On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In releasing the 2024 update, OCR stated that its purpose was to “increase clarity for regulated entities and the public.” While the update appears to narrow the scope of what OCR considers to be HIPAA protected health information (PHI) in the context of online tracking technologies, it largely reconfirms prior guidance in the 2022 bulletin and will likely have limited practical impact for HIPAA covered entities and business associates (collectively, regulated entities) that have already heeded the 2022 bulletin. For more information about the 2022 bulletin, see our On the Subject and webinar.

IN DEPTH

Background About HIPAA Applicability to Online Tracking Technologies

HIPAA governs regulated entities’ use and disclosure of PHI, which is generally defined as individually identifiable information that relates to the past, present or future physical or mental health or condition of, the provision of health care to, or the past, present or future payment for the provision of health care to an individual. Cookies, pixels and other online tracking technologies might collect and disclose, based on their configurations and placement, information about an individual, including actual or potentially implied health information. In the 2022 bulletin, OCR took the position that data collected by online tracking technologies regarding users on the webpages of regulated entities may constitute PHI if the information includes any individual identifiers on the list enumerated in the HIPAA Privacy Rule’s de-identification standard, such as an IP address.

Since the 2022 bulletin was issued, regulated entities have struggled to understand when the data collected by tracking technologies constitutes PHI. For example, if an individual visits a hospital webpage and explores the available providers within a specialty, perhaps that user is exploring medical care that the user needs (PHI); or, alternatively, perhaps that user is a reporter who is writing a news story and wants to identify an appropriate provider to contact for information (not PHI). This uncertainty is particularly acute with respect to unauthenticated webpages that do not require users to log in before they can access the webpage. The determination of whether data collected by an online tracking technology is PHI is critical because regulated entities are not permitted to disclose PHI to third parties (including to online tracking technology vendors) in a manner that is not permitted by the HIPAA Privacy Rule.

2024 Guidance Changes

The 2022 bulletin garnered significant attention, and criticism, in the industry. For example, the American Hospital Association (AHA) filed a lawsuit in federal court in Texas, arguing that OCR exceeded its authority in restricting the use of common tracking technologies on public-facing webpages. For more information about the AHA lawsuit, see the AHA’s informational website.

The 2024 update appears to be an effort to acknowledge and respond to criticism that the 2022 bulletin was overbroad, especially with respect to whether data collected on unauthenticated webpages is PHI. Notably, OCR acknowledges in the 2024 update that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a website addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”

How to Implement the New Guidance

While OCR’s acknowledgment in the 2024 update is important and a step forward, it leaves open the critical practical question of how a regulated entity could be expected to determine the purpose of a user’s visit to a webpage. OCR’s own examples illustrate the inherent, unresolved tension in its approach. For example, the 2024 update notes that an IP address (which is one of the 18 individual identifiers enumerated in the HIPAA Privacy Rule’s de-identification standard) associated at that time with the device of a user who is seeking information about oncology may merely pertain to a student working on a term paper. Accordingly, OCR states that this would not be PHI. However, OCR notes that if an individual looks at the same information to secure a second medical opinion, the disclosure of an IP address associated at that time with the user’s device would involve PHI. OCR provides no practical guidance as to how a regulated entity could distinguish the motivations of these two visitors to an unauthenticated webpage.

The 2022 bulletin and the 2024 update also note that regulated entities may disclose PHI through tracking technologies to third parties with which they have entered into business associate agreements. For example, a covered entity could engage a business associate to provide analytics services regarding website user behavior. However, OCR notes that many third parties working in this area historically have indicated that they will not enter into business associate agreements. In these cases, OCR recommends that the regulated entity engage a “customer data platform vendor” as a business associate. This vendor would then de-identify the data before sharing it with another third party, including, for example, an analytics services provider. OCR also notes that, if a business associate and/or de-identification approach is not feasible, the regulated entity could obtain HIPAA-compliant authorizations from the individuals for the disclosures. However, obtaining such authorizations may not always be practical for regulated entities. (Note that the 2024 update continues the agency’s prior position that website banners seeking acceptance or non-acceptance of data tracking tools do not constitute a HIPAA authorization.)

Clarity About OCR Enforcement Priorities 

OCR emphasized that it remains focused on enforcement and is “prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.” This is a puzzling statement, given that OCR’s primary focus to date in this area has seemed to arise from the HIPAA Privacy Rule, which governs permissible uses and disclosures of PHI.

We also note that the 2024 update, like the 2022 bulletin, is sub-regulatory guidance and is not the result of a formal notice-and-comment rulemaking process. Therefore, the 2022 bulletin and 2024 update both state OCR’s view of what HIPAA prohibits, allows and requires, but they do not have the force of law.

Even full compliance with HIPAA on this topic does not guarantee compliance with overlapping federal and state laws, such as the wiretapping statutes under which numerous putative class action lawsuits have been filed related to tracking technologies – against HIPAA-regulated entities and others – in recent years.

Next Steps

We recommend that regulated entities consider the following steps – in consultation with privacy compliance, digital marketing and technology teams and legal counsel – to address the 2024 update (if such steps were not already taken in response to the 2022 bulletin):

• Seek advice from knowledgeable in-house or outside legal counsel from the start and take appropriate steps to establish and maintain attorney-client privilege protection over appropriate communications, analyses and other materials
• Ensure the entity has a current and complete understanding of all cookies, pixels and other tracking technologies deployed on each page of its website
• Identify any of the 18 HIPAA Privacy Rule-specified identifiers that may be disclosed to third parties through tracking technologies
• Identify any health-related events or other content that may be disclosed to tracking technology vendors through tracking technologies
• Evaluate whether the information disclosed is PHI, informed by OCR’s interpretation of the HIPAA Privacy Rule set out in the 2024 update
• Explore whether web design features, content or other factors may be helpful in better understanding user motivations
• Identify any terms of service, business associate agreements, privacy policies or other documents governing the information that is disclosed through tracking technologies
• Ensure that all privacy policies and other public- or patient-facing descriptions of the entity’s practices with respect to website/mobile application browsing data fairly and accurately reflect the entity’s actual, current practices
• If any of the information disclosed through a tracking technology is PHI and no business associate agreement is in place with the tracking technology vendor, consider whether to remove the tracking technology and evaluate whether any past practices are a reportable breach under the HIPAA Breach Notification Rule
• Develop a compliance review and approval process for the assessment of proposed new deployments of tracking technologies