The American Hospital Association urges Office for Civil Rights to amend online tracking guidance

The American Hospital Association (AHA) wrote a letter urging the Office for Civil Rights (OCR) to reconsider its guidance on website tracking amid an increase in lawsuits against hospitals. 

What happened

In recent months, lawsuits have been filed against hospitals or other medical organizations for their use of pixels.

These pixels, embedded into websites, can send data to Google and other third parties that typically use them for advertising purposes.

In 2022, the OCR released a guidance discussing the potential risks, fines, and penalties organizations using pixels may face. After the release, it was found that many hospitals and healthcare platforms were engaging in the use of pixels, either inadvertently or advertently, resulting in several lawsuits against various healthcare organizations.

Read more:

• 98.6% of hospitals use tracking that puts patient privacy at risk
• Report shows increasing ransomware and lawsuits for pixel use

The AHA has now written a letter urging the OCR to reconsider its tracking guidance. The letter argues that treating an IP address as protected health information will restrict public access to credible health information, harming both patients and hospitals. 

Why it matters

The letter highlights OCR’s continued need to evaluate HIPAA in relation to technological advances. The AHA argues that with increased privacy protections in the proposed Privacy Rule to Support Reproductive Health Care Privacy, regulations for pixels are unnecessary.

As it stands, the AHA argues that treating all IP information related to health as protected health information is too broad, making it difficult for healthcare platforms to share accurate information. The AHA further argues that healthcare platforms rely on third-party systems that use pixels, and getting rid of these systems would ultimately harm patients.

What was said

The AHA’s letter, signed by General Counsel and Secretary Melinda Reid Hatton, stated that the AHA has “serious concerns” about OCR’s policy and that “by treating a mere IP address as protected health information under HIPAA, the Online Tracking Guidance will reduce public access to credible health information.” 

The letter calls for the guidance to be “suspended or amended immediately.” The letter also stated the current guidance “puts hospitals and health systems at risk of serious consequences–including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals–for a problem that ultimately is not of their own making.”

Going deeper

The AHA is asking the OCR to take the following steps:

1. To reconsider if the Online Tracking Guidance is necessary, and if it isn’t, it should be suspended immediately. 
2. If the OCR decides the guidance is necessary, it should be amended to no longer include IP addresses, or only include IP addresses provided through nonpublic web pages (such as those that are password-protected). 
3. If the OCR does not want to amend its guidance, it should seek public comment.
4. The OCR should consider allowing the Federal Trade Commission to release guidance for third-party vendors, rather than placing the onus of its use on healthcare companies. 

The bottom line

Healthcare companies should be diligent in following the OCR’s guidance as closely as possible while remaining aware that the guidance could change if the OCR decides to implement AHA’s suggestions. 

Related: HIPAA Complaint Email: The Definitive Guide