An IP (Internet Protocol) address is a unique numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. It acts as an identifier that permits data to be sent between devices on a network.
Understanding IP addresses
An IP address (in the common IPv4 format) is a series of numbers separated by periods, typically presented in a set of four, for instance 192.158.1.38. Each number in the set can range from 0 to 255, so the full IP addressing range spans from 0.0.0.0 to 255.255.255.255.
IP addresses are not random. They are mathematically produced and allocated by the Internet Assigned Numbers Authority (IANA), a division of the Internet Corporation for Assigned Names and Numbers (ICANN).
How do IP addresses work?
The Internet Protocol works much like any other language: devices communicate by following set guidelines for passing information. This protocol allows all devices to find, send, and exchange information with other connected devices.
The process of IP address assignment and usage happens behind the scenes. Your device indirectly connects to the Internet by first connecting to a network connected to the Internet, which then grants your device access to the Internet. Your internet service provider (ISP) assigns your IP address to your device. Your internet activity goes through the ISP, and they route it back to you, using your IP address.
Types of IP addresses
There are two main categories of IP addresses: private and public, and within each category, different types.
Private IP addresses
Every device that connects to your network has a private IP address. This includes computers, smartphones, and tablets, but also any Bluetooth-enabled devices like speakers, printers, or smart TVs.
Public IP addresses
A public IP address is the main address associated with your entire network. Your public IP address is provided to your router by your ISP. Typically, ISPs have a large pool of IP addresses that they distribute to their customers.
Public IP addresses come in two forms – dynamic and static.
Dynamic IP addresses change automatically and regularly. ISPs buy a large pool of IP addresses and assign them automatically to their customers. In contrast to dynamic IP addresses, static addresses remain consistent. Once the network assigns an IP address, it remains the same.
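Added example (not part of the original article): a strict parser for the four-number format described earlier, plus a check of whether an address is private or public. The RFC 1918 private ranges and the function names `parse_ipv4` and `classify` are assumptions of this example; it goes slightly beyond the text by also labelling loopback, link-local and other reserved addresses.

```python
import ipaddress

# Private ranges from RFC 1918 (an assumption of this example; the article
# does not list them). These are the addresses used behind a router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4(text):
    """Strictly parse four dot-separated numbers; return IPv4Address or None."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        # ASCII digits only; no empty fields; no leading zeros, because some
        # parsers read "010" as octal and would disagree about the address.
        if not (part.isascii() and part.isdigit()):
            return None
        if len(part) > 1 and part[0] == "0":
            return None
        value = int(part)
        if value > 255:  # each number must be in 0..255
            return None
        octets.append(value)
    return ipaddress.IPv4Address(bytes(octets))


def classify(text):
    """Label an address: invalid, private, loopback, link-local, public, reserved."""
    addr = parse_ipv4(text)
    if addr is None:
        return "invalid"
    if any(addr in net for net in RFC1918):
        return "private"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "public" if addr.is_global else "reserved"


if __name__ == "__main__":
    # Constructed sample inputs; 192.158.1.38 is the article's own example.
    for sample in ("192.158.1.38", "192.168.1.38", "10.0.0.5",
                   "172.32.0.1", "256.1.1.1", "192.168.01.1"):
        print(f"{sample:15} {classify(sample)}")
```

Note that the article's sample address 192.158.1.38 classifies as public; it differs by one digit from the private 192.168.x.x range, which is an easy mistake to make when writing firewall rules or log filters.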
Website IP addresses
There are two types of website IP addresses for website owners who don’t host their own servers. Websites that rely on shared hosting plans from web hosting providers will typically be one of many websites hosted on the same server. Websites hosted in this way will have shared IP addresses. Some web hosting plans have the option to purchase a dedicated IP address.
How to look up IP addresses
The simplest way to check your router’s public IP address is to search “What is my IP address?” on Google. Google will show you the answer at the top of the page.
Other websites will show you the same information: they can see your public IP address because, by visiting the site, your router has made a request and therefore revealed the information.
Finding your private IP address varies by platform:
- In Windows: Use the command prompt. Search for “cmd” using Windows search. In the resulting pop-up box, type “ipconfig” to find the information.
- On a Mac: Go to System Preferences. Select Network, and the information should be visible.
- On an iPhone: Go to Settings. Select Wi-Fi and tap the “i” in a circle next to the network you are on. The IP address should be visible under the DHCP tab.
IP address security threats
Cybercriminals can use various techniques to obtain your IP address. Two of the most common are social engineering and online stalking.
Social engineering
Attackers can use social engineering to deceive you into revealing your IP address.
Online stalking
Criminals can track down your IP address by merely stalking your online activity. Once they have your IP address, attackers can go to an IP address tracking website and then get an idea of your location.
Other risks include:
- Downloading illegal content using your IP address
- Tracking down your location
- Directly attacking your network
- Hacking into your device
Are IP addresses PHI?
Collecting an IP address on a healthcare website makes the IP address protected health information (PHI). According to the guidance issued by the U.S. Department of Health and Human Services (HHS), all such individually identifiable health information (IIHI) collected on a regulated entity's website or mobile app is generally considered PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information.
Given the HHS guidance, healthcare organizations must be cautious in their use of tracking technologies on websites and mobile apps, as IP addresses and other IIHI collected through these platforms may be considered PHI.
In the news
The Biden administration's updated guidance on third-party web trackers has introduced exclusions for certain types of website visits from being classified as PHI disclosures. This change means that visits to unauthenticated webpages, where users do not log in, are not considered PHI disclosures if the trackers do not access information about an individual's health history or healthcare payments. For instance, simply viewing job postings or visiting hours on a hospital's website does not constitute a PHI disclosure according to the new guidance. However, the intent behind a visit, which can be challenging to determine based on an IP address and mouse click alone, remains a fundamental factor.
Legal experts argue that these updates offer limited practical relief for healthcare organizations, as determining the intent behind a website visit based solely on an IP address is nearly impossible. Despite this clarification, the policy remains stringent on preventing PHI disclosures via tracking technologies, maintaining the position that any use of these tools leading to PHI breaches violates HIPAA regulations. The healthcare industry continues to challenge this stance, with ongoing lawsuits and pushback from organizations like the American Hospital Association, indicating the difficulty in ascertaining user intent from IP address data.
FAQs
Does HIPAA apply to the collection and use of IP addresses on healthcare websites?
Yes, HIPAA applies to the collection and use of IP addresses on healthcare websites, especially when the information collected through tracking technologies includes PHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
Do I need consent to collect and track IP addresses for healthcare purposes on my website?
Yes, consent is mandatory for collecting and tracking IP addresses for healthcare purposes on websites. Regulated entities must ensure that the collection and transmission of IP addresses or geographic locations, when related to an individual's health or future health care, are done with the individual's HIPAA-compliant authorization to avoid impermissible disclosures of PHI.
What can I use to make my web trackers HIPAA-compliant when collecting IP addresses?
Regulated entities can use technology such as a Healthcare Privacy Platform or implement a Business Associate Agreement (BAA) with tracking tools to prevent impermissible disclosures of PHI to tracking technology vendors. It's necessary to work with vendors who understand the HIPAA guidance well and can execute a granular tracking strategy to ensure compliance.