Healthcare Organizations Beware: Online Tracking Technologies Remain a Point of Emphasis

In a pivotal update to HIPAA regulations, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has issued revised guidance (“Revised Guidance”) concerning the use of online tracking technologies by covered entities and their business associates. This guidance is particularly relevant to entities that utilize tracking technologies, such as Google Analytics or Meta Pixel, to gather data on users interacting with their websites or mobile applications, a common practice among providers aiming to enhance care, patient experience, and website utility.

Background

OCR first issued guidance on tracking technologies in December of 2022 (“Original Guidance”), making a key distinction between webpages dealing with authenticated and unauthenticated users. “User authenticated webpages” were defined as “webpages that users can access only after they log-in to the webpage, such as by entering a unique user ID and password or other credentials.” “Unauthenticated webpages,” on the other hand, refer to “webpages that are publicly accessible without first requiring a user to log in to such webpage.” The Original Guidance identified only two exceptions where information collected from unauthenticated webpages would constitute protected health information (PHI). The first is a log-in page on a covered entity’s patient portal or other user registration page where users input their log-in credentials; the second is an unauthenticated webpage that addresses specific health conditions or permits users to search for doctors and schedule appointments, where tracking technologies collect the IP address or email address of such users.

OCR’s Original Guidance prompted a swift response from regulators, healthcare providers and plaintiffs’ attorneys. In July 2023, OCR and the Federal Trade Commission (FTC) jointly issued warning letters to 130 healthcare organizations over the use of tracking tools. A few months later, OCR and the FTC published these same letters, and in doing so publicly named the organizations involved, signaling how seriously regulators intended to enforce the online tracking technologies guidance. In turn, the American Hospital Association (AHA), in tandem with other healthcare providers, filed a lawsuit challenging OCR’s authority to govern online tracking technologies.[3] Moreover, a number of lawsuits have been filed against healthcare providers over their use of online tracking tools and the impermissible disclosure of patient data to third parties.[4]

Key Points of the Updated HIPAA Guidance

  • Scope of HIPAA Rules: The guidance clarifies that HIPAA rules apply when online tracking technologies collect or disclose protected health information (“PHI”).

  • Prohibited Disclosures: Entities are prohibited from using tracking technologies in a manner that results in impermissible disclosures of PHI, including for marketing purposes without proper HIPAA-compliant authorizations.

  • Definition of PHI: The guidance elaborates on what constitutes PHI in the context of online tracking, particularly with respect to users of unauthenticated webpages. This includes data that might not traditionally be viewed as health information, such as IP addresses and device identifiers, when they can be linked to health care services.

  • Examples and Compliance: Offering specific examples, the revised guidance illustrates scenarios where the collection of information might or might not be considered a disclosure of PHI. This aims to help entities navigate the complex landscape of online interactions and ensure compliance.

  • Implications for Compliance and Enforcement: Notwithstanding the legal challenges to OCR’s authority described above, the Revised Guidance serves both as a warning and a call to action for entities to carefully review and, if necessary, adjust their practices to avoid impermissible disclosures of PHI.

Actionable Information for Regulated Organizations

  1. Review Online Tracking Practices: Organizations should closely examine their use of online tracking technologies, including third-party services, to ensure that any collection, use, or disclosure of PHI complies with HIPAA rules. Many providers or business associates may be unaware that they use online tracking technologies at all, making the exercise of identifying such technologies and evaluating the need for them mission critical.

  2. Assess Authorization Processes: Ensure that any marketing activities involving PHI have the appropriate HIPAA-compliant authorizations in place, paying close attention to the nuances of what information is being collected and shared. For example, organizations that disclose PHI through tracking technologies to third parties should ensure a Business Associate Agreement (BAA) exists between the parties. If a BAA remains impractical, the organization must obtain direct authorization from an individual prior to disclosure.

  3. Enhance Privacy Protections: Strengthen privacy measures around websites and mobile applications, particularly those that could inadvertently collect PHI. Consider user consent mechanisms and transparent privacy policies as part of these protections.

  4. Educate Staff and Vendors: Provide training and resources to staff and third-party vendors about the importance of HIPAA compliance in the use of online tracking technologies and the specific requirements outlined in the updated guidance.

  5. Monitor Regulatory Developments: Stay informed about further updates or interpretations of HIPAA rules related to online tracking and digital technologies, as the regulatory landscape is rapidly evolving.

Conclusion

The OCR's Revised Guidance on the use of online tracking technologies under HIPAA marks a critical step in addressing the privacy concerns that accompany the digital age. Covered entities and business associates must now navigate these guidelines carefully, balancing the benefits of technology with the protection of patient privacy. By adhering to these principles and taking proactive steps to ensure compliance, healthcare providers and their partners can leverage online tools effectively while upholding their commitments to patient privacy and data protection.

To learn more about how the use of online tracking technologies may affect your organization, please reach out to a Ritter Gallagher attorney at contact@rittergallagher.com

————————————————————-

1) U.S. Department of Health and Human Services, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” Fn 11 (Dec. 1, 2022) (“Original Guidance”).
2) Id. at Fn 12.
3) American Hospital Association, “AHA files brief in its challenge to HHS online tracking rule” (Jan. 5, 2024).
4) See In re: Advocate Aurora Health Pixel Litigation, Case No. 2:22-cv-1253 (E.D. Wash.) (Feb. 24, 2023).
