plans seeking to utilize third-party vendors to collect, transmit, and manipulate user information from their webpages should implement a BAA if the vendor will have access to identifying information, such as geographic location, IP address, email or mobile number, as well as confirm that the permitted uses and disclosures of any such information by the vendor complies with HIPAA.
Further, despite the pending legal challenges to OCR’s guidance, OCR indicates in the updated guidance that an increase in investigations into the use of tracking tools is likely. Specifically, OCR states it will prioritize compliance with the HIPAA Security Rule among regulated entities, such as by investigating whether a covered entity or business associate has conducted required processes to identify and mitigate risks to electronic PHI in the use of tracking technologies.
Takeaways for Regulated Entities
Despite OCR’s update to the 2022 Bulletin, questions among regulated entities about their use of tracking technologies for data analysis purposes remain. In response to this updated guidance, a regulated entity should evaluate its current use of tracking technologies on websites and within mobile apps; the types of information these vendors create or receive; and whether such information could relate to the past, present or future health, healthcare, or payment for healthcare of individual users. Possible courses of action include obtaining assurances that such vendors do not collect or receive any individual identifiers of webpage users, executing a BAA with the tracking technology vendor, de-identifying the PHI before disclosure to the tracking technology vendor, or obtaining individuals’ authorization to create and disclose PHI to the tracking technology vendor. Another option would be to cease the use of tracking technology tools altogether, although this would leave the regulated entity without the insights tracking technologies provide.
Our team is monitoring this evolving issue.
