OCR recently updated guidance directed at HIPAA-regulated entities that use online tracking technologies, reminding those entities that use of such technology must comply with their obligations under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), providing clarification about enforcement priorities, adding examples of uses of these technologies, and narrowing some of the previously broad language about what constitutes PHI. Nonetheless, the updated guidance comes to the same conclusion as the initial guidance: Regulated entities may not deploy tracking technologies on their websites in a way that would result in impermissible disclosures of PHI to third-party vendors of such technologies or any other violations of the HIPAA Rules.

While the updated guidance does not address the core concerns related to the earlier guidance, some of the clarifications will be useful. 

• As OCR said before, not all data collected through a tracker on a regulated entity’s website constitutes PHI. OCR reiterates that compliance with the HIPAA Rules is triggered when regulated entities disclose PHI to tracking technology vendors. That said, the updated guidance emphasizes that simply collecting information from a regulated entity’s webpage is not sufficient to create the conditions necessary to transform the information into PHI and trigger application of the HIPAA Rules, particularly if the visit to the webpage is not connected to an individual’s past, present, or future health, health care, or payment for health care. OCR offers new examples of when website data will be PHI while again leaving the line between what constitutes PHI and non-PHI subject to a facts and circumstances analysis. The examples are described in more detail below.

• Unauthenticated webpages may – or may not – collect PHI. OCR notes that regulated entities may use unauthenticated webpages to communicate information that generally does not constitute PHI. OCR provides several new examples for when, in its view, visits to unauthenticated webpages may or may not involve the disclosure of electronic PHI.

  • Scenario 1: Visit to webpages do not result in the disclosure of PHI to a tracking technology vendor, if the online tracking technology does not have access to information that relates to an individual’s past, present, or future health, health care, or payment for health care.

    • Example: User visits a hospital’s unauthenticated webpage to view visiting hours, and while doing so, information such as the user’s IP address and other identifying information is captured and disclosed to a tracking technology vendor. Even if the information can be used to identify the user who visited the page, it does not reveal information about an individual’s past, present, or future health, health care, or payment for health care.

  • Scenario 2: Website visits do not result in a disclosure of PHI to a tracking technology vendor on pages that do not have access to information related to an individual’s past, present, or future health, health care, or payment for health care. This scenario seems to depend on the purpose of why a visitor viewed or submitted a search query on a website. 

    • Example of when this would not involve PHI: An individual searches for the availability of services on a hospital’s webpage for academic or research purposes, and while doing so, information is collected and disclosed on that user. The user’s visit to unauthenticated webpage does not involve the disclosure of PHI.

    • Example of when this may involve PHI: In contrast, if an individual looks up the same services to seek a second opinion on treatment options for their medical condition, and while doing so, information is collected and disclosed on that user. The user’s visit to unauthenticated webpage does involve the disclosure of PHI. However, the guidance does not provide additional detail or direction on how regulated entities may be able to identify the purpose of a user’s visit or how the agency expects this to be operationalized.

  • Scenario 3: Tracking technology on a regulated entity’s webpage that permits scheduling appointments or uses symptom-checker tools without the need for user-authentication may have access to PHI in certain circumstances.

    • Example: Tracking technologies collect an individual’s email address, or reason for seeking health care typed or selected by an individual, when the user visits the webpage and makes an appointment with a health care provider or enters symptoms in an online tool to obtain a health analysis. OCR’s position is that the regulated entity is disclosing PHI to the tracking technology vendor.

• Mobile apps continue to present tracking concerns. OCR previously noted that mobile apps offered by regulated entities to help manage health information or pay bills generally involve collection of PHI. The updated guidance revised prior examples, providing additional explanation about why the collection of certain information about app usage by a tracking technology vendor would be a disclosure of PHI.

• Regulated entities need to comply with the Security Rule. OCR notes that it is prioritizing compliance with the HIPAA Security Rule in its investigations regarding the use of online tracking technologies as compliance with the Security Rule helps lower the risk of unauthorized access to ePHI that could harm individuals. This includes entering into BAAs where appropriate and notification if PHI is improperly disclosed to a tracking technology vendor. It is evaluating whether regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have appropriately implemented the Security Rule requirements.

Next Steps

While not a game changer for the many HIPAA-regulated entities grappling with tracking technologies, the updated guidance highlights OCR’s continued interest in online tracking technologies with a view toward enforcement.  In light of the clarifications provided, HIPAA-regulated entities may consider confirming that they:

• Understand where and how online tracking technologies are deployed on their HIPAA-covered websites and mobile applications;
• Appropriately implement such technologies, including adjusting settings and entering into BAAs where necessary;
• Incorporate and account for use of these technologies in their risk assessments;
• Analyze potential notification obligations in connection with the unauthorized disclosure of PHI to tracking technology vendors; and
• Implement a governance program to confirm ongoing compliance with applicable requirements.

Entities that already have engaged in these activities may consider refreshing their prior analysis to determine whether modifications to their practices are appropriate in light of the updated guidance.