OCR Updates Online Tracking Technology Guidance for HIPAA Regulated Entities: “Clarified,” But Not Clear

Alert
March 26, 2024

Fifteen months after issuing its expansive Original Guidance[1] on the use of online tracking technologies by entities subject to HIPAA, on March 18 the United States Department of Health and Human Services Office for Civil Rights (“OCR”) released Updated Guidance[2] intended to clarify its position on the issue. This update comes as OCR seeks to defend itself from objections and a lawsuit filed by the American Hospital Association alleging that (i) the Original Guidance impairs the ability of providers to make available truthful health information to the public,[3] and (ii) the Original Guidance was arbitrary and capricious and should have been issued through formal notice-and-comment rulemaking.[4]

The Original Guidance addressed the use of online tracking technologies by HIPAA-regulated entities[5] in three modalities: (1) user-authenticated webpages that require a user login (for example, a patient portal); (2) unauthenticated webpages that do not require a user login (for example, a health system home page); and (3) mobile applications (“apps”).

The Updated Guidance attempts to further explain and support OCR’s position with respect to protected health information (“PHI”) collected by a regulated entity’s unauthenticated webpages, as well as potentially expanding the guidance with respect to mobile apps.[6]

Whether Unauthenticated Webpages Collect PHI May Turn on the User’s Intent. In the Original Guidance, OCR noted that while unauthenticated webpages “generally do not have access to individuals’ PHI,” a webpage that “addresses specific symptoms or health conditions” or “permits individuals to search for doctors or schedule appointments without entering credentials,” “may have access to PHI in certain circumstances.”[7] Specifically, online tracking technology that “collect[s] an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider,” results in a “disclos[ure of] PHI to the tracking technology vendor.”[8] As highlighted in the lawsuit by the American Hospital Association, the Original Guidance seemingly concludes that the combination of an individual’s IP address and a visit to an unauthenticated public webpage that addresses specific health conditions or identifies specific providers is sufficient to constitute PHI.[9]

The Updated Guidance attempts to clarify OCR’s position by stating that if the visit to an unauthenticated webpage is not related to an individual’s past, present, or future health, health care, or payment for health care,[10] “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute [individually identifiable health information].”[11]

OCR then provides two examples intended to clarify this distinction. The first example notes that the transmission of identifying information about a student who visits a hospital’s webpage on oncology services to research the COVID-19 public health emergency’s effect on such services would not constitute a disclosure of PHI, because the information does not relate to the individual’s (i.e., the student’s) past, present, or future health or health care. OCR then distinguishes this from a second example, in which the transmission of identifying information about a user looking at the same webpage to seek a second opinion on treatment options for a brain tumor would constitute PHI, because such information relates to the individual’s past, present, or future health or health care.[12] While such examples provide insight into OCR’s view of how the use of online tracking technologies could theoretically apply to differently motivated users of unauthenticated webpages, both examples appear to turn on the intent of the individual using an unauthenticated website, which a regulated entity would generally have no means of deciphering. For regulated entities that have asserted that they require the use of online tracking technologies to provide public access to helpful information about health care services, OCR’s clarification fails, as a practical matter, to provide a clear pathway for such entities to comply with the guidance and continue providing the same benefit to the general public.

Disease-Specific Mobile Apps Offered by Regulated Entities Are Presumed to Collect PHI. OCR’s Updated Guidance also appears to broaden the Original Guidance with respect to the use of mobile apps. The Updated Guidance states that, for disease-specific mobile apps, the mere fact that an individual uses the app, when transmitted along with any identifying information about the individual (including IP address[13] or device ID), is sufficient to constitute a disclosure of PHI, as use of a disease-specific app implies the user has a given health condition.[14] This means that providers of disease-specific mobile apps must ensure that any use of online tracking technologies complies with HIPAA requirements, to the extent such technologies access or collect any identifying information about the app user.

What Now?

OCR’s release of the Updated Guidance – along with its clear statement that online tracking technology use will remain an investigative priority – reaffirms that HIPAA-covered entities and business associates must continue to evaluate and assess their use of online tracking technologies on website and mobile app platforms.

