On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its December 2022 guidance for HIPAA-regulated entities regarding the use of online tracking technologies on websites and apps. This updated guidance arrives amid an ongoing trend of litigation over the use of online tracking technologies, widespread calls from the health care industry for further clarity on OCR’s interpretation of HIPAA as it relates to these technologies, and a lawsuit challenging OCR’s enforcement of the December 2022 rule in litigation.

While the latest update appears intended to address confusion created by the initial December 2022 bulletin, many open questions remain. We have compared the new guidance to OCR’s December 2022 guidance and highlight the key takeaways below. 

What’s New?

Focus on the nature of the visit to a webpage

When tracking technologies–a term broadly including cookies, web beacons, pixels and other methods of automatically tracking online activity–are deployed on a website or app, they collect information on user interactions with those websites or apps, as well as the device, operating system, and browser used to access the websites or apps. OCR has previously advised that HIPAA’s Privacy and Security Rules may be implicated when such collection is outsourced by HIPPA-regulated entities to third-party companies and that information includes protected health information (PHI). 

The updated guidance reiterates that information collected on a regulated entity’s website may constitute individually identifiable health information (IIHI)–and by extension PHI–even if the individual had no prior relationship with the regulated entity and even if the information does not include specific treatment or billing information. However, OCR has now added a caveat, stating that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.” 

Put another away, if the visit to the webpage is related to an individual’s health, health care or payment for health care, then the information would be IIHI (and by extension, PHI). This emphasis on the nature of the user’s visit to the webpage in determining whether or not the information collected about that user is PHI is echoed throughout the OCR’s updated guidance with respect to unauthenticated webpages and apps, discussed in more detail below.  

(Some) clarification about tracking on unauthenticated pages

A central question has been whether and in what circumstances tracking data can be considered PHI when collected on webpages where visitors are not required to login–commonly referred to as “unauthenticated” webpages. This question is the primary subject of the OCR’s updated guidance, as its guidance on a regulated entity’s use of tracking technologies on authenticated pages is unchanged (i.e., where a user is required to login to access the content of the webpage) is unchanged.

OCR confirms its previous guidance regarding unauthenticated webpages that provide general information about a regulated entity, such as the entity’s location, visiting hours or employment opportunities: Tracking technologies on these pages often collect information (such as a user’s IP address, device type or pages a user visited) that is not PHI because it is not related to the individual’s past, present or future health, health care or payment for health care.

However, OCR also states that certain interactions on unauthenticated webpages may result in the collection of PHI. The guidance offers two examples to attempt to illustrate this question:

• In the first example, a user visits a hospital’s unauthenticated webpage to view the hospital’s available oncology services. The user does so as a student researching the changes in the availability of certain medical services. The OCR states that in this circumstance, the data collected about the student’s interaction with the webpage is notPHI because it does not relate to the student’s health, health care or payment for health care.
• The second example appears to involve the same hospital webpage about available oncology services. In this example, however, a user is visiting the page to seek a second opinion on treatment options for the user’s brain tumor. Here, OCR states that the user’s visit is related to the user’s past, present, or future health or health care, and thus the information collected about that individual’s visit to the webpage constitutes PHI.  

What can we take away from these examples? It appears that whether or not information collected on unauthenticated webpages is PHI can hinge solely on the user’s intent. While other factors such as webpage content and authentication may be easier to identify and control, informational webpages such as those described in OCR’s two examples pose an immediate challenge because HIPAA compliance would seem to depend on the website owner’s difficult task of verifying the intent of anonymous visitors.  

Reminder that apps developed by or for regulated entities probably transmit PHI

The updated guidance states that information collected by a regulated entity’s app, including information uploaded into the app and collected automatically from an app user’s device (such as an IP address or device ID) is “generally” PHI. OCR offers the example of a patient using a health clinic diabetes management app to track glucose levels and insulin doses. Here, OCR states that tracking technologies deployed on such an app would collect PHI, because the individual’s use of the app is related to the individual’s health condition (here, diabetes), and when combined with individually identifying information such as an IP address or device ID captured by tracking technologies, it would constitute IHII, and by extension, PHI. As with much of the new content in the updated guidance, the OCR seems to underscore the importance of the individual’s intended purpose in accessing a regulated entity’s online content.

As a reminder, information that users voluntary download or enter into apps that are notdeveloped or offered on behalf of regulated entities is not PHI. Nevertheless, such information could be considered consumer health data, which has been an ongoing focus of the Federal Trade Commission and lawmakers in Washington state, Connecticut, Nevada and elsewhere.

Emphasis that a BAA or express individual authorization is a must

Any disclosure of PHI to a tracking technology vendor requires the regulated entity to either execute a Business Associate Agreement (BAA) or obtain individual HIPAA authorization to make the disclosure. OCR has noted that it is insufficient to have a tracking technology vendor simply agree to remove PHI from the information it receives, or de-identify the PHI before the vendor saves or stores the information, without also executing a BAA. OCR guidance also continues to state that cookie banner preferences do not constitute valid HIPAA authorization.

The additional guidance proposes one solution in the event that a tracking technology vendor will not provide written assurances to adequately safeguard PHI through a BAA. In such instances, the guidance suggests, the regulated entity could enter into a BAA with another vendor (e.g., a “Customer Data Platform”) to deidentify the tracking information, and that vendor could then in turn provide the de-identified information to the tracking technology vendor.

What’s Next?

Regulated entities should continue to address website tracking as an enforcement risk. In a new section titled “Enforcement Priorities,” OCR underscores that it “is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.” This warning echoes the OCR and FTC’s joint letter sent in July 2023 to approximately 130 hospital systems and telehealth providers alerting them to the risk stemming from the deploying online tracking technologies on websites and apps. 

Entities across the health care industry should continue to assess their online presence, and in particular, audit their uses of third-party cookies, pixels and other tracking technologies. Because the new guidance underscores that HIPAA’s applicability to tracking data is highly contextual, regulated entities must carefully consider risk and available compliance options. Regulated entities must also ensure that privacy notices, terms of use and consent mechanisms are consistent with HIPAA’s Privacy and Security Rules. Finally, to the extent that data collected via tracking technologies may not be regulated by HIPAA, entities should also carefully evaluate potential obligations under the FTC’s consumer health data rules and recently effective consumer health privacy laws in Washington state, Connecticut, Nevada and elsewhere.