OCR Updates Guidance on HIPAA and Online Tracking, But New Examples Lead to New Questions

On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) revised its controversial guidance on how HIPAA applies to the use of online tracking on regulated entities' public webpages. OCR first issued the guidance on December 1, 2022, after which health care providers across the country had to assess and revise their websites. The American Hospital Association and others filed a complaint against OCR seeking a declaratory judgment that the original OCR guidance exceeded OCR's statutory and constitutional authority.

OCR's subsequent revisions to the guidance provide new examples of what HIPAA permits and prohibits with respect to the use of online tracking technologies. But these examples highlight a problem with the original guidance, as regulated entities still may find it impossible to distinguish between what is and is not a disclosure of protected health information (PHI) subject to HIPAA.

For example, the revised guidance states:

• If a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital's webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.

• However, if an individual were looking at a hospital's webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual's IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual's health or future health care.

The difficulty here is that when a user visits a hospital's webpage listing the oncology services provided by the hospital, the hospital likely has no way of knowing whether the user is doing so to write a term paper about cancer or to seek a second opinion on a brain tumor. Where a hospital is uncertain as to the intentions of the user visiting the webpage, the guidance is not clear on whether the hospital can safely take the position that the information associated with that user's webpage visit is not PHI subject to HIPAA.

The revised guidance also notes OCR's enforcement priorities with respect to online tracking technologies. OCR states that it is prioritizing compliance with the HIPAA Security Rule when investigating the use of online tracking technologies and that its principal interest is ensuring that regulated entities have identified, assessed, and mitigated the risks of improper disclosure of electronic PHI when tracking users of its public webpages. This is surprising, since the guidance seems primarily focused on privacy issues, such as whether a covered entity is disclosing PHI generated from its website to business associates without a business associate agreement or a permissible basis. OCR's enforcement focus on the Security Rule, however, indicates that covered entities and business associates should prioritize verifying that the risk of impermissible disclosures of PHI generated by tracking technologies on their websites is assessed and addressed in their Security Rule risk analyses and risk management plans.

For the reader's convenience, linked here is a comparison showing changes to OCR's guidance. If you have questions or need additional assistance, please contact the author or the DWT attorney with whom you normally work.