Guidance Updates for HIPAA-Governed Entities Using Online Tracking Technologies

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published updated guidance for organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) on the use of online tracking technologies. The updated guidance is intended to give HIPAA-regulated entities a clearer understanding of how these technologies may be used. OCR has revised its position on how HIPAA applies to these technologies, mainly with respect to IP addresses, which OCR now states are not always considered PHI.

OCR initially released the guidance in December 2022 after learning that the majority of U.S. hospitals had used these technologies on their websites. The technologies send user data to third parties, including Google, Meta (Facebook), and others. Various data about users’ interactions with websites and applications is collected and transmitted, and that data can include protected health information (PHI).

The original guidance stated that HIPAA-regulated entities may not use these technologies unless a business associate agreement (BAA) is signed with the technology vendor and the disclosures of PHI are permitted by the HIPAA Privacy Rule. Alternatively, authorization must be obtained from users before their data is sent to third parties. OCR had previously stated that it was prioritizing enforcement against non-compliant use of online tracking technologies. In July 2023, the Federal Trade Commission (FTC) and OCR sent warning letters to about 130 healthcare providers and telehealth companies about the risks of using these technologies and the likelihood of impermissible PHI disclosures.

OCR Faces Lawsuit Because of the Tracking Technology Guidance

Since the companies offering these technologies generally do not sign BAAs with HIPAA-covered entities, and obtaining authorization from individuals is costly and impractical, HIPAA-regulated entities generally cannot use these technologies without potentially violating the HIPAA Rules. The American Hospital Association (AHA) asked OCR to reconsider its guidance. When OCR did not, the AHA filed a lawsuit challenging the legality of the guidance. The AHA argues that these technologies are important to the functioning of websites and that prohibiting their use ultimately harms healthcare organizations and patients. Moreover, even though HIPAA-covered entities were not permitted to use these technologies, the code remained on numerous government websites, including Tricare.mil, Health.mil, Medicare.gov, and various Veterans Health Administration sites.

Online Tracking Technology Guidance Explains OCR’s Position

OCR’s updated guidance provides an overview of how the HIPAA Rules apply to tracking technologies, including examples of when the code may and may not be used, tips for complying with HIPAA, and OCR’s enforcement priorities regarding online tracking technologies. In the revised guidance, OCR stated that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. Protected health information is information relating to an individual’s past, present, or future health, healthcare, or payment for healthcare that includes identifiers linking the data to the individual or allowing the individual to be identified.

When any such information is collected on a website, the technologies cannot be used without a business associate agreement with the company providing the code, and the disclosures must be permitted by the HIPAA Privacy Rule, or authorization must be obtained from individuals. Authorization cannot be obtained by describing these disclosures in the Notice of Privacy Practices, by displaying a pop-up or banner on the website stating that use of the site may involve the disclosure of health information to a third party, or by asking a user to accept or reject cookies. A valid HIPAA authorization is required.

OCR recommends that if a vendor will not sign a BAA covering the use of the code, the entity should look for a different vendor that will enter into a BAA. Alternatively, a customer data platform vendor may be used that de-identifies the PHI before sending the data to a third party. It is not permitted to send PHI to a vendor without a BAA, regardless of whether the vendor states that it will remove any identifying information after the disclosure. The collection of PHI is more likely on user-authenticated pages, such as patient portals; however, PHI can also be exposed on unauthenticated pages. For example, on an appointment scheduling page that collects no health information, if a user enters their email address and that information is sent to a third party, that is an impermissible disclosure of PHI.
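The two controls described above (do not send tracking data from PHI-bearing pages to a vendor without a BAA, and strip identifiers such as an email address before anything reaches a third party) can be enforced in a site's own tag layer before the vendor script ever sees the event. The following is an added example written for this article, not code from OCR, the AHA, or any tracking vendor. The field names, the path prefixes treated as PHI areas, the sample events, and the `vendorHasBAA` option are constructed assumptions for illustration.

```javascript
// Added example (not from the OCR guidance): a gate placed between a page's
// analytics data layer and a third-party tracking vendor. It blocks events
// from pages presumed to hold PHI unless the vendor is under a BAA, and
// scrubs direct identifiers (email, IP, phone) from every event it forwards.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;
const PHONE_RE = /\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/;

// Field names that carry direct identifiers (constructed list; extend per site).
const IDENTIFIER_KEYS = new Set([
  "email", "ip", "client_ip", "phone", "mrn", "dob", "name", "patient_id",
]);

// Path prefixes where PHI is presumed, e.g. authenticated portal areas (constructed).
const PHI_PATH_PREFIXES = ["/portal/", "/myhealth/", "/appointments/"];

// Heuristic check of a field value for an email address, IPv4 address or phone number.
function looksLikeIdentifier(value) {
  if (typeof value !== "string") return false;
  return EMAIL_RE.test(value) || IPV4_RE.test(value) || PHONE_RE.test(value);
}

// Decide whether an event may leave the page and, if so, what may be sent.
// event = { path: string, fields: { [name]: value } }
// Returns { allowed, reason, payload }; payload is null when blocked.
function gateTrackingEvent(event, opts = { vendorHasBAA: false }) {
  const onPhiPage = PHI_PATH_PREFIXES.some((p) => event.path.startsWith(p));
  // Without a BAA, nothing from a PHI-bearing page may go to the vendor at all.
  if (onPhiPage && !opts.vendorHasBAA) {
    return { allowed: false, reason: "phi-page-without-baa", payload: null };
  }

  const scrubbed = {};
  const removed = [];
  for (const [key, value] of Object.entries(event.fields || {})) {
    if (IDENTIFIER_KEYS.has(key.toLowerCase()) || looksLikeIdentifier(value)) {
      removed.push(key); // drop the identifier rather than forward it
      continue;
    }
    scrubbed[key] = value;
  }
  return {
    allowed: true,
    reason: removed.length ? "scrubbed:" + removed.join(",") : "clean",
    payload: { path: event.path, fields: scrubbed },
  };
}

// Constructed sample events, mirroring the article's cases: an unauthenticated
// scheduling page where a visitor typed an email address, a portal page, and
// a public services page.
const SAMPLE_EVENTS = [
  { path: "/schedule", fields: { page_title: "Schedule an appointment", email: "jane@example.com" } },
  { path: "/portal/results", fields: { page_title: "Lab results" } },
  { path: "/services/oncology", fields: { page_title: "Oncology services", client_ip: "203.0.113.7" } },
];

// Run the gate over the samples and print what would reach a vendor without a BAA.
function demo() {
  for (const ev of SAMPLE_EVENTS) {
    const r = gateTrackingEvent(ev);
    console.log(ev.path, "->", r.allowed ? "SEND" : "BLOCK", r.reason, JSON.stringify(r.payload));
  }
}
demo();
```

Two caveats a practitioner should keep in mind. First, the gate only controls what the page puts in the event body; the visitor's IP address is disclosed by the network request itself the moment the browser contacts the vendor, which is why the article's server-side option (a customer data platform that de-identifies before forwarding) is the stronger control. Second, the heuristics above catch common identifier formats, not every possible one, so the allow-list of fields that may ever be sent should be reviewed as part of the Security Rule risk analysis rather than relied on as a complete filter.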

For some web pages, the nature of the visit determines whether HIPAA applies. In particular, the guidance clarifies how IP addresses are treated. IP addresses can identify an individual and so, under the original guidance, would be considered PHI regardless of the nature of the visit. OCR has now explained that the nature of the visit matters, a change that was almost certainly prompted by the AHA lawsuit. OCR stated that IP addresses are PHI only in certain circumstances.

For example, if a student is researching oncology services while studying the availability of those services before and after the pandemic, the collection and transmission of their IP address and other personally identifiable information (PII) to a third party without a BAA does not violate HIPAA, because HIPAA does not apply: no PHI is involved. If a patient browses the same web pages to obtain a second opinion about their diagnosis or cancer treatment, transmitting that information without a BAA would be a HIPAA violation, because that data is PHI. This is not a major change of position for OCR; rather, it is a clarification of what OCR intended when the guidance was published. OCR appears to be making clear that the guidance does not overextend the definition of PHI, as the AHA lawsuit and other legal challenges claim, but that there is potential for online tracking technologies to collect PHI, and HIPAA-covered entities should therefore ensure they have safeguards in place to prevent impermissible disclosures.

OCR also described its enforcement priorities regarding online tracking technologies and stated that it is prioritizing compliance with the HIPAA Security Rule when investigating the use of online tracking technologies. OCR’s primary concern is to ensure that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to protect the integrity, availability, and confidentiality of ePHI.

Determining the nature of a visit, and therefore whether activity on a website involves PHI, is almost impossible, so hospitals should continue to avoid using these technologies, and the concerns raised by the AHA will have to be resolved through litigation.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone