On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA. We discussed the original guidance in our previous post on this issue. The original guidance is no longer available on the HHS website. Nor does OCR highlight the deletions and other changes from the original version, or the reasons for its revisions.

In its updated guidance, OCR appears to have retreated, in some respects, from its original guidance, including by recognizing that there are instances where the “mere fact” that certain electronic information (such as an IP address) is collected, coupled with a visit to a webpage listing specific health conditions or health providers, is an insufficient combination of electronic information to identify the individual and the individual’s health condition or care, as required to fall within the definition of PHI. OCR has now also opined that the information collected may not be PHI depending on the individual user’s reason for visiting a Regulated Entity’s unauthenticated pages on a website or mobile app. The updated guidance, however, continues to adhere to certain principles set forth in the previous version, but with the added assumption that Regulated Entities may permissibly collect and disclose electronic information depending on each individual’s reason for visiting unauthenticated sections of particular websites or mobile apps.

The updated guidance does not address how an individual’s reason for visiting a website (which the Regulated Entity would need in order to determine whether information collected through online tracking technologies constitutes PHI) can be discerned at the point of collection through these automated electronic processes. Nor does the guidance expressly state that OCR will consider the reason for the individual’s visit in its enforcement efforts.

Overview of the Revised OCR Changes

Tracking Technologies on Unauthenticated Webpages

In the updated guidance, OCR offers a clarifying statement with respect to IP addresses, noting that, “the mere fact that an online tracking technology connects the IP address of a user's device (or other identifying information) with a visit to a website addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the webpage is not related to an individual's past, present, or future health, health care, or payment for health care.” (emphasis added).

The updated guidance generally focuses on the use of online tracking technologies on unauthenticated webpages (i.e., portions of websites which do not require users to log in before they are able to access the webpage). The guidance includes examples to illustrate when certain visits to an unauthenticated webpage may or may not involve the disclosure of PHI:

  • In the first instance, OCR explains that if the third-party online tracking technologies on the unauthenticated webpages do not have access to information relating to an individual’s past, present, or future health, health care, or payment for health care, then a user’s visit to the webpage does not result in a disclosure of PHI to a third-party tracking technology vendor. For example, OCR states that if a user “merely” visits a hospital’s webpage to access the hospital’s job postings or visiting hours, the collection and transmission of information reflecting the user’s visit to the webpage – including the user’s IP address, geographic location, or other identifying information – would not involve an impermissible disclosure of the individual’s PHI to the online tracking technology vendor. The HIPAA Rules would therefore not apply because the online tracking technologies lacked access to the individual’s past, present, or future health, health care, or payment for health care.
  • Similarly, OCR posits that if a user’s visit to an unauthenticated webpage is “not related to” the individual’s past, present, or future health, health care, or payment for health care, then that user’s visit to the unauthenticated webpage does not result in a disclosure of PHI to an online tracking technology vendor. In particular, the updated guidance raises a scenario in which the collected and transmitted information relates to a student writing an oncology term paper who visits a hospital’s oncology services listing webpage. OCR opines that under such a scenario, the information collected and disclosed would not constitute PHI, even if the information could identify the student.
  • By contrast, OCR presents another scenario in which an individual looks at the same hospital oncology services listing webpage for the purpose of seeking personal treatment options. In that scenario, OCR opines that the individual’s identifying information showing the visit to that webpage would be considered PHI “if the information is both identifiable and related to the individual’s health or future health care.”
  • Furthermore, OCR clarifies that if an individual visits a Regulated Entity’s webpage and makes an appointment with a health care provider, then third-party online tracking technologies that collect the “individual’s email address” and “reason for seeking health care typed or selected” would constitute a disclosure of PHI. Similarly, OCR posits that if an individual enters symptoms in an online tool to obtain a health analysis related to their own treatment, the collection of such information by a third-party online tracking technology would constitute a disclosure of PHI. However, it is possible that use of an online tool by an individual for a health analysis unrelated to that individual’s personal treatment (e.g., if a student conducts research for a term paper) would not constitute a disclosure of PHI.

OCR Enforcement Priorities

Lastly, OCR’s updated guidance highlights the agency’s priorities to investigate Regulated Entities’ use of online tracking technologies to prevent unauthorized access that could “lead to harm to individuals.” OCR explains that it is prioritizing compliance with the HIPAA Security Rule in its investigations. The agency is principally interested in “ensuring that Regulated Entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI.”

Considerations for Regulated Entities

OCR’s updated guidance regarding Regulated Entities’ use of online tracking technologies on webpages and mobile apps potentially introduces a new variable for Regulated Entities to consider in their risk analysis when determining how to handle information that is collected and shared with third-party tracking technology vendors: namely, the user’s intent in visiting the webpage or using the mobile app. OCR’s newest examples in the updated guidance appear to require that Regulated Entities consider the risk related to the intent of individuals when they visit unauthenticated webpages or mobile apps.

However, the updated guidance is silent with respect to how a Regulated Entity could determine a particular user’s intent at or before the point of collection. OCR appears to presume that a Regulated Entity may discern intent, in part, from the individual’s likely reason for visiting given the activity or functionality permitted on the webpage (e.g., a user scheduling an appointment through the Regulated Entity’s webpage is likely doing so for reasons related to the individual’s own health care). Yet in other instances, the reason for a user’s visit to an unauthenticated informational webpage may be impossible for the Regulated Entity to discern. Accordingly, absent any further guidance from OCR or enforcement activity focused on this point, Regulated Entities will likely have to wrestle with how to incorporate these new examples into their own risk-based practices to remain compliant with the updated guidance.

Additionally, OCR’s new statement regarding its enforcement priorities offers Regulated Entities insight to inform their compliance efforts. Specifically, Covered Entities and their Business Associates should consider immediately focusing their resources on ensuring that the use of online tracking technologies on their webpages and mobile apps complies with the HIPAA Security Rule and the revised guidance.

For additional information about the issues discussed in this post, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.
