On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA. We discussed the original guidance in our previous post on this issue. The original guidance is no longer available on the HHS website. Nor does OCR highlight the deletions and other changes from the original version, or the reasons for its revisions.

In its updated guidance, OCR appears to have retreated, in some respects, from its original guidance including by recognizing that there are instances where the “mere fact” that certain electronic information (such as IP address) is collected coupled with a visit to a webpage listing specific health conditions or health providers are an insufficient combination of electronic information to identify the individual and the individual’s health condition or care required to fall within the definition of PHI. OCR has now also opined that the information collected may not be PHI depending on the individual user’s reason for visiting a Regulated Entity’s unauthenticated pages on a website or mobile app. The updated guidance, however, continues to adhere to certain principles set forth in the previous version, but with the added assumption that Regulated Entities’ may permissibly collect and disclose electronic information depending on each individual’s reason for visiting unauthenticated sections of particular websites or mobile apps.

The updated guidance does not address how an individual’s reason for visiting its website (in order for the Regulated Entity to determine whether information collected in the use of online tracking technologies constitutes PHI or not) can be discerned at the point of collection through these automated electronic processes. Nor does the guidance expressly state that consideration of the reason for the individual’s visit may be considered by OCR in its enforcement efforts.

Overview of the Revised OCR Changes

Tracking Technologies on Unauthenticated Webpages

In the updated guidance, OCR offers a clarifying statement with respect to IP addresses, noting that, “the mere fact that an online tracking technology connects the IP address of a user's device (or other identifying information) with a visit to a website addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the webpage is not related to an individual's past, present, or future health, health care, or payment for health care.” (emphasis added).

The updated guidance generally focuses on the use of online tracking technologies on unauthenticated webpages (i.e., portions of websites which do not require users to log in before they are able to access the webpage). The guidance includes examples to illustrate when certain visits to an unauthenticated webpage may or may not involve the disclosure of PHI:

• In the first instance, OCR explains that if the online third-party tracking technologies on the unauthenticated webpages do not have access to information relating to an individual’s past, present, or future health, health care, or payment for health care, then a user’s visit to the webpage does not result in a disclosure of PHI to a third-party tracking technology vendor. For example, OCR purports that if a user “merely” visits a hospital’s webpage to access the hospital’s job postings or visiting hours, the collection and transmission of information reflecting the user’s visit to the webpage – including the user’s IP address, geographic location, or other identifying information – would not involve an impermissible disclosure of an individual’s PHI to the online tracking technology vendor. HIPAA Rules would therefore not apply because the online tracking technologies lacked access to the individual’s past, present, or future health, health care, or payment for health care.
• Similarly, OCR posits that if a user’s visit to an unauthenticated webpage is “not related to” the individual’s past, present, or future health, health care, or payment for health care, then that user’s visit to the unauthenticated webpage does not result in a disclosure of PHI to an online tracking technology vendor. In particular, the updated guidance raises a scenario where the collection and transmission of information relates to a student writing an oncology term paper who visits a hospital’s oncology services listing webpage. OCR opined that under such a scenario, the information collected and disclosed would not constitute PHI, even if the information could identify the student.
• By contrast, OCR presents another scenario where an individual looks at the same hospital oncology webpage for a services listing for the purpose of seeking personal treatment options. In that scenario, OCR opines that the individual’s identifying information showing the visit to that webpage would be considered PHI “if the information is both identifiable and related to the individual’s health or future health care.”
• Furthermore, OCR clarifies that if an individual visits a Regulated Entity’s webpage and makes an appointment with a health care provider then third-party online tracking technologies that collect the “individual’s email address” and “reason for seeking health care typed or selected” would constitute a disclosure of PHI. Similarly, OCR posits that if an individual enters symptoms in an online tool to obtain a health analysis related to their own treatment, the collection of such information by a third-party online tracking technology would constitute a disclosure of PHI. However, it is possible that use of an online tool by an individual for health analysis unrelated to such individual’s personal treatment (e.g., if a student conducts research for a term paper) would not constitute a disclosure of PHI.

OCR Enforcement Priorities

Lastly, OCR’s updated guidance highlights the agency’s priorities to investigate Regulated Entities’ use of online tracking technologies to prevent unauthorized access that could “lead to harm to individuals.” OCR explains that it is prioritizing compliance with the HIPAA Security Rule in its investigations. The agency is principally interested in “ensuring that Regulated Entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI.”

Considerations for Regulated Entities

OCR’s updated guidance regarding Regulated Entities’ use of online tracking technologies on webpages and mobile apps potentially introduces a new variable for Regulated Entities to consider in their risk analysis when determining how to handle information that is collected and shared with third-party tracking technology vendors: i.e., the user’s intent for visiting the webpage or using the mobile app. OCR’s newest examples in the updated guidance appear to require Regulated Entities consider the risk related to the intent of individuals when they visit unauthenticated webpages or mobile apps.

However, the updated guidance is silent with respect to how a Regulated Entity could determine at or before the point of collection particular user intent. OCR appears to presume that intent may be discernible, in part, by a Regulated Entity based on the individual’s likely reason given the activity or functionality permitted on the webpage (e.g., it is likely that a user scheduling an appointment using the Regulated Entity’s webpage is for reasons related to the individual’s own healthcare). Yet in other instances, users’ visits to unauthenticated informational webpages may be impossible for the Regulated Entity to discern. Accordingly, absent any further guidance from OCR or enforcement activity focused on this point, Regulated Entities will likely have to wrestle with how to incorporate these new examples into their own risk-based practices to remain compliant with the now updated guidance.

Additionally, OCR’s new statement regarding its enforcement priorities offers Regulated Entities insight to inform compliance efforts. Specifically, Covered Entities and their Business Associates should consider immediately focusing their resources toward ensuring that use of their online tracking technologies on their webpages and mobile apps complies with the HIPAA Security Rule and the revised guidance.