Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

April 12, 2024

On March 18, the US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance regarding the use of online tracking technologies. The American Hospital Association and others filed a complaint against OCR, seeking a declaratory judgment that the OCR’s original guidance exceeded its authority. However, rather than resolving ambiguities, the updated guidance creates further uncertainty for HIPAA-covered entities and business associates that use online tracking technologies.

OCR has recognized that entities use tracking technologies to “collect and analyze information” about how people interact with their websites or mobile apps. Sometimes, however, those tracking technologies may, intentionally or not, capture protected health information (PHI), thus implicating the Health Insurance Portability and Accountability Act (HIPAA). Specifically, HIPAA-regulated entities “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI.”

Entities using tracking technologies, such as cookies, web beacons, tracking pixels, session replay scripts, or fingerprinting scripts, need to be mindful of whether those technologies capture unique identifiers of web visitors, including a device ID or an advertising ID. Individually identifiable health information (IIHI)—or a combination of identifiers—that enables the creation of individualized customer profiles could result in the unauthorized use or disclosure of PHI.

The updated guidance states “IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”

OCR’s guidance distinguishes between tracking technologies used on authenticated versus unauthenticated pages. A user-authenticated page is one that requires a user to log in before they can access the website; a prime example is a healthcare portal landing page. Given that user-authenticated pages of regulated entities frequently contain PHI, tracking technologies should be used with caution on those pages to ensure PHI is not used or disclosed in contravention of the Privacy Rule.

In a significant expansion of the existing guidance, OCR explained that, while many unauthenticated pages do not have access to an individual’s PHI, in some cases, PHI is accessible through an unauthenticated page and the HIPAA rules will apply. OCR provided the following examples to illustrate whether an unauthenticated webpage could implicate a disclosure of PHI:

  • Visiting a hospital webpage to see visiting hours, which is publicly available. Here, even when a tracking technology gathers the user’s IP address, geolocation, or other identifying information, this would not constitute an unauthorized disclosure of PHI. Health information, as defined by the HIPAA regulations, must relate to an individual’s past, present, or future health, health care, or payment for health care. In this example, the information collected does not reveal any of this information.
  • A student writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency visits a hospital’s webpage listing the hospital’s oncology services. OCR states that tracking the student’s visit to the website would not constitute a disclosure of PHI, even if the information could be used to identify the student.
  • Visiting a hospital webpage for publicly available information regarding oncology services offered to seek a second opinion on treatment options for a brain tumor. The visitor is looking for treatment services related to an existing health condition. OCR states that the collection of identifying information would constitute PHI to the extent the information is both identifiable and related to the individual’s health or future health care.

The latter two examples underscore a new compliance challenge for HIPAA-regulated entities posed by the updated guidance. How may a covered entity or business associate differentiate website visitors like the student writing a term paper from the patient seeking information for a second opinion? The distinction seems to be defined by the website visitor’s subjective intent, which is difficult, if not impossible, for a HIPAA-regulated entity to ascertain.

Where HIPAA does not apply, entities still need to be mindful of other applicable federal and state laws. Washington’s new My Health My Data Act (MHMDA), for instance, exempts PHI subject to HIPAA. However, if HIPAA does not apply, then MHMDA may step in, depending on the industry and context. Health data collected by non-HIPAA-regulated entities, including data collected through online tracking technologies, may be subject to MHMDA.

How We Can Help

Entities using tracking technologies that capture health data should consider carefully reviewing OCR’s updated guidance and, if any questions arise, Morgan Lewis’s healthcare and privacy professionals stand ready to assist you.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

W. Reece Hirsch (San Francisco)
Amy M. Magnano (Seattle)