OCR’s Update on Tracking Technologies: March 2024

On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 2022 bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” to address some of the confusion stemming from the previous update. Although the update seems to refine the OCR’s definition of HIPAA-protected health information (PHI) regarding online tracking technologies, it primarily reaffirms the guidance issued in the 2022 bulletin. For HIPAA-covered entities and business associates who have already implemented the 2022 bulletin’s recommendations, this most recent update has few new implications. Some of the highlights include:

Authenticated Pages

Regulated entities that use tracking technologies on web pages requiring user authentication, such as patient portals or telehealth platforms, must ensure these technologies comply with HIPAA regulations. Since these pages can collect sensitive information including IP addresses, medical records, appointment details, and even diagnoses or billing information, it’s critical that their use of tracking technologies adheres to the HIPAA Privacy and Security Rules. This includes configuring the web pages to limit tracking technologies to permissible uses and disclosures of PHI and securing the collected electronic PHI (ePHI).

Moreover, vendors of tracking technologies are considered business associates when they handle PHI on behalf of a regulated entity for functions covered by HIPAA or when they provide services that involve disclosing PHI. Thus, regulated entities must ensure any PHI disclosures to these vendors comply with the Privacy Rule and establish a business associate agreement (BAA) with them to ensure PHI protection in line with HIPAA standards.

Unauthenticated Pages

On the topic of unauthenticated pages, an interesting thing to note is that the OCR acknowledges in the 2024 update that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a website addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the web page is not related to an individual’s past, present, or future health, health care, or payment for health care.”

However, this can be a bit misleading, because there is no way to know a user’s full intent regarding their visit. The OCR goes on to illustrate with some examples:

  • A visit by a student who is writing a paper and uses the site for research information would not be considered a disclosure of PHI.
  • A visit by a student who is researching oncology services to seek a second opinion on treatment options for their brain tumor would be considered a disclosure of PHI.

The big challenge with this is that a regulated entity would have no way to discern the user’s intent when visiting a site. Therefore, it is advisable to continue treating user data, such as the IP address, sensitively and with care.

Tracking Technologies

Both bulletins outline that regulated entities may disclose PHI to third parties through tracking technologies, provided that they have properly entered into a business associate agreement with the third party. The bulletin also goes into detail regarding the permissible disclosure of PHI to tracking technologies as a business associate, as long as the proper safeguards are in place and the disclosures made to such vendors are permitted by the Privacy Rule.

For third parties who will not enter a business associate agreement (such as Google or Meta), the OCR suggests entering into a BAA with a customer data platform (CDP) vendor who could function as a middle solution to de-identify PHI before disclosing only de-identified information to the tracking technology vendor.  

Additionally, the 2024 update continues the agency’s prior position that website banners seeking acceptance or non-acceptance of data tracking tools do not constitute a HIPAA authorization.

It is important to note that even full compliance with HIPAA does not necessarily guarantee compliance with overlapping federal and state laws. For example, numerous class action lawsuits have been filed under wiretapping statutes. Therefore, it is important to also be aware of and familiar with any new or forthcoming state data privacy laws that may be applicable. 

Unlock Health’s Take

While the 2024 update provides some examples and reiterates previous guidance, we believe that it is important to continue to treat this data sensitively, as there is no way to discern a user’s intent when visiting a health-related website — and OCR provides no practical guidance as to how a regulated entity could distinguish the motivations of visitors to an unauthenticated webpage. To ensure your organization is aligned with the current bulletin, we recommend the following steps to further your organization’s compliance:  

  • Consult with your in-house or outside legal counsel – Maintain a periodic dialog about these and other updates, such as state data privacy laws, to keep active conversations going.
  • Review and assess your risk surface area – Data-mapping exercises can help you understand what cookies and other tracking technologies are deployed on your website or other digital properties.
  • Understand the 18 HIPAA identifiers – Familiarize yourself and key individuals within your organization with these identifiers. Understand where they may be disclosed to third parties and how a governance plan could help review the sharing of key identifiers in the future.
  • Review business associate agreements – Look at agreements with existing vendors, identify where gaps may be for others, and discuss the removal of tracking technologies or other components for vendors that will not complete a business associate agreement.
  • Explore remediation solutions – Multiple tools exist to help control data sent to external vendors and can be tailored to your organization’s specific needs.
  • Review privacy policies – Ensure any public- or patient-facing privacy policies accurately reflect your organization’s current practices, data collection and tracking technologies.
  • Create a compliance and/or data governance workgroup – Review any future tracking technologies or vendors.

Unlock keeps a close eye on updates from the OCR and state regulators, recognizing their significant influence on the digital marketing landscape. Staying informed about these regulatory changes is crucial for developing effective, compliant digital marketing strategies.

For organizations navigating these complex regulations, Unlock offers expertise in digital marketing and regulatory compliance. Our team, coupled with our technology solutions, is ready to help you adapt to these changes, ensuring your marketing efforts are both effective and in line with privacy laws.

Interested in optimizing your digital marketing within the bounds of current regulations? Reach out to Unlock for guidance and support to enhance your strategies and navigate regulatory challenges with confidence.

The thoughts and opinions expressed in this blog post are for informational purposes only and should not be taken as legal advice. The author of this blog post is not a lawyer and does not provide legal services. If you have any legal questions, you should consult with a licensed attorney in your jurisdiction.

References: 

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html 

https://www.mwe.com/insights/ocr-update-on-tracking-technologies-provides-little-relief-for-hipaa-regulated-entities/