Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

April 2, 2024

Updated Bulletin on Tracking Technologies in the Health Care Industry

This alert updates the alert we issued on January 31, 2023. 

On March 18, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an updated bulletin to provide guidance on the use of online tracking technologies under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), which apply to regulated entities—covered entities and their business associates. Intended to provide clarity, the updated bulletin replaces OCR’s original bulletin in the wake of a January 5, 2024, lawsuit filed against the secretary of HHS by the American Hospital Association, which aims to bar HHS from enforcing the rules described in the original bulletin. 

Focused on unauthenticated webpages—webpages that are accessible to the public without the requirement to login or input credentials—the updated bulletin explains that the following condition avoids the disclosure of protected health information (PHI): “Visits to unauthenticated webpages do not result in a disclosure of PHI to tracking technology vendor[s] if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.” 

According to OCR’s new examples, collecting identifying information (e.g., an IP address) from a user would not involve a disclosure of the individual’s PHI to a tracking technology vendor if the user merely visits a hospital’s unauthenticated webpage to: 

  • Receive information about the hospital’s job postings or visiting hours, or 
  • Review the hospital’s oncology service listing for purposes of writing an academic paper about the availability of oncology services before and after the COVID-19 public health emergency

The reason for this outcome, explained by OCR, is that the tracking technologies would not have access to information about the individual’s past, present, or future health, health care, or payment for health care.

In another example provided by OCR, collecting identifying information (e.g., an IP address) from an individual would involve a disclosure of the individual’s PHI to the tracking technology vendor if an individual visits a hospital’s unauthenticated webpage that lists the oncology services provided by the hospital in the event that: 

  • The individual visited the webpage to seek a second opinion on treatment options for the individual’s brain tumor, and 
  • The identifying information showing the individual’s visit to the webpage was identifiable and related to the individual’s health or future health care

The changes provided by the updated bulletin set forth a general condition and several specific examples. Nonetheless, regulated entities may continue to grapple with how to interpret and apply the OCR’s condition. Though not entirely clear, the examples seem to indicate OCR’s position is that the purpose of a user’s visit to a website (i.e., whether the purpose relates to the individual’s health or future health care) governs the determination of PHI disclosure. It remains unclear whether a user must interact with the unauthenticated webpage in some fashion to signal the purpose, such as by entering contact information to set up an appointment.

In addition to these updated examples, OCR also indicated its enforcement priority will be compliance with the HIPAA Security Rule in any investigations into the use of online tracking technologies. Therefore, regulated entities are encouraged to conduct a risk assessment of their technology stack and ensure they have business associate agreements (BAAs) in place, where appropriate. OCR’s guidance states that if “chosen tracking technology vendor[s] will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with another vendor, for example a customer data platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.”

Regulated entities should consult with legal counsel for guidance regarding the shifting landscape of technology regulation in the health care industry, including how to interpret OCR’s updated bulletin and whether BAAs are appropriate for use with certain technology vendors. 

Barclay Damon provides counseling, contract drafting, and negotiation for matters at the intersection of health care law and information technology. The information provided in OCR’s updated bulletin is noteworthy for the health care industry and should be considered in the context of the particular circumstances of a health care provider or other regulated entity. 

If you have any questions regarding the content of this alert, please contact Bridget Steele, counsel, at bsteele@barclaydamon.com; Renato Smith, Data Security & Technology Practice Area co-chair, at rsmith@barclaydamon.com; or another member of the firm’s Health & Human Services Providers Team or Data Security & Technology Practice Area.
 

Featured Media

Alerts

Second Department: Objective Evidence Required to Establish Trivial Defect Defense

Alerts

NYS Department of Health Issues Consumer Protection Guidance on Payments for Health Care Services

Alerts

Stay Away From the Debtor? An Overview of the Automatic Stay in Bankruptcy

Alerts

Second Department: Defendants Are Entitled to Collateral Source Hearing for "To-Be Obtained" Insurance Coverage Under the ACA

Alerts

What OMH Providers Need to Know About the Proposed Amendments to the Licensing Regulations in 14 NYCRR Part 551

Alerts

Website Accessibility Lawsuits: Several "Tester" Plaintiffs—Primitivo Robles, Hannibal Wheatley, Valeria Jacobs, Marlelis Hernandez, and Omar Rodriguez—Targeting Businesses in Recent Flurry of Lawsuits

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out