Guidance Changes on the Use of Online Tracking Technologies by HIPAA Covered Entities

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released updated guidance for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) on the use of online tracking technologies. The updated guidance is designed to give HIPAA-regulated entities a clearer understanding of how HIPAA applies when these technologies are used. OCR has altered its position on the applicability of HIPAA to these technologies, particularly concerning IP addresses, which OCR now states are not always considered PHI.

OCR first published the guidance in December 2022 after learning that most U.S. hospitals had deployed these technologies on their websites. The tracking code transfers user information to third parties such as Google and Meta (Facebook). A range of user data about interactions with web pages and apps is gathered and transmitted, and some of that data can include protected health information (PHI).

The initial guidance stated that HIPAA-regulated entities cannot use these technologies unless a business associate agreement (BAA) is in place with the provider of the technologies and the disclosures of PHI are permitted by the HIPAA Privacy Rule. Alternatively, authorization must be obtained from individuals before their data is disclosed to third parties. OCR had previously said it was prioritizing enforcement against non-compliant use of online tracking technologies. In July 2023, OCR and the Federal Trade Commission (FTC) issued warning letters to approximately 130 hospitals and telehealth providers about the risks of using these technologies and the possibility of impermissible disclosures of PHI.

OCR Sued for its Tracking Technology Guidance

Because the providers of these technologies usually do not sign BAAs with HIPAA-covered entities, and obtaining authorization from individuals is expensive and difficult, HIPAA-regulated entities typically cannot use these technologies without likely violating the HIPAA Rules. The American Hospital Association (AHA) urged OCR to reconsider its guidance. When OCR failed to do so, AHA filed a lawsuit challenging the lawfulness of the guidance. The AHA argues that these technologies are crucial to the functionality of websites and that forbidding their use inevitably harms healthcare organizations and patients. Also, although HIPAA-covered entities were not permitted to use these technologies, the code continued to be used on many government sites, including Tricare.mil, Medicare.gov, Health.mil, and several Veterans Health Administration sites.

Online Tracking Technology Guidance Explains the Position of OCR

OCR’s updated guidance gives an overview of how the HIPAA Rules apply to tracking technologies and includes examples of when the code can and cannot be used, recommendations for complying with HIPAA, and OCR’s enforcement priorities concerning online tracking technologies. In the revised guidance, OCR emphasized that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or in any other violation of the HIPAA Rules. Protected health information is information about an individual’s past, present, or future health, health care, or payment for health care that includes identifiers linking the data to the individual or allowing the individual to be identified.

When any such information is collected on a web page, the technologies may not be used unless a BAA is in place with the vendor providing the code and the HIPAA Privacy Rule permits the disclosures, or a valid authorization is obtained from individuals. Authorization cannot be obtained by including details of these disclosures in the Notice of Privacy Practices, by displaying a pop-up or banner stating that use of the site may disclose health data to a third party, or by asking a visitor to accept or reject cookies. A valid HIPAA authorization is required.

OCR advises that when a vendor will not sign a BAA covering the use of the code, the entity should find another vendor that will. Alternatively, a customer data platform vendor can be used that de-identifies the PHI before sending the data to a third party. PHI may not be transmitted to a vendor without a BAA even if the vendor states that it will strip identifying information after the disclosure. The collection of PHI is more likely on user-authenticated pages such as patient portals; nevertheless, PHI can also be disclosed on unauthenticated pages. For instance, on an appointment booking page that collects no health details, if the user enters their email address and that data is sent to a third party, that is considered an impermissible disclosure of PHI.

For certain web pages, the nature of the visit determines whether HIPAA applies. In particular, the guidance clarifies how IP addresses are treated. An IP address can identify a person, and under the initial guidance it was treated as PHI regardless of the nature of the web page visit. OCR now states that the nature of the visit matters, a change that was undoubtedly prompted by the AHA lawsuit, and that IP addresses are PHI only in particular situations.

For instance, if a student looking for information on oncology services, to research the availability of those services before and after the pandemic, has their IP address and other personally identifiable information (PII) collected and transmitted to a third party without a BAA, that is not a HIPAA violation, because no PHI is involved and HIPAA does not apply. If a patient visits the same pages to obtain a second opinion on their diagnosis or cancer treatment, the transmission of the same information without a BAA is a HIPAA violation, because that data is categorized as PHI. This is not a major change of position for OCR; it is a clarification of what OCR intended when the guidance was introduced. OCR appears to be explaining that the guidance does not overstretch the meaning of PHI, as the AHA lawsuit claims and as has been questioned in other lawsuits. It simply means that online tracking technologies can collect PHI, so HIPAA-covered entities must make sure they implement safeguards to prevent impermissible disclosures.

OCR also set out its enforcement priorities concerning online tracking technologies, stating that it is prioritizing HIPAA Security Rule compliance when investigating the use of these technologies. OCR’s main interest is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to protect the confidentiality, integrity, and availability of ePHI.

The challenge for hospitals is that little changes with this clarification. Determining the nature of a visit, and whether the activity on a website involves PHI, will be close to impossible. Consequently, hospitals still should not use these technologies, and the problems raised by AHA must still be resolved through litigation.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA