OCR updates guidance on tracking technology: Key takeaways

On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued revised guidance (Revised Bulletin) on the use of online tracking technologies, such as pixels, cookies, and other trackers, by HIPAA-regulated entities. 

Styled as an effort "to increase clarity” concerning the online tracking technology policies that OCR released for the first time in its December 2022 bulletin, OCR’s Revised Bulletin introduced further uncertainty concerning guidance that is already the subject of controversy and litigation.  OCR’s revisions come in the wake of a legal challenge to the December 2022 bulletin filed in November 2023 by the American Hospital Association (AHA) and other plaintiffs,[1] as well as follows general stakeholder concerns regarding the scope of OCR’s policies on this issue. 

Background

The changes incorporated into the Revised Bulletin focus on the collection and disclosure of individually identifiable health information (IIHI) through a HIPAA-regulated entity’s unauthenticated, public-facing webpages.  OCR’s guidance regarding collection of IIHI through authenticated pages and on mobile applications remains largely unchanged.

In the December 2022 bulletin, OCR took the position that IIHI could be collected through unauthenticated webpages even if (1) the individual does not have an existing relationship with the regulated entity and (2) the information collected does not include specific treatment or billing information.  At that time, OCR's policy was that a regulated entity’s collection of an IP address or geographic location data alone, without any additional information, would be sufficient to qualify as IIHI.  OCR asserted that the mere connection of an individual to the regulated entity through public-facing webpages would be a sufficient indication that the individual has received or will receive health services or benefits from the regulated entity, and thus relates to the individual’s past, present, or future health, healthcare, or payment for healthcare (collectively, “health”).  

Under the Revised Bulletin, however, the mere connection of identifying information (eg, IP address or user device identifier) with an unauthenticated webpage visit will not be viewed as a sufficient combination to qualify the data as IIHI unless the individual’s visit to the webpage relates to the individual’s health.  Notably, OCR maintains that a regulated entity need not have an existing relationship with the website visitor and that none of the information collected needs to include specific treatment or billing information. 

To help stakeholders understand which webpage visits could result in the collection of IIHI and transmission of PHI to tracking technology vendors, OCR explains that each of the following interactions with a regulated entity’s website would relate to the individual user’s health:

• Reading a listing of oncology services to seek a second opinion or learn about treatment options for the individual’s brain tumor diagnosis

• Identifying or selecting the reasons for seeking healthcare
  
  
• Making an appointment with a healthcare provider
  
  
• Using online tools or symptom checkers to obtain a health analysis

In these examples, each person’s unique purpose for accessing a website provides the basis for determining whether the visit is related to the person’s health.  If such basis is indeed connected to a person’s health, then connecting that individual’s identifying information with the webpages visited or actions taken will be viewed as IIHI.  

In contrast, if the individual’s visit to the website does not connect to an individual’s health, then OCR will not view their identifying information as IIHI.  For instance, OCR stated that the following visits to a HIPAA-regulated entity’s unauthenticated webpages would not relate to an individual’s health: 

• Researching the availability of oncology services before and after COVID-19 by a student for purposes of writing a term paper
  
  
• Looking up visiting hours
  
  
• Visiting webpages with general information regarding the regulated entity’s locations
  
  
• Searching for job postings with the regulated entity

On the basis of these examples, OCR revised its prior guidance to indicate that tracking technologies on “many” unauthenticated webpages would not have access to PHI.  When data is not IIHI, then neither the collection of the data by the regulated entity, nor the sharing of the data with an online tracking technology vendor, is PHI subject to HIPAA, even if the data could be used to identify the individual. 

Takeaways

Although the Revised Bulletin indicates that data collected from interactions with unauthenticated webpages will qualify as IIHI if the visit to those pages relates to the individual’s health, OCR did not provide any framework for how regulated entities, as well as OCR, would be able to identify that relationship.  

The examples OCR provided suggest that the determination may depend on whether the regulated entity knows or could discern the individual’s reason for visiting the site. However, this raises numerous questions.  For instance, will OCR expect actual knowledge of a website visitor’s intent?  Will it apply some lesser standard of knowledge?  Or, more realistically, will the mere connection of identifying information with certain webpages or features will be sufficient indicia of relatedness to the visitor’s health to qualify as IIHI? 

