In December of 2022, HHS issued online tracking technology guidance. The guidance provided instructions for HIPAA-covered entities on how to use tracking technologies to gather information about users and their actions, as the users interacted with a website or mobile app. Notably, the guidance provided that the HIPAA Privacy Rule applies to HIPAA-covered entities in circumstances when an online technology connects (1) an individual’s IP address with (2) a visit to an unauthenticated public webpage addressing specific health conditions or providers. In these circumstances, the guidance provided that an IP address constituted individually identifiable health information to which the HIPAA Privacy Rule applied.
The American Hospital Association (AHA) then sued HHS, arguing that HHS exceeded the scope of its regulatory authority through issuance of this guidance. In June of 2024, a federal District Court declared this portion of the guidance to be unlawful. On August 19, 2024, HHS filed a Notice of Appeal, announcing its intent to formally appeal the online tracking technology court order. HHS then did an about-face; on August 29, 2024, HHS voluntarily withdrew its appeal of the online tracking technology court order. HHS is no longer appealing the decision of the District Court. The online tracking technology court order now stands as law.
The Response to the Withdrawal of the Appeal of the Online Tracking Technology Court Order
Understandably, the American Hospital Association’s response to the withdrawal of the appeal has been one of elation. AHA General Counsel Chad Golder, in a statement shared with the media, noted: “The American Hospital Association is pleased that the Office for Civil Rights has decided not to appeal the district court’s decision vacating the new rule adopted in its Online Tracking Technologies Bulletin. As the AHA repeatedly explained to OCR — both before and after OCR forced the AHA to file its lawsuit — this rule was a gross overreach by the federal government, imposed without any input from healthcare providers or the general public. Now that the Bulletin’s illegal rule has been vacated once and for all, hospitals can safely share reliable, accurate healthcare information with the communities they serve without the fear of federal civil and criminal penalties.”
What Guidance Does the Online Tracking Technology Court Order Leave Intact?
The online tracking technology court order leaves a substantial portion of the guidance intact. Specifically, it leaves intact the guidance on the use of tracking technologies on user-authenticated webpages.
Tracking technologies are scripts or code on a website or mobile app used to gather information about users or their actions as they interact with that website or mobile app. An example of a tracking technology is Meta Pixel.
HIPAA-covered entities may have user-authenticated webpages. A user-authenticated webpage requires a user to log in before the user can access the page. Examples of user-authenticated webpages include patient or health plan beneficiary portals, and telehealth platforms.
Tracking technologies on a regulated entity’s user-authenticated webpages generally have access to PHI. Such PHI may include, for example, an individual’s IP address, medical record number, home or email address, medical appointment date, or other identifying information the individual may provide when they interact with the webpage. Tracking technologies used within patient portals may have access to significant amounts of PHI, such as diagnoses, treatment and prescription information, and billing information.
Because tracking technologies on user-authenticated webpages have access to PHI, HIPAA-covered entities that operate such pages must, per the guidance, configure any user-authenticated webpages that include tracking technologies so that those technologies use and disclose PHI only in compliance with the HIPAA Privacy Rule. Per the guidance, HIPAA-covered entities must also ensure that the electronic protected health information (ePHI) collected through their user-authenticated websites is protected and secured in accordance with the HIPAA Security Rule.
Also, as the guidance provides, tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a HIPAA-covered entity for a covered function (e.g., healthcare operations), or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, the guidance notes, HIPAA-covered entities must (1) ensure that the HIPAA Privacy Rule permits disclosures to these vendors, and (2) enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.
How Can Compliancy Group’s Healthcare Compliance Tracking Solution Help Providers?
Compliancy Group’s healthcare compliance tracking solution, The Guard, contains templated policies and procedures, QuickStart guides, a knowledge base, training videos, and self-audit tools that give users a clear understanding of what constitutes health information that the HIPAA Privacy Rule protects. The Guard’s tools also set forth, in straightforward, concise language, what HIPAA-covered entities must do to protect and secure protected health information.