OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities
Alerts
March 25, 2024

On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technology by covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates (together, "regulated entities"). While the updated guidance from OCR seems intended to clarify, and even narrow, the circumstances under which regulated entities’ use of website and mobile app tracking technologies constitutes a disclosure of Protected Health Information (PHI), it fails to provide clarity on the exact scope, rendering compliance challenging. We summarize the updates to the guidance below, briefly analyze how these updates may affect the use of tracking technologies on unauthenticated and authenticated webpages, and outline what companies may explore in terms of compliance.

HIPAA Rule Application to Regulated Entities’ Use of Tracking Technologies

In its original guidance, OCR took the position that a regulated entity discloses Individually Identifiable Health Information (IIHI), which is a necessary precondition for information to meet the definition of protected health information (PHI), through third-party tracking technologies placed on the regulated entity’s website or mobile app. OCR takes the position that IIHI collected on a regulated entity’s website or mobile application "generally is PHI" even if the individual does not have an existing relationship with the regulated entity, and even if the IIHI (such as, in some circumstances, an IP address or geographic location) does not include specific treatment or billing information like dates and types of healthcare services. However, the recent update narrows the definition of IIHI in the context of disclosures via tracking technologies: OCR now states that sharing the mere fact that a consumer visited a regulated entity’s website (e.g., connecting an IP address with a visit to a webpage addressing specific health conditions) does not constitute IIHI if the visit is not related to the individual’s past, present, or future health, healthcare, or payment for healthcare.

Tracking on Unauthenticated Webpages

However, OCR’s updated guidance does not explicitly clarify how regulated entities may determine the intent behind an individual’s webpage visit. Overall, the new examples suggest that, for health-related webpages, whether tracking technologies access PHI does not depend solely on the nature of the unauthenticated webpage but rather hinges on the visitor's activities on the page, i.e., activities indicating that the visit relates to the individual's health, healthcare, or payment for healthcare. The new OCR guidance elaborates on three webpage types:

  1. Webpages that are clearly not health-related: OCR takes the position in the updated guidance that tracking technologies do not access PHI when they collect visitors' information on webpages that are clearly not health-related, such as those on job postings or visiting hours.
  2. Webpages for scheduling appointments or symptom-checker tools: OCR's new guidance states that webpages that permit individuals to schedule appointments or use a symptom-checker tool may constitute access to PHI in certain circumstances. For example, a regulated entity discloses PHI if it allows tracking technologies to collect an individual's:
    • email address;
    • reasons for seeking healthcare; or
    • appointment information.
    These examples suggest that the test for PHI is whether an individual took a discernible action to learn about their health or the healthcare services provided by the regulated entity.
  3. Webpages that address specific symptoms or health conditions: The updated guidance indicates that an individual's visit information to the same webpage may or may not constitute PHI based on the individual’s visit purpose.
    • For instance, tracking technologies do not access PHI if a student visits an oncology services webpage to write a term paper on availability of oncology services before and after COVID-19.
    • However, tracking technologies access PHI when they collect identifying information of an individual who is looking at a hospital's website listing its oncology services "to seek a second opinion on treatment options for their brain tumor...to the extent that the information is both identifiable and related to the individual’s health or future health care." (Emphasis added.)

Despite the ambiguity in how a regulated entity might identify a visitor's intention, the phrase "to the extent that information is...related to the individual's health or future health care" seems to indicate that the visit's connection to healthcare turns on whether the individual performed certain activities (e.g., clicking the contact us form on the webpage), especially when read together with OCR’s guidance on webpages for scheduling appointments or symptom-checker tools. However, OCR does not clarify whether, in the absence of additional forms or interactive elements on a webpage that would allow the regulated entity to identify a visitor's intent, the sharing of a visitor's information through tracking technology would be considered a disclosure of PHI.

Tracking on Authenticated Webpages

The scope of PHI on authenticated webpages (i.e., pages requiring a user login to access) remains the same: tracking technologies on user-authenticated webpages generally constitute access to PHI, and regulated entities must ensure that such disclosures are permitted under HIPAA's Privacy Rule. They must also enter into business associate agreements (BAAs) with tracking technology vendors if those vendors create, receive, maintain, or transmit PHI on behalf of the regulated entity for a covered function, or provide certain services to or for a covered entity that involve the disclosure of PHI (e.g., an individual making an appointment through a regulated entity, and the website transmitting that information and the IP address to a tracking technology vendor).

What Do the Updates Mean for Compliance?

  • For authenticated webpages, the updated guidance offers regulated entities a new way to come into compliance. It explicitly states that a regulated entity can choose to establish a BAA with another vendor to de-identify online tracking information that includes PHI, and then disclose only the de-identified information to tracking technology vendors that are unwilling to enter into a BAA with the regulated entity.
  • For unauthenticated webpages, the update means that regulated entities may have more compliance options for tracking. For example, under the previous guidance, regulated entities could have violated HIPAA by sharing appointment webpage information without receiving individuals’ authorizations. Under the updated guidance, regulated entities may still choose to track the appointment webpage but disable tracking when users conduct activities that trigger certain events, such as clicking a button or filling out a form.

    Another option to consider is contracting with a vendor to de-identify online tracking information for certain webpages or user activities, and sharing only the de-identified information with tracking technology vendors.
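One way to implement the "track the page, but stop once the visitor takes a health-related action" option described above, as an added example that is not part of the alert or OCR's guidance. The page classification, the list of interactions treated as sensitive, the redacted field names and the sample events are all constructed assumptions; a real deployment would map them to its own pages and forms.

```javascript
// Gate placed between a site's event code and a third-party tracking vendor.
// Page kinds follow the three webpage types in the updated guidance (assumed labels).
const PAGE_KINDS = { NON_HEALTH: "non-health", HEALTH_CONTENT: "health-content", APPOINTMENT: "appointment" };

// Interactions treated as evidence that the visit relates to the individual's health
// (form fill, appointment or contact actions). Assumed list, adjust per site.
const SENSITIVE_INTERACTIONS = new Set(["form_input", "form_submit", "contact_click", "schedule_click"]);

// Fields never forwarded from health-related pages (identifiers, reasons for care, appointments).
const SENSITIVE_FIELDS = ["email", "reason", "appointment", "symptoms"];

class TrackingGate {
  constructor(pageKind, send) {
    this.pageKind = pageKind;
    this.send = send;        // forwards an event to the vendor (e.g. a beacon); injected for testability
    this.disabled = false;   // flips to true after the first sensitive interaction and stays true
    this.dropped = 0;
  }

  // Remove identifier and health fields so only page-level, de-identified data leaves.
  static redact(event) {
    const copy = { ...event };
    for (const f of SENSITIVE_FIELDS) delete copy[f];
    return copy;
  }

  track(event) {
    if (this.disabled) { this.dropped++; return false; }
    if (this.pageKind !== PAGE_KINDS.NON_HEALTH && SENSITIVE_INTERACTIONS.has(event.type)) {
      this.disabled = true;  // discernible health-related action: nothing further goes to the vendor
      this.dropped++;
      return false;
    }
    this.send(this.pageKind === PAGE_KINDS.NON_HEALTH ? event : TrackingGate.redact(event));
    return true;
  }
}

// Constructed visit: a page view, a scroll, then the visitor starts filling the appointment form.
const SAMPLE_EVENTS = [
  { type: "page_view", path: "/appointments", ip: "203.0.113.7" },
  { type: "scroll", path: "/appointments", depth: 40 },
  { type: "form_input", path: "/appointments", email: "pat@example.com", reason: "follow-up" },
  { type: "form_submit", path: "/appointments", email: "pat@example.com" },
  { type: "page_view", path: "/appointments/confirm", appointment: "2024-04-01T09:00" },
];

// Runs the gate over a sequence of events and reports what the vendor actually received.
function simulateVisit(pageKind, events) {
  const sent = [];
  const gate = new TrackingGate(pageKind, (e) => sent.push(e));
  events.forEach((e) => gate.track(e));
  return { sent, dropped: gate.dropped, disabled: gate.disabled };
}
```

Running the same event stream through a job-postings page and an appointment page shows the difference: on the non-health page everything is forwarded, while on the appointment page only the two pre-interaction events leave, stripped of identifiers.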

Regulated entities that use tracking technologies may also consider assessing their compliance with the Security Rule, as OCR in the updated guidance signaled that compliance with the Security Rule may be a mitigating factor in investigations into the use of online tracking technologies.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning privacy compliance, please contact Haley Bavasi, Tracy Shapiro, Yeji Kim, or any member of the firm's privacy and cybersecurity practice.

Contributors

  • Tracy Shapiro