OCR Revises Online Tracking Technology Guidance for HIPAA-Regulated Entities


The HHS’ Office for Civil Rights (OCR) has updated its guidance for HIPAA-regulated entities on the use of online tracking technologies such as Meta Pixel and Google Analytics. OCR released its first guidance in December 2022 after it became aware that these technologies were being used by many U.S. hospitals on their websites and apps, and that the code snippets were collecting protected health information and transmitting it to third parties in violation of the HIPAA Rules.

OCR has faced criticism since releasing the guidance in 2022. These technologies are extensively used on websites and they are critical to how certain website features function. The technologies provide healthcare organizations with valuable information on how their websites and apps are being used, and that information can be used to make improvements to the websites and apps to benefit patients. The American Hospital Association (AHA) has called for OCR to drop the guidance and, after no response was received, took legal action to prevent OCR from enforcing the guidance.

The update to the guidance is likely a response to the legal action. OCR has clarified that these tracking technologies have not been banned, that they can be used by healthcare organizations, and that there are benefits to using these code snippets on websites; however, care must be taken because these technologies can transmit information that is protected under HIPAA. OCR explained that HIPAA-regulated entities are not permitted to use tracking technologies in a manner that would result in an impermissible disclosure of electronic protected health information (ePHI) to tracking technology vendors or in any other violation of the HIPAA Rules.

Since the vendors of these tools are classed as business associates under HIPAA, a HIPAA-compliant business associate agreement (BAA) must be obtained from the vendor before these technologies are used anywhere they can ‘touch’ ePHI, and any sharing of ePHI must be permitted by the HIPAA Privacy Rule. If it is not, consent must be obtained in advance in the form of a valid HIPAA authorization. Regarding those authorizations, it is not sufficient to add these disclosures to the Notice of Privacy Practices; banners advising users that any information entered on the website may be transmitted to third parties do not constitute valid authorizations, nor does a user accepting or rejecting cookies.

This advice has not changed since the initial guidance, but one area that has changed concerns IP addresses. In the initial guidance, OCR indicated that the collection and transmission of IP addresses constituted a disclosure of ePHI, regardless of context. OCR’s position now is that IP addresses are classed as ePHI only in certain circumstances. If an individual is visiting a website in relation to their past, present, or future health care or payment for health care, then their IP address is an identifier that makes the information disclosed individually identifiable health information (IIHI), which is a precondition for information to meet the definition of ePHI.

“IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services,” explained OCR in the guidance. “But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”

OCR confirmed that tracking technologies behind user-authenticated pages, such as patient portals, generally have access to PHI, so any tracking technologies on these pages must be used in a manner compliant with the HIPAA Rules. A BAA is required, and any disclosure must be permitted by the HIPAA Privacy Rule unless a HIPAA authorization is obtained. OCR explained that tracking technologies on unauthenticated webpages, such as pages with general information about the regulated entity (its location, visiting hours, employment opportunities, or policies and procedures), often have no access to ePHI. In these cases, the pages do not have access to PHI and the tracking technologies on them are therefore not regulated by the HIPAA Rules.

If a webpage may have access to PHI, then the HIPAA Rules apply. “Regulated entities that are considering the use of online tracking technologies should consider whether any PHI will be transmitted to a tracking technology vendor, and take appropriate steps consistent with the HIPAA Rules,” explained OCR. OCR provides several examples in the guidance on when online tracking technologies are covered by HIPAA and when they are not. For instance, “Where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve a disclosure of an individual’s protected health information to an online tracking vendor.”

An example of where ePHI is collected and transmitted and is therefore subject to the HIPAA Rules was provided. “If an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future healthcare.”

The guidance also explains regulated entities’ compliance obligations and OCR’s enforcement priorities. OCR said it will prioritize compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies, in particular whether regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI.

“The fact that the HHS Office for Civil Rights has modified its Bulletin in response to our lawsuit concedes that the original Bulletin was flawed as a matter of law and policy,” commented AHA general counsel and secretary, Chad Golder. “Unfortunately, the modified Bulletin suffers from the same basic substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review. The modified rule will continue to chill hospitals’ use of commonplace technologies that allow them to effectively reach patients in need.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/