OCR’s Update on Online Tracking Guidance Still Tricky
The Office for Civil Rights (OCR) recently updated its December 2022 bulletin regarding the use of third-party tracking technologies by HIPAA-regulated entities “to increase clarity for regulated entities and the public.” However, the clarity is questionable.
The updated bulletin potentially raises more questions than it answers, says Angela Matney, JD, counsel with the Reed Smith law firm in Washington, DC. Based on the updated guidance, covered entities and business associates may be required to know the subjective intent of visitors to certain webpages, she says. (The updated guidance is available online at https://bit.ly/3VSHfSI.)
If this intent cannot be determined, which Matney says almost always will be the case, regulated entities may choose to treat all identifiable information collected through these webpages as protected health information (PHI).
The guidance addresses the use of cookies, pixels, and other website analytics tools that may violate HIPAA by exposing PHI.
“This has implications for regulated entities’ use of tracking technologies, including those designed to help improve patient experiences and to provide beneficial information to help allocate resources based on the needs of different populations,” she says.
The updated guidance comes after the American Hospital Association (AHA) and others sued OCR over the rule restricting the use of third-party technologies. (The lawsuit is available online at https://bit.ly/3UJEx0X.) Chad Golder, AHA general counsel and secretary, issued a statement after the updated guidance, saying “The fact that the HHS Office for Civil Rights has modified its Bulletin in response to our lawsuit concedes that the original Bulletin was flawed as a matter of law and policy. Unfortunately, the modified Bulletin suffers from the same basic substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review.”
Matney explains that the portion of the bulletin at issue in the AHA suit concerned “unauthenticated webpages,” defined in the bulletin as “webpages that are publicly accessible without first requiring a user to log in to such webpage.” OCR acknowledges in the updated bulletin that tracking technologies on certain webpages (such as a webpage that provides information about job postings or visiting hours) do not collect PHI, she says.
“But according to the updated bulletin, if a visit to a regulated entity’s website relates to an individual’s health, healthcare, or payment for healthcare, the use of third-party trackers results in a disclosure of PHI,” Matney says. “This suggests that a covered entity or business associate will need to have insight into the user’s subjective intent for visiting these webpages if it plans to treat information collected through trackers as anything other than PHI.”
Examples in the updated bulletin would seem to support this interpretation, Matney says. The bulletin considers two hypothetical visits to a hospital’s page listing its oncology services. The bulletin states that if a student visited the page while writing a term paper on the changes in the availability of oncology services before and after the COVID-19 pandemic, information collected by tracking technologies would not be PHI, even if it identified the student, Matney notes.
On the other hand, if an individual visited that same webpage seeking a second opinion on treatment options for their brain tumor, identifiable information relating to the individual’s healthcare would be PHI according to the guidance, she says. The individual’s reason for visiting the webpage would seem to be the determining factor.
“Because HIPAA-regulated entities are not in a position to know why a particular individual visits a webpage, they may choose to mitigate risk by treating all information collected through certain webpages as PHI. This means that they may have to completely discontinue the use of third-party trackers on these pages or only use trackers from vendors who will enter into HIPAA-compliant business associate agreements,” Matney says. “Traditionally, many providers of popular analytics tools have refused to sign business associate agreements (BAAs), so covered entities and business associates may have limited options if they wish to use tracking tools for purposes such as improving patient experiences or helping determine how to allocate resources based on patient needs in different geographic locations.”
No Useful Changes
Unfortunately, the new guidance made no real substantive changes to the original guidance, says Kristen Rosati, JD, an attorney with the law firm of Coppersmith Brockelman in Phoenix, AZ. It seems OCR is digging in its heels, she says, with no immediate regulatory relief in sight, while healthcare organizations struggle to comply with the guidance without impacting website functionality and operations too much.
Unfortunately, the use of online tracking by healthcare organizations carries significant risk, says Erin Dunlap, JD, an attorney with the Coppersmith Brockelman law firm in Phoenix, AZ. Regarding regulatory risk, both OCR and the Federal Trade Commission (FTC) have issued guidance on online tracking that sets difficult standards to meet, she says. They have initiated investigations and issued joint “warning” letters to approximately 130 hospital systems and telehealth providers regarding the use of online tracking.
The FTC has imposed penalties against numerous parties related to online tracking, Rosati says, and the regulatory attention isn’t limited to the feds: State attorneys general also are initiating investigations related to online tracking under their state consumer data privacy laws and/or state health information confidentiality laws, she says.
