The Office for Civil Rights updated guidance on the use of online tracking technologies by HIPAA-covered entities, emphasizing compliance with privacy rules.
On March 18, 2024, the Department of Health and Human Services' Office for Civil Rights (OCR) updated its guidance for entities covered by HIPAA regarding online tracking technologies. This update came in response to criticism and legal challenges, including a lawsuit filed by the American Hospital Association (AHA) and other healthcare organizations in November of the previous year.
The AHA, expressing dissatisfaction with the updates, argued that the modifications to the OCR's Bulletin still contained the same legal and policy flaws as the original guidance. According to Chad Golder, AHA general counsel and secretary, these flaws unjustly limit hospitals' use of the online technologies they need to communicate effectively with patients.
AHA general counsel and secretary Chad Golder stated: “The fact that the HHS Office for Civil Rights has modified its Bulletin in response to our lawsuit concedes that the original Bulletin was flawed as a matter of law and policy. Unfortunately, the modified Bulletin suffers from the same basic substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review. The modified rule will continue to chill hospitals’ use of commonplace technologies that allow them to effectively reach patients in need. As the AHA has previously noted, these technologies are so essential that federal agencies themselves still use them on their own webpages, including HHS’s own Medicare.gov, as well as Health.mil, and various Veterans Health Administration sites. We look forward to resolving this issue once and for all in court, so that the federal government can no longer tie hospitals’ hands as trusted messengers of reliable health care information.”
The release of the OCR guidance on the use of online tracking technologies matters because it directly impacts how HIPAA-covered entities, including hospitals and health systems, manage and protect patient information in the digital age. The guidance aims to ensure that tracking technologies, such as cookies, pixels, and mobile app trackers, do not lead to unauthorized disclosures of PHI, which could harm patient privacy and confidentiality.
The AHA's perspective on this issue has been consistently critical of the OCR's guidance. The AHA views the guidance as overly restrictive and potentially harmful to the ability of hospitals and health systems to communicate effectively with patients and the public. According to the AHA, the guidance could limit hospitals' use of common online tools and technologies that facilitate patient engagement, outreach, and education. These tools include analytics software, video technologies, and digital maps, which, according to the AHA, play a role in improving patient well-being and ensuring the accessibility of health information.
The AHA's stance further intensified following the OCR's updated guidance issued on March 18, 2024. In response to the updated guidance, the AHA, along with other organizations, filed a lawsuit against HHS, arguing that the guidance on online tracking technologies is "unlawful, harmful, and counterproductive." The lawsuit emphasizes that the guidance impedes hospitals from using commonplace technologies necessary for reaching patients and contradicts the practices of federal health agencies, which continue to use third-party tracking technologies on their websites.
The guidance affects HIPAA-covered entities, such as healthcare providers, health plans, healthcare clearinghouses, and business associates that provide certain services involving the use and disclosure of PHI.
Online tracking technologies include cookies, web beacons, tracking pixels, and mobile app trackers used to collect and analyze how users interact with websites and applications, potentially including the collection of PHI.
PHI can only be shared with tracking technology vendors under circumstances that are expressly permitted or required by the HIPAA Privacy Rule, and such vendors may qualify as business associates requiring a BAA.