On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technology by covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates (together, "regulated entities"). While the updated guidance from OCR seems intended to clarify, and even narrow, the circumstances under which regulated entities’ use of websites and mobile app tracking technologies constitutes a disclosure of Protected Health Information (PHI), it fails to provide clarity on the exact scope, rendering compliance challenging. We summarize the updates to the guidance below and analyze briefly how these updates may impact the use of tracking technologies on unauthenticated and authenticated webpages, and what companies may explore in terms of compliance.
HIPAA Rule Application to Regulated Entities’ Use of Tracking Technologies
In its original guidance, OCR took the position that a regulated entity discloses Individually Identifiable Health Information (IIHI), which is a necessary pre-condition for information to meet the definition of protected health information (PHI), through third-party tracking technologies placed on a regulated entity’s website or mobile app. OCR takes the position that IIHI collected on a regulated entity’s website or mobile application "generally is PHI" even if the individual does not have an existing relationship with the regulated entity and even if the IIHI (such as, in some circumstances, an IP address or geographic location) does not include specific treatment or billing information like dates and types of healthcare services. However, the recent update narrows the definition of IIHI in the context of disclosures via tracking technologies: OCR now states that sharing the mere fact that a consumer visited a regulated entity’s website (e.g., connecting an IP address with a visit to a webpage addressing specific health conditions) does not constitute IIHI if the visit is not related to the individual’s past, present, or future health, healthcare, or payment for healthcare.
Tracking on Unauthenticated Webpages
However, OCR’s updated guidance fails to explicitly clarify how regulated entities may determine the intent behind an individual’s webpage visit. Overall, the new examples suggest that access to PHI, for health-related webpages, does not solely rely on the nature of the unauthenticated webpage but rather hinges on the visitor's activities on the page, i.e., activities on the webpage indicating the visit relates to the individual's health, healthcare, or payment for healthcare. The new OCR guidance elaborates on three webpage types:
Despite the ambiguity in how a regulated entity might identify a visitor's intention, the phrase "to the extent that information is...related to the individual's health or future health care" seems to indicate that the visit's connection to healthcare turns on whether the individual performed certain activities (e.g., clicking the "contact us" form on the webpage), especially when read together with OCR’s guidance on webpages for scheduling appointments or symptom-checker tools. However, OCR does not clarify whether, in the absence of additional forms or interactive elements on a webpage that would allow the regulated entity to identify a visitor's intent, the sharing of a visitor's information through tracking technology would be considered a disclosure of PHI.
Tracking on Authenticated Webpages
The scope of PHI on authenticated webpages (i.e., pages that require a user to log in to access them) remains the same: tracking technologies on user-authenticated webpages generally constitute access to PHI, and regulated entities must ensure that such disclosures are permitted under HIPAA's Privacy Rule and enter into business associate agreements (BAAs) with tracking technology vendors if those vendors create, receive, maintain, or transmit PHI on behalf of the regulated entity for a covered function or provide certain services to or for a covered entity that involve the disclosure of PHI (e.g., an individual making an appointment through a regulated entity's website, which then transmits that information and the IP address to a tracking technology vendor).
What Do the Updates Mean for Compliance?
Regulated entities that use tracking technologies may also consider assessing their compliance with the Security Rule, as OCR in the updated guidance signaled that compliance with the Security Rule may be a mitigating factor in investigations into the use of online tracking technologies.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning privacy compliance, please contact Haley Bavasi, Tracy Shapiro, Yeji Kim, or any member of the firm's privacy and cybersecurity practice.