OCR Updates Its Website Tracking Tool Guidance
Highlights
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), has issued an update to its prior guidance on the uses of tracking technologies by healthcare companies.
- Clarification by OCR that the purpose for a person's website visit determines whether information is protected health information provides cold comfort to healthcare companies that have no process for divining the website visitor's intent.
- OCR has doubled down on enforcement by prioritizing compliance with the HIPAA Security Rule in its tracking technology investigations.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued updated guidance on March 18, 2024, regarding the use of online tracking technologies by entities and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA). Perhaps in response to litigation brought by the American Hospital Association (and supported by 17 state hospital associations and 30 hospital systems) challenging its prior guidance issued on Dec. 1, 2022, OCR has clarified its views somewhat regarding the use of these tools, but the new document may provide cold comfort to HIPAA-regulated entities. An analysis of the prior guidance is available in Holland & Knight's previous alert, "HHS Offers HIPAA Guidance on Online Tracking Technologies," Dec. 2, 2022.
The final HIPAA Privacy Rule was issued more than 23 years ago. Since that time, the Privacy Rule has treated an internet protocol (IP) address as a patient identifier. The 2022 guidance made it clear that OCR considers an IP address, any other "unique identifying code" and related information to be protected health information (PHI). One of the criticisms of the 2022 guidance was OCR's apparent assumption that anyone visiting a covered healthcare provider's website was, is or will be a patient of the provider. At that time, OCR concluded that all individually identifiable health information "collected on a regulated entity's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity … ." That language remains in the revised guidance.
Though OCR acknowledges in the revised guidance that "the mere fact that an online tracking technology connects the IP address of a user's device (or other identifying information) with a visit to a website addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the webpage is not related to an individual's past, present, or future health, health care, or payment for health care," the new guidance is silent regarding how a regulated entity could determine the purpose of a person's visit to a web page.
The revised guidance gives examples of situations where website visits might not disclose PHI. For example, a visit to a hospital's webpage that provides information about the hospital's job postings or visiting hours would not involve a disclosure of PHI. Transmitting the IP address of a student visiting an oncology webpage in order to write a term paper would not involve a disclosure of PHI. On the other hand, transmitting the IP address of an individual visiting an oncology-related webpage in connection with seeking a second opinion would involve a disclosure of PHI. According to the guidance, whether a disclosure of an IP address violates HIPAA apparently depends on the intent of the website visitor. It seems unlikely that a regulated entity would have a reliable way to assess the intent of each visitor to each webpage.
The new guidance discusses how regulated entities could address situations where website tracking tool vendors are unwilling to sign HIPAA business associate agreements (BAAs) with the regulated entity. One option is for the regulated entity to enter into a BAA with a "Customer Data Platform vendor" that could de-identify the online tracking information constituting PHI and then provide the de-identified data to the tracking technology vendor. The other option is for the regulated entity to obtain written authorization from all individuals whose information is to be disclosed to a tracking vendor that would otherwise meet the definition of a business associate. Consistent with the prior guidance, website banners seeking acceptance or rejection of tracking technology use are not a sufficient form of authorization.
Rather than soften its stance in response to pending litigation and industry concerns, OCR appears to be doubling down on its earlier position. In fact, the March 18, 2024, document states that "OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies."
Healthcare companies should continue to assess uses of tracking technology, incorporate assessments into security risk analysis and management, and take other reasonable steps in consideration of the March 18, 2024, updated guidance from OCR.
For additional information, please contact the authors or a member of Holland & Knight's Data Strategy, Security & Privacy Team.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.