HHS Updates Guidance on Online Tracking Technologies: Controversy Continues | JD Supra

The US Department of Health and Human Services’ Office for Civil Rights (OCR) recently updated its controversial year-old guidance document on the use of online tracking technologies by health care providers and other HIPAA regulated entities. Our analysis of the original guidance document can be found here.

The updated guidance comes in the wake of a lawsuit filed by the American Hospital Association (AHA) against HHS-OCR challenging the agency’s position that the use of standard third-party web technologies that capture IP addresses on the web pages of health care organizations violates HIPAA. The AHA’s filing described the original HHS-OCR rule on tracking technologies as “an overreach by the federal bureaucracy, imposed without any input from health care providers or the general public.”

HHS-OCR states that the purpose of the updated guidance is to “remind regulated entities and the public that the use of online tracking technologies is subject to the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (HIPAA Rules).” Despite industry demand and pushback, the substantive updates to the guidance document are relatively minor, and HHS-OCR continues to take a broad view of what constitutes protected health information (PHI) in the online setting.

What hasn’t changed

The core message of the HHS-OCR guidance remains the same:

Regulated entities may not use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology providers or any other violation of HIPAA rules.

Significantly, HHS-OCR has not changed its broad interpretation of what might constitute PHI when disclosed to a tracking technology provider. HHS-OCR identifies the following types of information as examples of PHI that could be collected through tracking technologies: medical record number, home or email address, dates of appointments, IP address, geographic location, or device identifier.

HHS-OCR continues to take the position that HIPAA can be triggered if a health care provider collects an individual’s IP address (or other individually identifiable information) on its public website, even if the individual is not an existing patient of the health care provider. The updated guidance attempts to qualify this position by clarifying that “the mere fact that an online tracking technology connects the IP address of a user’s device … with a visit to a web page that addresses specific health conditions or lists health care providers” is not sufficient to constitute PHI “if the visit to the website is unrelated to an individual’s past, present or future health, health care, or payment for health care”.

From a practical standpoint, this places the burden on health care providers to determine a person’s reason for visiting their website and whether the visit is related to past, present or future health care: in effect, to read the mind of the person visiting the website. In many cases, this will be practically impossible.

New guidance on public websites

The updated guidance includes new examples of when visits to public (non-authenticated) websites that use tracking technologies result in the disclosure of PHI to a tracking technology provider:

  • If an individual only visits a hospital website page that includes job postings or visiting hours, the use of tracking technologies to collect and transmit the individual’s IP address (or other identifying information) would not trigger HIPAA, because this information is not related to the individual’s health, health care, or payment for health care.
  • A student is writing an article about the availability of oncology services before and after the COVID-19 public health emergency and visits a hospital’s website page describing its oncology services for research purposes. In this case, the use of tracking technologies to collect and transmit the student’s IP address (or other identifying information) would not trigger HIPAA, because the student’s visit to the website was not related to the student’s own health, health care, or payment for health care.
  • If an individual visits a hospital’s website page describing its oncology services to seek a second opinion about treatment options for their brain tumor, the use of tracking technologies to collect and transmit the individual’s IP address (or other identifying information) triggers HIPAA, because this information relates to the individual’s own health or future health care.

The challenge with these examples is that they require the health care provider to know a person’s reason for visiting a website. How is a healthcare provider supposed to know if someone visiting their oncology website is a student doing research or a potential patient looking for a new provider?

Imagine a pop-up that asks, “Is your visit to this website related to your past, present, or future health, health care, or payment for health care?” Is it safer to opt out of tracking technology entirely? Are there other viable solutions? The new guidance does little to address these questions.

New guidance on BAA requirements

If health care providers disclose PHI to tracking technology vendors, those vendors likely meet the definition of a “business associate,” and therefore a Business Associate Agreement (BAA) is required. The new guidance offers an option that could help health care providers whose tracking technology vendor will not sign a BAA. Without a BAA, the health care provider cannot disclose PHI to the vendor. The health care provider could strip the PHI itself and send only non-PHI to the vendor, or it could engage another vendor to remove the PHI on its behalf. In the latter case, a BAA with the vendor performing the PHI removal would be required, but no BAA would be required with the tracking vendor that receives only non-PHI.

Tips and takeaways

The updated guidance document does not significantly change HHS-OCR’s previous position on tracking technologies. Here are some compliance tips for health care organizations in light of the current guidance:

  1. Identify the web tracking technologies used across all of your organization’s websites and applications. This includes tracking technologies used directly by your organization or through a third party.
  2. Ensure that the use of online tracking technologies is consistent with HIPAA, including tracking technologies used on public (unauthenticated) web pages.
  3. Put BAAs in place with tracking technology vendors as needed.
  4. Review and analyze your organization’s use of tracking technologies as part of your routine security risk assessment, and implement risk management measures as necessary to protect the privacy and security of ePHI transmitted through tracking technologies.
  5. Stay tuned for updates on HHS-OCR guidance and legal developments in this area.
