HIPAA Update: OCR Updates Bulletin on Website Tracking Tools

On March 18, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) revised its December 1, 2022 Bulletin on website tracking tools. [The December 2022 version is available here, and we can provide a redlined version upon request.]

Did OCR significantly alter their previous guidance?

No. According to the updated Bulletin, generally speaking, covered entities should avoid using online tracking tools: in a patient portal, on a login page for a patient portal, on any webpages where patients can schedule appointments, in any health care tools (e.g., a symptom-checker tool), and on any webpages where patients can search for doctors/specialties and other health-related information. Unfortunately, whether the sharing of identifiable website activity with a third-party vendor constitutes a Health Insurance Portability and Accountability Act of 1996 (HIPAA) disclosure depends on the website visitor’s intent, which is something the health care provider cannot know. The Bulletin uses one example of a student who visits the website to perform research. The intent there is not to obtain or provide information related to the individual’s own health, so HIPAA would not apply to the sharing of that individual’s website activity with a third party. In contrast, HIPAA would apply to the sharing of identifiable website activity of an individual seeking health care. But the health care provider (website owner) does not know the visitor’s intent and so it cannot tailor the technology for each type of visit.   

Did OCR change its position on mobile apps?

Yes. OCR retreated from its previous position that the data collected by regulated entities’ mobile apps are always protected health information (PHI)—such data is now just “generally” PHI.

Is there any good news for health care providers who use tracking technology in their websites and mobile applications?

Yes. OCR clarified that an IP address tied to visiting a specific page or taking a specific action is not, alone, PHI. There must be a connection to an individual’s health, health care, or payment for such care. This position walks back OCR’s previously more stringent position that a mere visit to a webpage is indicative of care, and thus presumptively should be considered a visit for the purpose of obtaining/providing information about the individual’s health, health care, or payment for such care.

Does a health care provider need to revisit its HIPAA breach assessment?

The updated Bulletin does not change the analysis in a way that would increase the likelihood of treating the use of tracking tools as a data breach. 

What if my analytics provider will not agree to a business associate agreement (BAA)?

The Bulletin suggests engaging a vendor—such as a Customer Data Platform (CDP) company—via a BAA to de-identify website data before passing it along to tracking tool vendors who refuse to enter into BAAs. CDP vendors can combine data from multiple sources regarding customer interactions with a company's online presence to support their analytics in a HIPAA-compliant manner.

How does the revised Bulletin impact class action lawsuits against health care providers based on their use of online tracking tools?

The Bulletin provides significant ammunition to health care providers defending class action lawsuits because it demonstrates why class certification is not appropriate. The number of fact-specific inquiries a court must make with respect to each webpage and each visitor will provide strong grounds to challenge commonality/predominance, typicality, ascertainability, and adequacy. Some of the individual inquiries highlighted by the Bulletin include:

  • which pages were using a tracking tool;
  • what information is shared with third-party vendors as a result of the tool (is it just an IP address and limited URL information, or are unique identifiers and health-related information included?);
  • what was the visitor’s behavior on the page (did they provide health-related information?); and
  • what was the website visitor’s intent when visiting the site (were they a student, researcher, patient, or visiting a loved one?).

Did the Bulletin clarify OCR’s enforcement priorities?

Yes. OCR said it will prioritize security rule compliance when addressing online tracking technologies (e.g., addressing the risks and implementing necessary safeguards).

How much deference should be given to the updated guidance?

OCR did not say it is starting formal rulemaking on the topic. So, for now, the guidance is not entitled to deference and is only instructive to the extent it is persuasive. Kurowksi v. Rush, No. 22 C 5380, 2023 WL 4707184 at *3-*4 (N.D. Ill. July 24, 2023); see also Christensen v. Harris Cnty., 529 U.S. 576, 587 (2000) (explaining interpretations contained in agency statements/guidelines lack the force of law and “are entitled to respect . . . only to the extent that those interpretations have the power to persuade” (internal quotations omitted)).