On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) updated its guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Guidance). OCR’s Guidance was first published on December 1, 2022, and is the subject of a lawsuit brought by the American Hospital Association challenging OCR’s authority to issue it.

The Guidance is aimed at third-party online tracking technologies such as cookies, pixels, web beacons and software development kits, which are deployed on the websites of HIPAA-covered entities and business associates (collectively, regulated entities) and which collect information from visitors to those websites related to how the visitors interact with the website. Information collected can include visitors’ IP addresses and other potentially identifiable information. Under the original Guidance, OCR outlined circumstances in which a regulated entity’s use of third-party tracking technologies can result in an impermissible disclosure of protected health information (PHI) to that third-party technology vendor under HIPAA, particularly because many such third parties are unwilling to enter into business associate agreements with regulated entities. In response to the original Guidance, many regulated entities, including hospitals and health systems, significantly modified their use of third-party tracking technologies but also continued to have concerns about the scope of the Guidance and its impact on their businesses (due to the ubiquity of tracking technologies across the internet and web-based applications).

While OCR retained much of the original Guidance, the agency made several meaningful revisions, including the following:

  • OCR specifically mentions beneficial uses of tracking technologies, including the use of these technologies to analyze the number of IP addresses that access portions of a regulated entity’s website. Notably, OCR does not expressly state that the use of tracking technologies in this manner is acceptable under HIPAA.
  • The Guidance allows for the possibility that IP addresses are not always PHI (or Individually Identifiable Health Information (IIHI)) under HIPAA. Specifically, the Guidance states that:

But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care. (Emphasis added).

  • OCR provides several examples in the Guidance of circumstances in which information collected by tracking technologies may or may not be PHI: 
    • Transmission to a tracking technology vendor of a user’s IP address or other identifying information related to the user’s visit to a regulated entity’s job postings or visiting hours webpages would not involve a PHI disclosure, even if there is a reasonable basis to believe the information could identify the user, because such information does not relate to an individual’s health care.
    • If a student visited a regulated entity’s webpage to review its oncology service offerings for a research paper, the collection of identifying information on the student would not be a violation because such information is not related to the student’s health care. On the other hand, if an individual visited the same oncology webpage to seek a second opinion on a cancer diagnosis, any identifying information collected would be PHI because it relates to the individual’s past, present and/or future health.
  • OCR clarifies that a third-party tracking technology’s collection of identifying information, such as an email address, on appointment scheduling pages and symptom-checker tools may constitute an impermissible disclosure of PHI by the regulated entity even if such features are available on unauthenticated webpages (i.e., pages that do not require a user to log in).
  • Notably, in the prior Guidance, OCR stated that tracking technologies “generally” do not have access to PHI on unauthenticated webpages and further stated that such unauthenticated webpages include pages describing services provided by regulated entities. Under this new Guidance, OCR has backtracked and removed such service description webpages from its examples of unauthenticated pages. This change, combined with the oncology webpage example described above, suggests that OCR will look to the intent of a website visitor in determining whether identifiable information is PHI. It is unclear how this will be enforced.   
  • In a new section of the Guidance, OCR outlines its enforcement priorities with respect to tracking technologies. OCR states that its primary interest is in ensuring that tracking technologies are addressed in regulated entities’ HIPAA risk assessments and that the risks associated with such technologies have been identified, assessed, and mitigated. OCR is also interested in confirming that regulated entities have appropriately implemented HIPAA security rule requirements related to the confidentiality, integrity, and availability of electronic PHI. Lastly, OCR provides a reminder that all of its investigations are fact-specific, and that OCR will consider all available evidence when assessing a regulated entity’s compliance with HIPAA.

Although the updated Guidance provides additional information for regulated entities to consider in their use of tracking technologies, many questions remain unanswered and confusion on this Guidance is likely to persist. Regardless, regulated entities would be well-served to review their use of third-party tracking technologies on their websites and mobile apps to ensure compliance with their obligations under HIPAA.   
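The review step recommended above starts with an inventory: which pages load resources from hosts the regulated entity does not control, and which of those pages collect an identifier or describe clinical services. The script below is an added example written for this page; it is not part of OCR’s Guidance or of the Robinson+Cole update. It parses the static HTML of three constructed pages for a hypothetical hospital site (example-hospital.test; all hostnames, paths and page snippets are invented), flags resources loaded from third-party hosts, including URLs that appear inside inline JavaScript, and grades each page against the distinctions the Guidance draws: job postings and visiting hours pages are treated as low risk, a page that collects an email or phone number alongside a third-party load is treated as high risk even though it is unauthenticated, and a service-description page is marked for review because, under the oncology example, the answer depends on the visitor’s intent. A static scan is only the first pass: tag managers and consent scripts add further loads at runtime, so the inventory should be confirmed in a browser with network capture.

```python
"""Static audit of HTML pages for third-party tracking loads (added example)."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical first-party domain; everything else counts as a third party.
FIRST_PARTY = "example-hospital.test"
BASE_URL = f"https://www.{FIRST_PARTY}"

# Page types OCR's own examples treat as not relating to a visitor's health care.
LOW_RISK_PATHS = ("/careers", "/visiting-hours")
# Input types that collect an identifier the Guidance calls out.
IDENTIFIER_INPUT_TYPES = {"email", "tel"}

# Absolute URLs inside inline scripts (pixels are often injected this way).
URL_IN_SCRIPT = re.compile(r"https?://[A-Za-z0-9.\-]+")


def is_first_party(host: str) -> bool:
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


@dataclass
class PageAudit:
    path: str
    third_party_hosts: set = field(default_factory=set)
    collects_identifiers: bool = False
    risk: str = "none"


class _TrackerScanner(HTMLParser):
    """Collects third-party resource hosts and identifier inputs from one page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()
        self.collects_identifiers = False
        self._in_script = False

    def _note_url(self, url: str) -> None:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, url)).hostname or ""
        if host and not is_first_party(host):
            self.hosts.add(host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._note_url(a["src"])
        if tag == "script":
            self._in_script = True
        if tag == "input" and a.get("type", "text").lower() in IDENTIFIER_INPUT_TYPES:
            self.collects_identifiers = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in URL_IN_SCRIPT.findall(data):
                self._note_url(url)


def audit_page(path: str, html: str) -> PageAudit:
    scanner = _TrackerScanner(BASE_URL + path)
    scanner.feed(html)
    scanner.close()
    audit = PageAudit(path, scanner.hosts, scanner.collects_identifiers)
    if not audit.third_party_hosts:
        audit.risk = "none"
    elif audit.collects_identifiers:
        audit.risk = "high"    # identifier sent to a third party, even if unauthenticated
    elif path.startswith(LOW_RISK_PATHS):
        audit.risk = "low"     # job postings / visiting hours per OCR's examples
    else:
        audit.risk = "review"  # e.g. service pages: depends on the visitor's intent
    return audit


def audit_site(pages: dict) -> dict:
    return {path: audit_page(path, html) for path, html in pages.items()}


# Constructed sample pages for the hypothetical site (not real markup).
SAMPLE_PAGES = {
    "/careers": """<html><body>
      <script src="/static/app.js"></script>
      <img src="https://analytics.tracker.test/pixel.gif?p=careers" width="1" height="1">
    </body></html>""",
    "/services/oncology": """<html><body><h1>Cancer care</h1>
      <script>
        var s = document.createElement('script');
        s.src = 'https://pixel.adnetwork.test/tr?id=demo';
        document.head.appendChild(s);
      </script>
    </body></html>""",
    "/appointments": """<html><body>
      <script src="//tagmanager.tracker.test/tm.js?id=demo"></script>
      <form action="/appointments/book" method="post">
        <input type="email" name="email"> <input type="tel" name="phone">
      </form>
    </body></html>""",
}

if __name__ == "__main__":
    for a in audit_site(SAMPLE_PAGES).values():
        print(f"{a.path:20} risk={a.risk:7} identifiers={a.collects_identifiers!s:5} "
              f"third_party={sorted(a.third_party_hosts)}")
```

Run it as-is to see the three verdicts; point `audit_page` at saved copies of real pages to build the inventory the risk assessment needs, then repeat the check with a browser network capture, since anything a tag manager loads at runtime will not appear in the static HTML.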

Below is an excerpt of a Robinson+Cole legal update co-authored by Government Enforcement and White-Collar Defense Team co-chair Seth Orkand and member David Carney.

On March 7, 2024, Deputy Attorney General (DAG) Lisa Monaco announced the contours of a new Department of Justice (DOJ) pilot program (Pilot) offering financial incentives to individual whistleblowers who report certain criminal conduct to the DOJ. This significant announcement came in a speech that emphasized individual accountability for corporate conduct, more significant sanctions for recidivist corporations, expansion of credit for voluntary self-disclosures (VSDs), and a focus on prosecution of misconduct aided by artificial intelligence. (Acting Assistant Attorney General (AAG) Nicole M. Argentieri expanded on DAG Monaco’s comments on March 8, 2024.) As with corporate VSDs, after satisfying other prerequisites, the Pilot—designed to formalize the DOJ’s previously ad hoc approach with something more akin to the whistleblower compensation programs arising from the Dodd-Frank Act—rewards only the first reporter of misconduct, further setting the table for a race to the DOJ. As DAG Monaco said, “When everyone needs to be first in the door, no one wants to be second.”

The Pilot springs from the impact of extant programs, such as the hundreds of millions of dollars in rewards associated with billions of dollars in disgorgement under a similar Securities and Exchange Commission (SEC) program. DAG Monaco highlighted the Dodd-Frank whistleblower programs at the SEC and the Commodity Futures Trading Commission, similar programs at the Internal Revenue Service and the Financial Crimes Enforcement Network, and qui tam actions. However, she noted that each of these has limitations, resulting in “a patchwork quilt that doesn’t cover the whole bed.” The DOJ will cover the rest of the bed with a program that “address[es] the full range of corporate and financial misconduct that the Department prosecutes.” Read more.

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a Quality, Safety & Oversight memorandum (QSO Memo) updating and revising a memorandum it issued on January 5, 2018, to now permit the texting of patient orders among members of the patient’s health care team. CMS’s 2018 memorandum clarified CMS’s then-current position that texting of patient orders did not comply with the hospital and critical access hospital (CAH) Medicare conditions of participation (CoPs) regarding medical records. Among other things, the applicable CoPs require hospitals and CAHs to retain medical records in a manner that retains author identification information and protects the security of the records. The CoPs also require that records are promptly completed and filed. In 2018, CMS believed that few hospitals and CAHs had the technological capability to integrate text messages into a patient’s medical record in a manner compliant with the CoPs and the Health Insurance Portability and Accountability Act (HIPAA). As a result, CMS stated that orders should either be handwritten into the medical record or transmitted via computerized provider order entry (CPOE) and placed into the medical record.

In reversing its 2018 guidance, CMS now recognizes that advances in technology, including encryption and interfaces between texting platforms and electronic health record systems (EHRs), can enable hospitals and CAHs to comply with the CoPs through the texting of patient orders. CMS cautions hospitals and CAHs that permit texting of orders to ensure that they use secure, encrypted platforms, maintain the integrity of author identification and comply with HIPAA, including the HIPAA security rule. Texted orders must also be promptly filed in the EHR. CMS expects that hospitals and CAHs will regularly review the security and integrity of their texting platforms.

While CMS still prefers the use of CPOEs when providers submit patient orders, the QSO Memo allows hospitals and CAHs additional flexibility, subject to the conditions of the QSO Memo, including HIPAA compliance.

On February 8, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule (Final Rule) updating federal “Part 2” regulations to more closely align the requirements applicable to substance use disorder (SUD) treatment records with the HIPAA privacy rule, and to make certain other changes. The regulations at 42 CFR Part 2 have long set forth strict rules governing the uses and disclosures of medical records of certain SUD treatment facilities and programs. HHS is now scaling back those rules slightly, in accordance with statutory changes to federal law governing the privacy of SUD records in the 2020 “CARES Act” legislation enacted in response to COVID-19.[i] This Final Rule follows a proposed rule issued by HHS on December 2, 2022, which we previously analyzed here.

The Final Rule is anticipated to take effect on April 16, 2024 (60 days from the anticipated publication date of February 16). The compliance date by which individuals and entities must comply with the Final Rule’s requirements is February 16, 2026 (except as specifically tolled in the Final Rule).

Below we provide a high-level summary of the changes included in the Final Rule.  We will supplement this analysis in the coming days with additional detailed reviews of certain of these changes referenced below. 

The key updates in the Final Rule include:

  • Consent: A long-standing tenet of the Part 2 regulations was that SUD records could not be used or disclosed without specific patient consent, except in very narrow circumstances.  The Final Rule updates this regulation to allow a patient to give a single, broad consent that covers all future uses and disclosures of Part 2 records for treatment, payment, and health care operations purposes (as defined under the HIPAA privacy rule), subject to certain exceptions (hereinafter, “TPO Consent”). This alignment with the HIPAA privacy rule is an important development to streamline compliance with the previously incongruent consent regimens under the Part 2 and HIPAA regulations across health systems and Part 2 programs (as defined under the Part 2 regulations).
  • TPO Consent Elements: The Final Rule indicates that a valid TPO Consent must have all of the required elements of a valid HIPAA authorization.
  • Redisclosures: The Final Rule newly allows Part 2 programs, as well as HIPAA-covered entities and business associates, who have received Part 2 records in accordance with TPO Consent, to “redisclose the records as permitted by the HIPAA regulations” except in proceedings against a patient requiring a court order or specific written consent, or until the patient revokes the consent.
  • SUD Counseling Notes: The Final Rule revises the definition of “SUD counseling notes” under the Part 2 regulations “to parallel the HIPAA psychotherapy note provisions,” which are subject to heightened confidentiality restrictions under Part 2 and HIPAA, respectively.
  • Segregation/Segmentation of Part 2 Records: The Final Rule states that a Part 2 program, or HIPAA-covered entity or business associate, which receives Part 2 records based on a single TPO Consent, is “not required to segregate or segment such records.” This may be an important clarification for health systems and other entities that rely on integrated and unified electronic health records.
  • Part 2 Record Breaches: The Final Rule extends breach notification requirements consistent with those under HIPAA to breaches of Part 2 records.
  • Civil and Criminal Enforcement: The Final Rule incorporates HIPAA’s criminal and civil enforcement authorities into the Part 2 regulations, allowing for imposition of civil money penalties and other sanctions available under HIPAA for Part 2 violations.
  • Accounting of Disclosures: The Final Rule grants patients a new right to request an accounting of disclosures made by a Part 2 program based on a consent, for up to 3 years prior to the date of the accounting. However, the compliance date for this provision is tolled by HHS in the Final Rule until HHS revises the HIPAA privacy rule’s accounting for disclosures regulation to address disclosures through an electronic health record.

The Final Rule represents the latest in a series of efforts by HHS to more closely align HIPAA and Part 2 requirements and processes, in recognition of industry shifts to more integrated and coordinated medical, behavioral health, and SUD care. Health care organizations will need to assess the various provisions of the Final Rule closely to determine their compliance obligations and any necessary operational changes.

We will continue to monitor and track developments related to the Part 2 requirements and implications of this Final Rule.


[i] Coronavirus Aid, Relief, and Economic Security Act, Pub. L. No 116-136, 134 Stat 281 (27 March 2020) (CARES Act) – https://www.congress.gov/116/bills/hr748/BILLS-116hr748enr.pdf (codified in pertinent part at 42 U.S.C. 290dd–2).

This post was co-authored by Blair Robinson, a member of Robinson+Cole’s Artificial Intelligence Team.

Artificial Intelligence (AI) has emerged as a major player in the realm of health care, promising to completely transform its delivery. With AI’s remarkable ability to analyze data, learn, solve problems, and make decisions, it has the potential to enhance patient care, improve outcomes, and foster innovation in the health care industry. In this blog post, we will delve into the guidance provided by the U.S. Department of Health and Human Services (HHS) regarding the application and development of AI in the health care sector. There is more guidance than one might think.

To address this transformative power of AI and machine learning, the Office of the Chief Artificial Intelligence Officer (OCAIO) has outlined a strategic approach to prioritize the application and development of AI across various HHS mission areas. OCAIO will focus on two major themes in AI adoption:

  1. Pioneering Health and Human Services AI Innovation: HHS will prioritize the application and development of AI and machine learning. This includes regulating and overseeing the use of AI in the healthcare industry and ensuring ethical and responsible implementation. Additionally, HHS aims to fund programs, grants, and research that leverage AI-based solutions to deliver improved outcomes for patients and healthcare providers.
  2. Collaborating and Responding to AI-Driven Approaches within the Health Ecosystem: Recognizing the dynamic nature of the healthcare landscape, HHS will collaborate with external partners, including academia, the private sector, and state, local, tribal, and territorial governments. HHS also aims to identify gaps and unmet needs in health and scientific areas that would benefit from government involvement and AI application.

To ensure effective governance and execution of these initiatives, HHS has established the AI Council and AI Community of Practice. The HHS AI Council plays a pivotal role in supporting AI governance, strategy execution, and the development of strategic AI priorities across the enterprise. Its objectives include effectively communicating and championing HHS’ AI vision and ambition, as well as governing and executing the implementation of the HHS enterprise AI strategy. By aligning efforts and fostering collaboration, the AI Council aims to expand the use of AI throughout the Department.

The AI Council will focus on four key areas to drive the adoption and innovation of AI within the healthcare sector:

  1. Cultivate an AI-ready workforce and foster an AI culture: HHS recognizes the importance of equipping healthcare professionals with the necessary skills to effectively leverage AI. By fostering a robust and responsible AI culture, HHS aims to create an environment that embraces technological advancements and encourages the integration of AI into healthcare practices.
  2. Promote health AI innovation and research and development (R&D): HHS is dedicated to promoting innovation in the healthcare industry through AI. By encouraging R&D, HHS aims to drive advancements in AI technology and its application in healthcare settings.
  3. Democratize foundational AI tools and resources: HHS aims to make foundational AI tools and resources accessible to all stakeholders in the healthcare ecosystem. By democratizing these tools, HHS seeks to empower healthcare providers, researchers, and other stakeholders to leverage AI for improved patient care and outcomes.
  4. Foster trustworthy AI use and development: Trustworthiness is a critical aspect of AI implementation in healthcare. HHS has committed to promoting the responsible and ethical use of AI, ensuring patient privacy, data security, and transparency.

HHS has also published a useful online portal collecting AI Regulations and Executive Orders. Subsequent blog posts will explore the AI Regulations and Executive Orders.

The HHS guidance underscores the significant role of AI in the health care industry and its unwavering commitment to harnessing its potential. By prioritizing the application and development of AI, collaborating with external stakeholders, and establishing effective governance structures, HHS aims to drive innovation, improve patient care, and enhance health outcomes. As AI continues to evolve, its integration into the vast and complex health care ecosystem holds immense promise for the future of health care. Health care organizations, including hospital systems, physician groups, laboratories, and other organizations in the health care industry, should consider following HHS’s guidance to embrace AI in a responsible, ethical, and legal manner.

Click here to learn more about the HHS AI approach. 

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The World Health Organization (WHO) recently published “Ethics and Governance of Artificial Intelligence for Health: Guidance on large multi-modal models” (LMMs), which is designed to provide “guidance to assist Member States in mapping the benefits and challenges associated with the use of [LMMs] for health and in developing policies and practices for appropriate development, provision and use. The guidance includes recommendations for governance within companies, by governments, and through international collaboration, aligned with the guiding principles. The principles and recommendations, which account for the unique ways in which humans can use generative AI for health, are the basis of this guidance.”

The guidance focuses on one type of generative AI, large multi-modal models (LMMs), “which can accept one or more type of data input and generate diverse outputs that are not limited to the type of data fed into the algorithm.” According to the report, LMMs have “been adopted faster than any consumer application in history.” The report outlines the benefits and risks of LMMs, particularly the risks of using LMMs in the health care sector.

The report proposes solutions to address the risks of using LMMs in health care during the development, provision, and deployment of LMMs, as well as the ethics and governance of LMMs, “what can be done, and by who.”

In the ever-changing world of AI, this is one report that is timely and provides steps and solutions to follow to tackle the risk of using LMMs.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Below is an excerpt of an article, co-authored with Antitrust and Trade Regulation Team lawyer Jen Driscoll and Internal Investigations and Corporate Compliance chair Ed Heath, published in the American Health Law Association’s Health Law Weekly newsletter on January 19, 2024.

Mergers and acquisitions in health care markets are viewed with heightened scrutiny by the Federal Trade Commission (FTC) and U.S. Department of Justice, Antitrust Division (Division) (collectively, the Agencies). These transactions may require further investigation to determine whether there will be anticompetitive effects, such as higher prices, in the affected market. As part of these investigations, the Agencies may issue civil investigative demands (CIDs) for documents and statements from third parties that do not have direct involvement in the transaction. The CID process can become a protracted and expensive undertaking if it is not properly managed from the outset by experienced counsel. This article provides an overview of current antitrust scrutiny of health care markets, and then offers guidance on how to effectively respond to CIDs in connection with the antitrust enforcement process. Read the full article.

On December 13, 2023, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule entitled “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing” and known as “HTI-1” (Final Rule). Among other issues addressed in the Final Rule, ONC revised the information blocking rules to add clarity and to create a new information blocking exception. We outline these changes in further detail below. The information blocking provisions of the Final Rule will be effective 30 days after it is published in the Federal Register.

Continue Reading ONC’s HTI-1 Final Rule Updates Information Blocking Regulations

On November 15, 2023, the U.S. Department of Justice (DOJ) announced a $45.6 million consent judgment (Settlement) with six skilled nursing facilities (SNFs), as well as the owner of the SNFs and its management company which managed the SNFs, to resolve alleged violations of the False Claims Act (FCA) tied to medical director arrangements violating the Anti-Kickback Statute (AKS). The Settlement is notable for its inclusion of the owner and the management company in addition to the SNFs, which indicates DOJ’s interest in scrutinizing the actions of individuals and management entities in connection with problematic arrangements under federal fraud and abuse laws.

Continue Reading DOJ Settlement Targets Owner and Management Company in Addition to Post-Acute Care Facilities

On October 31, 2023, the Office for Civil Rights (OCR) issued a press release announcing that it has settled with Doctors’ Management Services for $100,000 following a ransomware attack that compromised the protected health information of 206,695 individuals.

According to the press release, “this marks the first ransomware agreement OCR has reached.”  The facts underlying the settlement include that Doctors’ Management Services was infected with GandCrab ransomware in April of 2017, but the intrusion was not detected until December of 2018. Doctors’ Management Services filed a breach report in April of 2019.

OCR says that it found evidence that Doctors’ Management Services failed to implement a risk analysis to identify risks and vulnerabilities to protected health information, including insufficient monitoring of its systems to protect against a cyber attack and a failure to implement HIPAA requirements to protect the data.

In addition to the $100,000 settlement, Doctors’ Management Services is required to implement a corrective action plan.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.