In December 2022, the Department of Health and Human Services’ Office for Civil Rights (OCR) released “guidance” on the use of tracking technologies, which took an overboard approach to the use of basic website analytics tools (2022 Guidance). Courts criticized OCR’s 2022 Guidance, and last fall, the American Hospital Association sued OCR, alleging agency overreach.
On March 18, 2024, OCR released revised guidance that attempts to address concerns about overbreadth (Revised Guidance). While the Revised Guidance tempers some of the overreach in the 2022 Guidance, it retains the notion that a potential future patient’s visit to a covered entity’s site could generate individually identifiable health information.
Background
For the background on the events that prompted the 2022 Guidance, an explanation of tracking technologies and an analysis of the 2022 Guidance, refer to “The Pixel Problem: Tracking Technologies and OCR’s Guidance.”
Changes Related to Unauthenticated Webpages
The bulk of the substantive revisions are in the section of the guidance related to unauthenticated webpages — publicly accessible webpages that do not require a visitor to log in. ORC clarified that visits to such pages do not necessarily disclose Protected Health Information (PHI) to tracking technology vendors unless the vendor has “access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.”
Examples Related to Website Visitors
The Revised Guidance offers an example about visiting a hospital’s webpage for job postings or visiting hours, explaining that identifying information (e.g., IP address or geographic location) collected from those visits is not PHI. In another example, information about a student’s visit to a hospital website to collect information for a research paper similarly is not PHI.
However, in a third example, OCR concludes that identifying information collected from an individual’s visit to a hospital webpage seeking information about obtaining a second opinion for cancer treatment constitutes PHI. This is disappointing.
First, there continues to be no basis for concluding that information about an individual with whom the covered entity has no relationship could be PHI. Second, the difference in the examples rests entirely on the intent of the visitor. Since a covered entity cannot discern the purpose for a visit to the site, it would be compelled to treat all visitors as those seeking future care.
Example Regarding Appointment Scheduling or Use of a Symptom-Checker Tool
OCR clarifies that scheduling an appointment or using a symptom-checker tool on an unauthenticated webpage may result in the collection and disclosure of PHI. In its example, “tracking technologies might collect an individual’s email address, or reason for seeking health care typed or selected by an individual, when the individual visits a regulated entity’s webpage and makes an appointment with a health care provider or enters symptoms in an online tool to obtain a health analysis.” If such information is shared with a tracking technologies vendor, HIPAA rules would apply (e.g., business associate agreement and marketing prohibitions).
This represents a notable softening of the language in the 2022 Guidance regarding webpages that address specific symptoms or health conditions.
So, What Now (Revised)?
Regulated entities should assess their sites to determine the types of third-party tracking technologies used and how they function.[i] OCR added an “Enforcement Priority” section to the Revised Guidance making clear that tracking technologies enforcement is a priority.
Given OCR’s focus on this issue, it may be best to disable any social media tracking technologies existing on any page that falls within the examples discussed above. Also, assess the business need for tracking technologies and eliminate third-party tracking technologies that do not serve an essential function.
Next, ensure that the patient portal or its log-in pages contain no third-party tracking technologies. Similarly, ensure that appointment scheduling pages or any pages on which the user provides identifying information do not use tracking technologies.
For those pages where third party tracking technologies remain, assess the following:
- What data is shared with the tracking technology vendor, and is sharing such data necessary?
- Is such sharing permitted under HIPAA for treatment, payment or healthcare operations? Sharing for marketing purposes or the third party’s own use is not permitted and requires a patient’s written authorization.
- If HIPAA permits the disclosure to a third-party vendor as a business associate for treatment, healthcare operations or payment, is there a business associate agreement in place with the vendor?
Where third-party tracking technologies remain in use, ensure that the privacy notice on the website discloses the use of such trackers. Further, regulated entities must include the use of tracking technologies in their risk analysis, which the HIPAA Security Rule requires.
[i] The Markup, one of the media outlets that broke the pixel story, offers a free tool to assess the use of trackers on a website. It is a good starting point.