Health and Human Services (“HHS”) released updated guidance yesterday on the use of online tracking technologies (like cookies, pixels, software development kits (SDKs), etc.) by HIPAA Covered Entities (the “Updated Guidance”).

The Updated Guidance amends and supersedes HHS’s original guidance on the use of digital tracking technologies published on December 1, 2022 (the “Prior Guidance”).  The Prior Guidance sent shockwaves through the healthcare industry, since its implicit core message seemed to be that healthcare as an industry could no longer digitally engage with customers in the same manner as other U.S. market participants. The Prior Guidance led many leading players to reevaluate their use of online tracking technologies on their websites and mobile apps; however, many felt the Prior Guidance left several open questions.

Instead of making wholesale changes to the Prior Guidance, HHS uses the Updated Guidance to address three such open questions:

1. When is information collected by tracking technologies considered PHI?

HHS’s Answer – Information collected by tracking technologies is considered PHI when it is both individually identifiable health information, and collected for a purpose related to an individual’s past, present, or future health care.  This largely depends on the website or app user’s subjective purpose in using a Covered Entity’s website or app, which is difficult to assess.

2. What can a Covered Entity or Business Associate do if a third party tracking technology vendor (“Vendor”) refuses to sign a BAA?

 HHS’s Answer – Engage an intermediary subject to a BAA, like a “Customer Data Platform,” to capture PHI and deidentify it prior to sharing it with that Vendor.

3. Is OCR going to enforce this Updated Guidance?

HHS’s Answer – Yes, and OCR suggests it may treat sharing PHI via online trackers with Vendors as data breaches under the HIPAA Security Rule.

We provide more detail on these questions and HHS’s answers below.

1. When is information collected by tracking technologies considered PHI?

Generally speaking, PHI is any information that is both individually identifiable health information and collected for a health-related purpose.  HHS leans on the statutory definition to clarify when information collected by tracking technologies qualifies as PHI.  Two things must be true: (1) the information must be “individually identifiable health information” (“IIHI”), and (2) the interaction or visit to the website during which a tracker collects information must be “related to an individual’s past, present, or future health, health care, or payment for health care.”

Specifically, HHS provides, “[T]he mere fact that an online tracking technology connects the IP address of a user’s device … with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health or, health care, or payment for health care.”

• Under this clarification, user data collected from visits to unauthenticated pages that have nothing to do with treatment – e.g., pages related to hospital visiting hours or job postings – is not PHI.
• However, HHS continues to focus on the user’s subjective purpose for visiting a health system website to evaluate whether the data collected by tracking technology – including IP address – amounts to PHI.
• For example, “if a student were writing a term paper on the changes in the availability of oncology services,” letting pixels collect info from his visit to a healthcare website does not share PHI, “even if the information could be used to identify the student.”
• However, under similar facts, if “an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor,” then letting pixels collect that user’s “IP address, geographic location, or other identifying information” does result in a disclosure of PHI.

This clarification may be difficult for businesses to operationalize.  For unauthenticated webpages and mobile apps, companies typically have no way of knowing who a user is or why they are visiting specific web pages.  For example, like HHS indicates, a user who views a hospital’s pages on COVID treatment options may be a student researching a term paper.  Or, it could be a parent researching COVID symptoms on the family computer for her children. Or, it could be an actual patient.  In all these cases, the hospital’s website will see the exact same thing: a device at a specific IP address is asking to access a page containing COVID information.  But there will be no indication as to what a user’s actual subjective purpose is in accessing the COVID information.

It is unclear whether the Updated Guidance is attempting to move Covered Entities to a position where they simply assume every website visitor is a potential patient looking at the site for options on their own treatment or diagnosis.  But this may be its practical effect.

2. What can a Covered Entity or Business Associate do if a Vendor refuses to sign a BAA?

Many healthcare industry companies have now experienced that certain Vendors who provide online tracking technologies will not sign BAAs.  HHS seems to offer a solution it will recognize as HIPAA-compliant: (1) put a “Customer Data Platform”-style vendor in between the Covered Entity and the Vendor that won’t sign a BAA, (2) have the Customer Data Platform deidentify PHI, then (3) send only deidentified data to the Vendor.  In HHS’s words:

[T]he regulated entity can choose to establish a BAA with another vendor, for example a Customer Data Platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI, and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.

Unlike other parts of the Updated Guidance, this may give some comfort to those health care organizations who have already started down this path.  Note, however, that the “deidentification” required to make HHS’s intermediary solution work will retain the meaning it has under HIPAA.  This may potentially be a different deidentification standard than “hashing” or encryption techniques offered by companies that facilitate data-sharing for marketing or advertising. Companies should scrutinize the deidentification techniques offered by intermediaries to confirm they will meet HIPAA requirements.

3. Is OCR going to enforce this Updated Guidance?

According to the Updated Guidance – yes.  HHS added a section on its “enforcement priorities.”  It states, “OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.”

The Security Rule contains HIPAA’s breach-notification rules.  Thus, the Updated Guidance seems to suggest OCR may treat disclosures of PHI to tracking technologies that it views as violating the Updated Guidance as data breaches, and rely on its data-breach enforcement authority in such cases.

[View source.]