On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) updated its guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Guidance). OCR’s Guidance was first published on December 1, 2022, and is the subject of a lawsuit brought by the American Hospitals Association challenging OCR’s authority to issue it.

The Guidance is aimed at third-party online tracking technologies such as cookies, pixels, web beacons and software development kits, which are deployed on the websites of HIPAA-covered entities and business associates (collectively, regulated entities) and which collect information from visitors to those websites related to how the visitors interact with the website. Information collected can include visitors’ IP addresses and other potentially identifiable information. Under the original Guidance, OCR outlined circumstances in which a regulated entity’s use of third-party tracking technologies can result in an impermissible disclosure of protected health information (PHI) to that third-party technology vendor under HIPAA, particularly because many such third parties are unwilling to enter into business associate agreements with regulated entities. In response to the original Guidance, many regulated entities, including hospitals and health systems, significantly modified their use of third-party tracking technologies but also continued to have concerns about the scope of the Guidance and its impact on their businesses (due to the ubiquity of tracking technologies across the internet and web-based applications).

While OCR retained much of the original Guidance, the agency made several meaningful revisions, including the following:

  • OCR specifically mentions beneficial uses of tracking technologies, including the use of these technologies to analyze the number of IP addresses that access portions of a regulated entity’s website. Notably, OCR does not expressly state that the use of tracking technologies in this manner is acceptable under HIPAA.
  • The Guidance allows for the possibility that IP addresses are not always PHI (or Individually Identifiable Health Information (IIHI)) under HIPAA. Specifically, the Guidance states that:

But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care. (Emphasis added).

  • OCR provides several examples in the Guidance of circumstances in which information collected by tracking technologies may or may not be PHI:
    • Transmission to a tracking technology vendor of a user’s IP address or other identifying information related to the user’s visit to a regulated entity’s job postings or visiting hours webpages would not involve a PHI disclosure, even if there is a reasonable basis to believe the information could identify the user, because such information does not relate to an individual’s health care.
    • If a student visited a regulated entity’s webpage to review its oncology service offerings for a research paper, the collection of identifying information on the student would not be a violation because such information is not related to the student’s health care. On the other hand, if an individual visited the same oncology webpage to seek a second opinion on a cancer diagnosis, any identifying information collected would be PHI because it relates to the individual’s past, present and/or future health.
  • OCR clarifies that a third-party tracking technology’s collection of identifying information, such as an email address, on appointment scheduling pages and symptom-checker tools may constitute an impermissible disclosure of PHI by the regulated entity even if such features are available on unauthenticated webpages (i.e., pages that do not require a user to log in).
  • Notably, in the prior Guidance, OCR stated that tracking technologies “generally” do not have access to PHI on unauthenticated webpages and further stated that such unauthenticated webpages include pages describing services provided by regulated entities. Under this new Guidance, OCR has backtracked and removed such service description webpages from its examples of unauthenticated pages. This change, combined with the oncology webpage example described above, suggests that OCR will look to the intent of a website visitor in determining whether identifiable information is PHI. It is unclear how this will be enforced.
  • In a new section of the Guidance, OCR outlines its enforcement priorities with respect to tracking technologies. OCR states that its primary interest is in ensuring that tracking technologies are addressed in regulated entities’ HIPAA risk assessments and that the risks associated with such technologies have been identified, assessed, and mitigated. OCR is also interested in confirming that regulated entities have appropriately implemented HIPAA security rule requirements related to the confidentiality, integrity, and availability of electronic PHI. Lastly, OCR provides a reminder that all of its investigations are fact-specific, and that OCR will consider all available evidence when assessing a regulated entity’s compliance with HIPAA.

Although the updated Guidance provides additional information for regulated entities to consider in their use of tracking technologies, many questions remain unanswered and confusion on this Guidance is likely to persist. Regardless, regulated entities would be well-served to review their use of third-party tracking technologies on their websites and mobile apps to ensure compliance with their obligations under HIPAA.