On March 18, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technologies by covered entities and business associates (regulated entities) under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules).

Background

OCR originally released this guidance in December 2022. The guidance provided that the HIPAA Rules apply to protected health information (PHI) collected through tracking technologies or disclosed to tracking technology vendors; such PHI could include an individual's IP address or geographic location, medical device IDs, or any unique identifying code. Tracking technology is defined as "a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app."

In order to ensure that use of these technologies complies with the HIPAA Rules, OCR notes that regulated entities must: (1) ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the HIPAA Privacy Rule and that only the minimum necessary PHI to achieve the intended purpose is disclosed (unless an exception applies); (2) establish a Business Associate Agreement (BAA) with any tracking technology vendor that qualifies as a "business associate of the regulated entity"; (3) address the use of tracking technologies in their risk analysis and management processes; and (4) provide the required and applicable breach notifications in the event of an impermissible disclosure of PHI to a tracking technology vendor if such disclosure is not permitted or required by the HIPAA Privacy Rule and there is no BAA in place.

Since issuing the guidance in 2022, OCR has prioritized its enforcement of non-compliant use of online tracking technologies by sending warning letters (jointly with the Federal Trade Commission) to approximately 130 hospitals and telehealth providers describing the risks of online tracking technologies.

March 2024 Updates

OCR recently updated its guidance to further clarify how the HIPAA Rules apply to tracking technologies. Key points from the revised guidance are as follows:

  • OCR maintains its stance that certain information may be PHI even if (1) an individual does not have an existing relationship with the regulated entity, and (2) the information, such as IP address or geographic location, does not include health information. OCR somewhat narrows this broad interpretation by clarifying that "the mere fact that an online tracking technology connects the IP address of a user's device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the webpage is not related to an individual's past, present, or future health, health care, or payment for health care."
  • The guidance now provides a few examples of when visits to a regulated entity's unauthenticated webpage (i.e., a webpage that users can access without logging in) may or may not involve the disclosure of PHI. Broadly, the updates state there is no disclosure of PHI if the online tracking technologies on the website do not have access to an individual's health information or if the visit itself is not related to an individual's health, while tracking technologies on an unauthenticated webpage that permits individuals to schedule appointments or use a symptom-checker tool may have access to PHI in certain circumstances. Although the guidance provides two new examples to illustrate how one website visit (e.g., a student writing a paper on COVID-19) would not constitute a disclosure of PHI, while another website visit (e.g., an individual viewing an oncology services listing to seek a second opinion on treatment options) would be a disclosure of PHI, the guidance does not provide any clarity on how a regulated entity would be able to differentiate between the different visit purposes.
  • In the event that a tracking technology vendor is unwilling to enter into a BAA with a regulated entity, the guidance now offers one solution: the regulated entity may establish a BAA with another vendor (e.g., a "Customer Data Platform" vendor) that will de-identify online tracking information containing PHI, so that only de-identified information is disclosed to the tracking technology vendor. Otherwise, per OCR's 2022 guidance, a regulated entity without a BAA with the tracking technology vendor must obtain individuals' authorizations prior to disclosing any PHI to the tracking technology vendor.
  • OCR elaborates on enforcement priorities in a new paragraph describing its focus on compliance with the HIPAA Security Rule via investigations into the use of online tracking technologies, and that "OCR's principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the [HIPAA] Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI."

OCR's updated guidance maintains a broad view of what constitutes PHI. As such, we urge health care providers and other HIPAA-regulated entities to continue to evaluate their use of tracking technologies (on webpages and mobile apps) and take appropriate steps to ensure compliance with the HIPAA Rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.