Federal Health & Welfare Updates

HHS Modifies Guidance on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

On March 18, 2024, HHS’ Office for Civil Rights (OCR) issued an updated bulletin modifying the guidance it first issued in December 2022 on the use of third-party online tracking technologies by HIPAA-regulated entities, a term that covers both covered entities (such as group health plans) and business associates.

OCR generally defines a tracking technology as a script or code placed on a website or mobile app to gather information about users and their actions as they interact with it. The collected information is then analyzed by the website or app owner, or by third parties, to gain insight into users’ online activities. While OCR acknowledges in its guidance that such insights can be used beneficially (to help improve care and the patient experience, to make webpages and apps more useful, or to allocate resources efficiently), it has also expressed concern about the potential misuse of tracking data to promote misinformation, identity theft, stalking, and harassment.

OCR is particularly concerned about covered entities and business associates relying on third-party tracking technologies rather than technologies developed internally. The bulletin therefore focuses on regulated entities’ obligations when using third-party tracking technologies that send information directly to the third party, which may continue to track users and gather information about them even after they navigate away from the original website to other sites.

The update clarifies that no PHI is accessed merely because a tracking technology connects the IP address of a user’s device with a visit to a webpage addressing specific health conditions, so long as the visit is not related to the individual’s past, present, or future health, healthcare, or payment for healthcare. For instance, when a user visits a hospital’s website to find visiting hours, employment opportunities, or similar general information, no access to PHI occurs. Likewise, no PHI is accessed when an individual lands on a HIPAA-regulated entity’s webpage by mistake, or when a student visits it to conduct academic research.

OCR has not given an official reason for the modification, but it comes in the midst of an ongoing lawsuit brought by the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, alleging that OCR exceeded its statutory authority in the original guidance by interpreting the definition of individually identifiable health information too broadly as applied to individuals’ visits to unauthenticated webpages.

Apart from the March 18, 2024 change, the original guidance remains substantially the same. Under it, OCR considers tracking technologies to have access to PHI where they can obtain information about an individual who is seeking medical services (e.g., looking for treatment options for a health condition, scheduling an appointment, or using a symptom tracker tool). HIPAA-regulated entities therefore still need a business associate agreement with any third-party tracking technology vendor that receives such information, or a HIPAA-compliant authorization from the individual before the information is shared.

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