Carefully Evaluate Vendor Options. When the Original Guidance was released, many regulated entities faced difficult decisions regarding whether to retain technologies that improved the performance of their platforms but failed to comply with OCR’s requirements. Since the Original Guidance, we have seen the emergence of vendors willing to provide certain online tracking technologies in a manner that complies with HIPAA. The Updated Guidance takes note of this trend, explicitly stating that a “regulated entity can choose to establish a BAA with another vendor, for example a Customer Data Platform vendor, that will enter into a BAA with the regulated entity,” and “de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to online tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.”[15] OCR’s recognition of such vendors may suggest that it will be increasingly unwilling to consider arguments that it is infeasible for covered entities to comply with the Updated Guidance while maintaining platform performance. OCR may instead take the view that covered entities should contract with vendors that will sign BAAs, even if the services provided by such vendors cost far more than those provided by vendors that do not sign BAAs.

At the same time, regulated entities exploring vendor options will need to evaluate whether the disclosure of PHI to such vendors is for a permissible purpose under the HIPAA Privacy Rule. For example, the Updated Guidance reminds regulated entities that the use of, and transmission of PHI to, a vendor must comply with the HIPAA Privacy Rule, e.g., the vendor must be performing a covered function (e.g., health care operations) on behalf of the regulated entity.[16] A regulated entity disclosing PHI to a vendor for marketing purposes without an individual’s HIPAA authorization would constitute an impermissible disclosure, regardless of whether the regulated entity has a BAA in place with such vendor.[17] Further, while vendors that will sign BAAs tend to market their services as HIPAA-compliant, vendors may offer different configurations of their services, only some of which would comply with the Updated Guidance. Accordingly, regulated entities wishing to use online tracking technologies provided by such vendors on their platforms should evaluate, with the assistance of counsel and potentially a forensic consultant, whether they can leverage such technologies to meet their needs and budget in a manner that complies with HIPAA.

Monitor Ongoing Litigation against OCR. As noted above, the American Hospital Association’s lawsuit challenging OCR’s Original Guidance is still pending. This case should be closely monitored, as a decision in the plaintiff’s favor has the potential to rein in the scope of OCR’s guidance for regulated entities using online tracking technologies on unauthenticated pages.

  1. OCR, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” (Dec. 1, 2022) (“Original Guidance”).
  2. OCR, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” (updated Mar. 18, 2024), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (“Updated Guidance”).
  3. American Hospital Association Letter to OCR on HIPAA Privacy Rule, Online Tracking Guidance (May 22, 2023), https://www.aha.org/lettercomment/2023-05-22-aha-letter-ocr-hipaa-privacy-rule-online-tracking-guidance (“AHA Letter”).
  4. See American Hospital Ass’n v. Rainer, Case No. 4:23-cv-01110-P, Compl. ¶ 1 (N.D. Tex. Nov. 2, 2023) (“AHA Lawsuit”).
  5. OCR refers to HIPAA-covered entities and their business associates as “regulated entities.” See Original Guidance; Updated Guidance.
  6. See Ropes & Gray Client Alert, Use of Tracking Technology – Walking the Regulatory Line? (Dec. 15, 2022), https://www.ropesgray.com/en/insights/alerts/2022/12/use-of-tracking-technology-walking-the-regulatory-line.
  7. See Original Guidance.
  8. See id.
  9. See, e.g., AHA Lawsuit.
  10. Updated Guidance.
  11. Updated Guidance.
  12. See Updated Guidance.
  13. Recognizing that OCR labeled the IP address as a “direct identifier” under HIPAA when promulgating the HIPAA Privacy Rule over 20 years ago when the internet was far less developed than it is today, stakeholders have increasingly expressed skepticism regarding whether an IP address should, in fact, carry such designation. In the AHA Letter, the American Hospital Association and other stakeholders took issue with the OCR Guidance’s treatment of “a mere IP address as a unique identifier under HIPAA,” noting:

    [A]n IP address is simply a long string of numbers assigned to every device connected to a network that uses the Internet. Critically, the IP address identifies the computer, smart phone, tablet or other device, whether it is in someone’s home, office, a public library, apartment building or somewhere else. As such, that device could be associated with a particular person or it could be shared by many different people.

    The use of the IP address as a direct identifier may be particularly problematic in the context of a mobile device, as a mobile device accessing the internet through Wi-Fi is assigned the IP address of the wireless network to which the device is connected, which may include public Wi-Fi networks that could not reasonably be used to identify an individual (e.g., an IP address associated with a Wi-Fi network in a coffee shop).

  14. See Updated Guidance.
  15. Updated Guidance.
  16. Updated Guidance.
  17. Updated Guidance.