Healthcare , HIPAA/HITECH , Industry Specific
Tracker Backtrack? Feds Revise HIPAA Guidance on Web Tools
Facing AHA Lawsuit, HHS Tempers 2022 Warning About Tracking IP Addresses, Other PHIFederal regulators have issued updated guidance about web trackers on patient portals or other health-related websites, saying that collecting and disclosing certain information - such as device IP addresses - does not necessarily pose HIPAA violations under some circumstances.
See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience
The Department of Health and Human Services' Office for Civil Rights on Monday reiterated that regulated entities are still not permitted to use tracking technologies in a manner that would result in impermissible disclosures of electronic protected health information to tracking technology vendors or any other violations of HIPAA Rules.
The updated guidance replaces controversial guidance that HHS OCR issued in December 2022 and that appeared to warn that the use by HIPAA-regulated entities of online trackers - such as Meta Pixel - that collect and transmit certain individually identifiable health information, including IP addresses, more broadly constituted potential HIPAA violations (see: HHS: Web Trackers in Patient Portals Violate HIPAA).
"OCR addressed one of the more significant questions regarding its initial guidance - whether the collection of any IP address through tracking technologies on a regulated entity's website, regardless of context, constitutes the collection and sharing of PHI," said attorney Phillip Davis of the law firm Hall Render.
"They have clarified now that not every IP address is PHI. An IP address may be PHI only in certain circumstances when an individual is visiting the website in relation to their past, present or future healthcare," he said.
HIPAA-regulated entities need to understand that OCR has not changed its position that an IP address can be considered PHI, Davis said.
"Rather, they clarified that the intention of the website visitor is what matters when making that determination. If an individual is accessing a site or using an app for information regarding their own healthcare needs while using their own device, the collection of that individual's IP address is still considered PHI in OCR's mind."
Last July, HHS OCR and the Federal Trade Commission sent letters to about 130 hospitals and telehealth firms warning that the use of web trackers on their websites and mobile apps was in potential violation of HIPAA or FTC regulations (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
HHS OCR officials last summer also said they were actively investigating the use of web trackers by covered entities and business associates and that the agency expected to soon issue its first HIPAA enforcement actions in such cases. So far, that hasn't happened (see: HHS OCR Leader: Agency Is Cracking Down on Website Trackers).
The amended HIPAA guidance comes as HHS OCR faces a federal lawsuit filed in November by the American Hospital Association and three other organizations seeking to have the agency rescind or amend its earlier guidance that more broadly warned that the use of online trackers by hospitals potentially violates HIPAA rules (see: AHA Sues Feds Over Privacy Warning About Web Tracker Use).
HHS OCR did not immediately respond to Information Security Media Group's request for comment on the agency's updated guidance.
Chad Golder, general counsel of the AHA, said in a statement to ISMG that the modified guidance in response to the groups' lawsuit "concedes that the original bulletin was flawed as a matter of law and policy."
Even so, Golder said, HHS OCR's updated guidance "suffers from the same basic substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review."
"The modified rule will continue to chill hospitals' use of commonplace technologies that allow them to effectively reach patients in need. We look forward to resolving this issue once and for all in court, so that the federal government can no longer tie hospitals' hands as trusted messengers of reliable healthcare information."
Web Tracker Scenarios
HHS OCR's revised guidance provides examples of when visitors to authenticated websites - such as patient portals, in which users must log in - and visitors to unauthenticated websites that do not require logging in - such as a general webpage of a regulated entity, such as a hospital - may or may not pose potential HIPAA violations based on the type of user information collected by trackers.
For instance, "where a user merely visits a hospital's webpage that provides information about the hospital's job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user's IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve a disclosure of an individual's protected health information to an online tracking vendor," HHS OCR wrote.
"This is true even if there is a reasonable basis to believe that the information can be used to identify the user who visited the webpage, because the online tracking technologies in this example did not have access to information about an individual's past, present or future health, healthcare, or payment for healthcare," HHS OCR wrote.
"However, if an individual were looking at a hospital's webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual's IP address, geographic location or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual's health or future healthcare."
HHS OCR's updated guidance acknowledged that the use of trackers by some regulated groups such as hospitals can be used to provide insights for "beneficial" purposes, such as helping the provider improve care or the patient experience, the utility of web pages and apps, or allocate resources.
"For example, hospitals might use data analytics to determine how many IP addresses accessed webpages providing information about COVID-19 vaccines or treatment in a particular area, which in turn could help the hospitals make decisions about how to allocate their medical and other resources," HHS OCR said.
"However, this tracking information could also be misused to promote misinformation, identity theft, stalking and harassment."
Confusing Messages
HHS OCR's updated bulletin provides some clarification about what has been "highly unclear and confusing guidance to date," said privacy attorney Kirk Nahra of the law firm WilmerHale.
"There is certainly some usefulness to the updated guidance - for example, clarifying that not all activity on unauthenticated web site involves PHI. At the same time, the guidance remains confusing and troubling," he said.
While the revisions to the guidance provide some additional helpful examples, they "do not alter the legal analysis related to the HIPAA Privacy Rule or HHS OCR's approach to the policy issues involved here," said privacy attorney Iliana Peters of the law firm Polsinelli.
"I personally do not agree with this policy approach with regard to unauthenticated websites, as I do not agree with HHS that users of public-facing websites subject to online privacy policies and terms of use - under the FTC’s jurisdiction - contemplate the types of privacy protections required by OCR in this guidance, particularly given OCR's approach in other similar circumstances, such as with regard to appointment reminder postcards."
Nahra said that HHS OCR's initial guidance "served as the basis for many class action lawsuits primarily because of the guidance itself, and not because of any actual disclosure to a third party beyond a service provider and/or cognizable harm. I don't see that this updated guidance will provide new clarity there."
Facebook parent Meta faces a proposed consolidated class action in a California federal court alleging it violated privacy law by collecting patient information via its Pixel tracker, including data on doctors, conditions and appointments (see: Judge Denies Meta's 2nd Try to Dismiss Pixel Privacy Case).
Besides Meta's litigation, several U.S. healthcare organizations are facing similar proposed class action lawsuits involving privacy concerns over their current or previous use of online trackers on their websites and patient portals.
In January, North Carolina-based healthcare system Novant Health agreed to pay $6.6 million to settle a consolidated class action lawsuit involving its use of tracking tools on its websites and patient portals (see: NC Health System Agrees to Pay $6.6M in Web Tracking Case).
HHS OCR's updated guidance states that the agency is still prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.
"OCR's principal interest in this area is ensuring that regulated entities have identified, assessed and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity and availability of ePHI."
OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity's use of any tracking technologies, the agency said.