The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently released a revised version of its guidance titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” The original version of the guidance was released on December 1, 2022, and laid out the obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for covered entities and business associates (“regulated entities”) when using online tracking tools, such as Google Analytics or Meta Pixel. Regulated entities use tracking technologies to analyze how users interact with their websites and mobile apps.

Original Guidance

The original version of the guidance addressed impermissible disclosures of protected health information (“PHI”) by regulated entities to online technology tracking vendors. Under HIPAA, PHI is individually identifiable information that relates to an individual’s past, present, or future health, healthcare, or payment for healthcare. The December 2022 guidance stated that individually identifiable information includes IP addresses, social security numbers, and mobile numbers, among other information identified in the HIPAA Privacy Rule’s de-identification standard.

In response to the original version of the guidance, many regulated entities changed how they use tracking technologies. However, many regulated entities also had concerns over the guidance. For example, the American Hospital Association (“AHA”) brought suit challenging the guidance, claiming that the guidance exceeded OCR’s regulatory authority.

Updated Guidance

OCR released the updated version of the guidance on March 18, 2024. The stated purpose of the new guidance is to “increase clarity for regulated entities and the public.” The updated guidance is largely similar to the December 2022 version, but with some notable changes, including:

1. OCR acknowledges that “the mere fact that a tracking technology connects the IP address of a user’s device with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute identifiable health information if the visit to the webpage is not related to an individuals’ past, present, or future health, health care, or payment for health care.”
2. An unauthenticated webpage is a webpage that does not require users to login before accessing the webpage. OCR clarified that, generally, unauthenticated webpages do not have access to PHI because they generally do not have access to information that relates to any individual’s past, present, or future health, healthcare, or payment for healthcare. However, OCR reiterated its position that, in some cases, they do. OCR gives the following examples to illustrate its position on when a visit to an unauthenticated webpage may involve the disclosure of PHI:

“For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.

However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care. . . .

iTracking technologies might collect an individual’s email address, or reason for seeking health care typed or selected by an individual, when the individual visits a regulated entity’s webpage and makes an appointment with a health care provider or enters symptoms in an online tool to obtain a health analysis.”

3. OCR added an example of disclosure of PHI on a mobile application. If a patient uses a health clinic’s diabetes management mobile app to track health information such as glucose levels and insulin doses, the transmission of information to tracking technology vendors as a result of using the app would be a disclosure of PHI.
4. Establishing a Business Associate Agreement (“BAA”) with a tracking technology vendor that meets the definition of a business associate is required to achieve HIPAA compliance when using tracking technologies. The new guidance says that if a chosen tracking technology vendor will not engage in a BAA that safeguards PHI, then the business associate can choose to enter into a BAA with another vendor, for example, a customer data platform vendor. That vendor will de-identify online tracking information that includes PHI, and then disclose only de-identified information to tracking technology vendors that refuse to enter into a BAA. A regulated entity can also instead obtain individual authorization from individuals whose information will be disclosed to a tracking vendor that meets the definition of a business associate. OCR has maintained its position that website banners asking users to accept or reject use of tracking technologies is not a HIPAA compliant authorization.
5. OCR announced that it will prioritize compliance with the HIPAA Security Rule in investigations into online tracking technologies.

Key Takeaways

OCR’s guidance related to tracking technologies remains controversial. One of the most noteworthy changes in the guidance is the addition of the examples concerning visits to unauthenticated websites. OCR’s position on whether information collected on a regulated entity’s website is PHI hinges on the intent of the user. Parsing the intent of a user’s visit would seem to be a functional impossibility, and OCR provides no guidance on how to determine intent. Accordingly, OCR appears to be attempting to mandate that regulated entities must either have a BAA with any tracking technology vendor recipient of such information or have every website visitor sign an authorization if there is disclosure to a tracking technology vendor. Both avenues appear untenable and may — at present — function as a stumbling block to historical uses of such technologies.

Despite the position OCR has taken in its tracker guidance, regulated entities should not lose hope. The guidance was not issued through notice and comment rulemaking and is subject to challenge through AHA’s pending litigation. Similar instances of “reach” guidance from OCR and legal challenges in the past have resulted in revision or rescission from OCR. Although it is too soon to predict the outcome, regulated entities may receive relief from this guidance in the future.

Nonetheless, OCR has reiterated its stance that compliance with the HIPAA Security Rule for tracking technologies is an enforcement priority. Thus, unless and until there is a further change to the guidance, regulated entities would be well advised to conduct a thorough review of their use of such tracking technologies and obtain a clear understanding of the uses and disclosure being made of any tracked information to ensure compliance with HIPAA.