On March 18, 2024, the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services ("HHS") published updated guidance on the use of online tracking technologies by HIPAA covered entities and business associates (the "2024 Update"). The 2024 Update replaces the original guidance that OCR published on December 1, 2022 (the "2022 Guidance"). The 2024 Update attempts to clarify when information captured by tracking technologies constitutes individually identifiable health information ("IIHI") and provides guidance to covered entities and business associates on their obligations with respect to the use of online tracking technologies.
Background:
The OCR generally defines a tracking technology as "a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app." "Cookies" and "pixels" are common examples of tracking technologies. It's no secret that tracking technologies are ubiquitous on the internet, and anytime a person visits a website, there is a strong likelihood that information connected to that person is being collected by a tracking technology. However, when a person visits a website that belongs to a covered entity or a business associate and a tracking technology collects information while the person on the website (e.g., your IP Address), is that information subject to HIPAA?
This question received significant attention in the second half of 2022 following an article published in The Markup which claimed that websites for 33 of Newsweek's top 100 hospitals had a tracker, called the Meta Pixel, which sent sensitive data to Facebook whenever a visitor to the website clicked a button to schedule a doctor's appointment. Following the The Markup article, several class action lawsuits were filed against health care providers named in the article. However, given there is no private right of action under HIPAA, most of these lawsuits involved privacy tort claims or claims arising under state privacy or federal wiretap statutes. At the end of 2022, OCR published the 2022 Guidance to clarify the responsibilities of covered entities and business associates under HIPAA with respect to tracking technologies.
OCR stated in the 2022 Guidance that the disclosure of information to a tracking technology vendor by way of a tracking device is a disclosure for purposes of HIPAA. Therefore, if such disclosed information is PHI, an exception or authorization under HIPAA would be required. On the question of whether the disclosed information is PHI, OCR concluded in the 2022 Guidance that IHII "collected on a regulated entity's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity." Some providers challenged the 2022 Guidance as overreaching, particularly when applied to the collection of IP Addresses on unauthenticated webpages (i.e., public webpages that do not require login information or user authentication), as evidenced by the Complaint filed in 2023 against HHS by the American Hospital Association (the "AHA"), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System in response to the 2022 Guidance (the "AHA Complaint").
How the Updated Guidance Differs from the 2022 Guidance:
With respect to tracking on user-authenticated webpages (i.e., pages that require a log in or authentication from the visitor), the OCR's position in the 2024 Update remains unchanged from the 2022 Guidance—tracking technologies on user-authenticated webpages generally have access to PHI and such webpages must be configured to allow tracking technologies to only use and disclose PHI in compliance with the Privacy Rule. However, with respect to unauthenticated webpages (perhaps in response to the challenges received from providers to the 2022 Guidance), the OCR added to the 2024 Update that "the mere fact that an online tracking technology connects the IP Address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care." Therefore, the 2024 Update suggests that so long as the website visitor's visit to an unauthenticated webpage is not related to the visitor's past, present or future health, health care or payment for health care, then the collection of the visitor's IP Address and disclosure of such information to a third-party vendor would not be subject to HIPAA.
HIPAA and its regulations have long deemed an individual's IP Address to be identifiable information, therefore this clarification from OCR is helpful to covered entities and business associates to the extent that it acknowledges that the collection of IP Addresses or other identifying information in connection with visits to unauthenticated webpages does not always result in PHI subject to the Privacy Rule and Security Rule. However, this new guidance also creates a potentially challenging standard for regulated entities to put into practice because regulated entities are put in the position of needing to infer each visitor's intent when visiting their website. The illustrations that the OCR provides in the 2024 Update to distinguish what is and what is not a disclosure of PHI to tracking technology vendors highlight this conundrum. For example, the OCR states that the collection and transmission of a student's visits to a hospital's webpage listing oncology services in connection with writing a term paper on the changes in the availability of such services before and after the COVID-19 public health emergency would not constitute a disclosure of PHI, while the collection and transmission of an individual's visits to such pages in connection with seeking a second opinion on treatment options would be a disclosure of PHI. From the perspective of the hospital, determining whether the individual visiting the oncology services webpage is a student doing research for a term paper or a prospective patient seeking a second opinion for treatment, may not be possible.
Operationalizing the 2024 Update
Because the 2024 Update was not developed through the process of notice and comment rulemaking, the 2024 Update is a sub-regulatory document that does not have the force and effect of law. However, the OCR is the primary agency that enforces HIPAA and the 2024 Update reflects OCR's views on the use of tracking technologies and their application to HIPAA. Therefore, covered entities and business associates should not ignore the 2024 Update, and to the extent possible, should attempt to comply with the guidance provided therein.
That said, conforming operations to comply with OCR's guidance regarding tracking devices on unauthenticated webpages may prove challenging for the reasons mentioned above. Consistent with the 2022 Guidance, the 2024 Update states that regulated entities must have a signed business associate agreement ("BAA") with a tracking technology vendor prior to disclosure of PHI. Otherwise, the regulated entity must receive a HIPAA-compliant authorization from each affected individual prior to disclosure of such individual's PHI. According to the 2024 Update (and the 2022 Guidance), banners that ask visitors to accept or reject a website's use of tracking technologies does not constitute a valid HIPAA authorization. OCR added in the 2024 Update that if a vendor refuses to execute a BAA, the regulated entity may execute a BAA with an intermediary that deidentifies the information in accordance with 42 C.F.R. § 164.514 prior to such information being disclosed to the refusing vendor. Therefore, to comply with OCR's most recent guidance, rather than try to infer what each visitor's intent is when visiting its webpages, regulated entities will need to audit their webpages to identify what tracking technologies are in use and what information is being collected. Unless a webpage is clearly not related to health, health care or payment for health care (e.g., a job postings page) and the information collected by the tracking technology on the webpage does not relate to health, health care or payment for health care (e.g., an IP Address), to the extent collected information is transmitted to a third party, the regulated entity will need to execute a HIPAA-compliant BAA either (a) directly with such third party or (b) with an intermediary that will de-identify the collected information before such information is disclosed to the third-party. However, the former may prove challenging because tracking technology vendors may be unwilling to execute BAAs, and the latter may limit the value of the tracking technology due to the data elements that would need to be removed to achieve de-identification under 42 C.F.R. § 164.514 (note that IP Addresses are one of the 18 identifiers that must be removed to achieve de-identification under 42 C.F.R. § 164.514(b)(2)[1]).
Importantly, the OCR maintains that it is prioritizing compliance with the HIPAA Security Rule in investigations involving the use of online tracking technologies. Therefore, covered entities and business associates should prioritize implementing appropriate administrative, physical and technical safeguards with respect to information collected by tracking devices on their webpages. This includes without limitation incorporating the use of tracking technologies in Risk Analysis and Risk Management processes in accordance with 42 C.F.R. § 164.308(a)(1)(ii)(A)-(B).
Lastly, it remains to be seen how the 2024 Update may be affected by pending litigation. The litigation arising from the AHA Complaint is ongoing, and the AHA Complaint requests the court to set aside OCR's guidance to the extent the guidance provides that tracking technology which connects an individual’s IP Address with a visit to an unauthenticated webpage that addresses specific health conditions or healthcare providers is IHII. At present, however, the 2024 Update remains unaffected, and covered entities and business associates should familiarize themselves with this guidance and incorporate it into their strategies for HIPAA compliance.
###
[1] Under 42 C.F.R. § 164.514(b)(1), de-identification may also be achieved if:
A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable: (i) applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination.