Notwithstanding the lack of clarity or practical application of its policies in this regard, OCR is prioritizing HIPAA Security Rule compliance in investigations into the use of online tracking technologies.  From an investigatory standpoint, OCR will largely focus on whether regulated entities have included the use of online tracking technologies in their identification, assessment, and mitigation of risks to ePHI (eg, in security risk analyses, in risk management plans, in evaluations, and by entering into appropriate business associate agreements).

OCR further instructed in the Revised Bulletin that its investigations are “fact specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies.”  This indicates that OCR may be looking for information from forensic analyses of configurations and deployment of tracking technologies and evidence of the “what, when, where, why, and how” of data collection and transmission through the use of such technologies. 

Accordingly, the distinctions OCR has drawn in its Revised Bulletin may be difficult to parse.  While regulated entities could attempt to make good-faith assessments regarding the collection of IIHI on their websites, OCR’s policies on this general topic, and the inclusion of unauthenticated webpages in particular, represents an enforcement focus in a new substantive area for OCR.  Given the lack of clarity and subjective nature of OCR’s guidance, regulated entities may feel as though they are left with a binary choice: use tracking technologies and treat the entirety of the website as subject to HIPAA or do not use tracking technologies at all.  

Should regulated entities choose the first approach, OCR’s policy indicates that the tracking technology vendor must sign a business associate agreement if IIHI will (or may) be collected.  If an online tracking technology vendor does not sign business associate agreements, OCR suggests that HIPAA-regulated entities sign a business associate agreement with a “Customer Data Platform,” which would de-identify the online tracking information and disclose only de-identified information to the tracking technology vendor. OCR states, in part, that a Customer Data Platform is software that can combine data from multiple sources regarding customer interactions with a company’s online presence to support a company’s analytic and customer experience analysis. Essentially, the Customer Data Platform acts as an intermediary vendor to de-identify PHI in accordance with HIPAA before sending the resulting de-identified data to the online tracking technology vendor.  However, regulated entities should consider evaluating the compatibility of any Customer Data Platform software with any third-party online tracking technologies that may be used and the business impacts to such use cases. 

Outstanding questions

There remain important questions regarding whether the online tracking technology policies OCR has articulated in its guidance will withstand the legal challenge brought by the AHA and other plaintiffs.  OCR’s extension of HIPAA protections to information collected from individuals visiting unauthenticated, public-facing webpages is novel, and, given the myriad of reasons individuals visit informational pages on regulated entities’ websites, the application of HIPAA in this regard may remain unclear.  Following the release of the Revised Bulletin, the AHA issued a statement indicating that the changes reflected in the Revised Bulletin are tantamount to OCR “conced[ing] that the original Bulletin was flawed as a matter of law and policy” and further that OCR’s revisions are “cosmetic changes to evade judicial review.”

Next steps for regulated entities

Regulated entities should consider assessing their obligations under HIPAA and the Revised Bulletin. In particular, regulated entities may consider ensuring that website operations are included as potential ePHI environments with respect to Security Rule compliance, evaluating the use of any online technologies deployed across all areas of their websites and any mobile applications, and determining whether business associate arrangements are in place or may be required for existing or future use of such technologies. These actions may, at a minimum, require coordination between leadership and workforce responsible for information security, privacy, marketing, compliance, and legal.

We recommend that regulated entities also consider updating their HIPAA Privacy and Security policies and procedures, as necessary, to address the use of third-party online technologies deployed on websites and mobile applications, and ensure that they conduct a technical evaluation concerning any implementation or reconfiguration of online tracking technologies in accordance with 45 CFR § 164.308(a)(8). 

DLA Piper continues to monitor developments surrounding the use of online tracking technologies, regulator enforcement in the space, and AHA’s lawsuit against OCR.  Please contact the authors for more information.

[1] AHA is joined by Texas Hospital Association, Texas Health Resources, and United Regional Health Care System.  Also, seventeen state hospital associations and 30 hospitals and health systems filed amicus briefs supporting AHA in the lawsuit.