This alert updates the alert we issued on January 31, 2023.
On March 18, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an updated bulletin to provide guidance on the use of online tracking technologies under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), which apply to regulated entities—covered entities and their business associates. Intended to provide clarity, the updated bulletin replaces OCR’s original bulletin in the wake of a January 5, 2024, lawsuit filed against the secretary of HHS by the American Hospital Association, which aims to bar HHS from enforcing the rules described in the original bulletin.
Focused on unauthenticated webpages—webpages that are accessible to the public without the requirement to login or input credentials—the updated bulletin explains that the following condition avoids the disclosure of protected health information (PHI): “Visits to unauthenticated webpages do not result in a disclosure of PHI to tracking technology vendor[s] if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.”
According to OCR’s new examples, collecting identifying information (e.g., an IP address) from a user would not involve a disclosure of the individual’s PHI to a tracking technology vendor if the user merely visits a hospital’s unauthenticated webpage to:
- Receive information about the hospital’s job postings or visiting hours, or
- Review the hospital’s oncology service listing for purposes of writing an academic paper about the availability of oncology services before and after the COVID-19 public health emergency
The reason for this outcome, explained by OCR, is that the tracking technologies would not have access to information about the individual’s past, present, or future health, health care, or payment for health care.
In another example provided by OCR, collecting identifying information (e.g., an IP address) from an individual would involve a disclosure of the individual’s PHI to the tracking technology vendor if an individual visits a hospital’s unauthenticated webpage that lists the oncology services provided by the hospital in the event that:
- The individual visited the webpage to seek a second opinion on treatment options for the individual’s brain tumor, and
- The identifying information showing the individual’s visit to the webpage was identifiable and related to the individual’s health or future health care
The changes provided by the updated bulletin set forth a general condition and several specific examples. Nonetheless, regulated entities may continue to grapple with how to interpret and apply the OCR’s condition. Though not entirely clear, the examples seem to indicate OCR’s position is that the purpose of a user’s visit to a website (i.e., whether the purpose relates to the individual’s health or future health care) governs the determination of PHI disclosure. It remains unclear whether a user must interact with the unauthenticated webpage in some fashion to signal the purpose, such as by entering contact information to set up an appointment.
In addition to these updated examples, OCR also indicated its enforcement priority will be compliance with the HIPAA Security Rule in any investigations into the use of online tracking technologies. Therefore, regulated entities are encouraged to conduct a risk assessment of their technology stack and ensure they have business associate agreements (BAAs) in place, where appropriate. OCR’s guidance states that if “chosen tracking technology vendor[s] will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with another vendor, for example a customer data platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.”
Regulated entities should consult with legal counsel for guidance regarding the shifting landscape of technology regulation in the health care industry, including how to interpret OCR’s updated bulletin and whether BAAs are appropriate for use with certain technology vendors.
Barclay Damon provides counseling, contract drafting, and negotiation for matters at the intersection of health care law and information technology. The information provided in OCR’s updated bulletin is noteworthy for the health care industry and should be considered in the context of the particular circumstances of a health care provider or other regulated entity.
If you have any questions regarding the content of this alert, please contact Bridget Steele, counsel, at bsteele@barclaydamon.com; Renato Smith, Data Security & Technology Practice Area co-chair, at rsmith@barclaydamon.com; or another member of the firm’s Health & Human Services Providers Team or Data Security & Technology Practice Area.