There also is litigation risk, Rosati notes. Numerous lawsuits, including several class actions, have been filed against third-party tracking vendors, hospital systems, and telehealth providers over the disclosure of website user data through online tracking. Financial risk comes into play because cyber liability insurers are issuing detailed requests for information to healthcare organizations to explain their use of online tracking, raising concerns about increases in insurance premiums, Rosati says.
“We had a small glimmer of hope that OCR would revisit its guidance when the American Hospital Association filed a lawsuit against OCR on Nov. 3, 2023, challenging OCR’s original guidance on the use of online tracking,” she says. “Unfortunately, OCR did not make significant revisions in response to the AHA lawsuit. The March 2024 guidance slightly retracted OCR’s original position on IP addresses, stating IP addresses may constitute PHI ‘in some circumstances.’”
The guidance says that the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing healthcare providers is not a sufficient combination of information to constitute PHI if the visit to the webpage is not related to an individual’s past, present, or future health, healthcare, or payment for healthcare, Dunlap explains.
“This is not a workable distinction, as HIPAA-regulated entities will not know the intent of a website user,” Rosati says.
The updated guidance also encourages the use of a customer data platform (CDP), which OCR defines as “software that can combine data from multiple sources regarding customer interactions with a company’s online presence to support a company’s analytic and customer experience analysis.” OCR explained that CDP vendors may be willing to sign business associate agreements and de-identify online tracking data before sending it to online tracking vendors like Google or Facebook, Dunlap says.
“We agree that the use of a CDP or ‘middlemen’ vendors is helpful for HIPAA-regulated entities to maintain some analytical capabilities to determine whether their marketing efforts through social media platforms are effective,” she says. “But we have noted that HIPAA-regulated entities need to ‘kick the tires’ to make sure the CDP vendors are appropriately de-identifying data before sending data to online tracking vendors.”
In addition, Rosati notes that these vendors can be expensive and may be cost prohibitive for some organizations.
Address in Risk Analysis
OCR’s updated guidance also made clear that HIPAA-regulated entities should address the use of tracking technologies in their risk analysis and risk management process, she says, with OCR saying it is “prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.”
“This is a big heads up to HIPAA-regulated entities to accelerate their internal analysis on the use of online tracking and to integrate any remaining online tracking into the HIPAA security risk assessment process,” Rosati says.
(See the story on p. 3 for Rosati and Dunlap’s recommendations for responding to OCR’s guidance.)
OCR’s updated guidance only made matters worse for covered entities, says Jeremy Mathis, vice president of client success with Fathom, a digital marketing agency based in Cleveland, OH, that works with health systems across the country, and former communications and social media strategist at University Hospitals in Cleveland.
“The OCR’s update sought to ‘increase clarity for regulated entities and the public’ but did nothing of the sort,” he says. “If anything, the update further muddied the waters by failing to provide practical guidance.”
The examples shared require a healthcare system to discern an individual’s motivations for visiting a web page, and that’s just not realistic, he says. “If a student is visiting your website to inform research, you can track. If a patient is visiting your website for a second opinion on a procedure, you can’t track,” Mathis says. “The trouble is, it’s the same website for both visitors. And creating that truly individual and tailored, visitor-specific experience would require systems to invest resources that, frankly, are better allocated to delivering patient care.”
Mathis recommends the most conservative approach: HIPAA-covered entities should not use tracking on their websites unless they’ve signed a BAA with the platform. That’s been his firm’s recommendation to clients since 2022, and that will continue to be their recommendation until court cases are settled and actual clarity is available, he says. “This, of course, limits the toolset health systems have available to reach, engage, and measure. No Google Analytics 4 tracking, no Meta pixel. They won’t sign a BAA,” Mathis says. “There is a host of tools that just aren’t available for this specific group right now. As a result, systems and their partners have invested a significant amount of time and resources to pivot strategies and ensure the needs of their communities continue to be met.”
Sources
- Erin Dunlap, JD, Coppersmith Brockelman, Phoenix. Telephone: (314) 255-5988.
- Angela Matney, JD, Reed Smith, Washington, DC. Telephone: (202) 414-9343.
- Jeremy Mathis, Vice President of Client Success, Fathom, Cleveland, OH. Telephone: (216) 369-2220.
- Kristen Rosati, JD, Coppersmith Brockelman, Phoenix. Telephone: (602) 381-5464.