Getty Images

How updated third-party tech guidance affects compliance efforts

In its updated bulletin on third-party tracking tech, OCR doubled down on its stance that an IP address of a device accessing certain parts of a covered entity’s website constitutes PHI.

Following a December 2022 bulletin that elicited questions from covered entities and a lawsuit from the American Hospital Association (AHA), the HHS Office for Civil Rights (OCR) updated online tracking technology guidance.

In the March 2024 edition of the bulletin, OCR said it released updated guidance to “increase clarity for regulated entities and the public.”

However, in interviews with HealthITSecurity, several experts noted that the updated guidance merely reiterates OCR’s previously held stance on what constitutes an impermissible disclosure of protected health information (PHI) on user-authenticated and unauthenticated webpages that have third-party tracking tech present.

“I think it’s more window dressing than anything else. Not a lot has actually changed in this updated guidance,” said Sean Buckley, partner at Dykema. “They didn't move the needle in any material way whatsoever.”

The use of third-party analytics tools and tracking tech in healthcare remains prevalent as healthcare organizations balance the utility of these tools with the data privacy and legal risks that follow. However, while OCR’s update did not provide the level of clarity many were hoping for, there are key elements to keep an eye on that may impact compliance activities.

Why third-party tech use in healthcare continues to spark debate

Healthcare’s use of third-party tracking tech was first highlighted in June 2022, when journalists discovered that a third of Newsweek’s top 100 hospitals in America had the Meta Pixel embedded into their sites. The presence of the technology itself was not the problem, as these technologies are widely used across the internet. Rather, the pixel was allegedly sending a packet of data to Facebook whenever a visitor took a simple action like scheduling an appointment, which raised patient privacy concerns.

An April 2023 study published in Health Affairs revealed that 98.6% of more than 3,700 analyzed hospital website home pages had at least one third-party data transfer, and 94.3% had at least one third-party cookie.  

These discoveries inspired many healthcare entities to look into how these tools were interacting with their sites, leading to several data breach notifications and subsequent lawsuits and settlements.

By 2023, more than 200 lawsuits had been filed against healthcare organizations over their use of third-party tracking tech and other web analytics tools, 75% of which were filed in 2023 alone, BakerHostetler found.

Aaron Maguregui, a partner at Foley & Lardner who advises healthcare entities on regulatory issues, stressed that not all third-party technologies are a compliance risk and not all of them are within the scope of OCR’s guidance.

“It's really those third-party tracking technologies that are used for purposes of targeted marketing that the guidance is looking to regulate. There are obvious reasons why we would want to regulate the sharing of that information with third-party social media companies, or companies that are not regulated by HIPAA,” Maguregui suggested.

“But there's also a counterargument to that, which is if today's patient goes to social media to educate themselves, it is unfortunate that it is very difficult for healthcare organizations to utilize those tools in order to provide the opportunity for patient engagement and really meet the patient where they're at.

AHA lawsuit prompts OCR to update guidance

Rather than go through a formal rulemaking process, OCR released a bulletin December 2022 to clarify the responsibilities of HIPAA-covered entities when it comes to using third-party tracking tools.

In the initial bulletin, OCR clarified that whether the tech is present on user-authenticated or unauthenticated webpages, if PHI is involved, HIPAA rules still apply. OCR also stressed the importance of having a business associate agreement (BAA) with all vendors that handle PHI to remain compliant.

In a lawsuit filed by the AHA, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, the parties suggested that the bulletin signified a “massive overreach by the federal bureaucracy,” and that it “exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.”

Specifically, the AHA took issue with OCR restricting hospitals from using third-party technologies that capture IP addresses on portions of public-facing webpages addressing specific health conditions.

“Broadly treating IP addresses as protected information under HIPAA, this new rule subjects hospitals to enforcement actions and civil penalties under HIPAA if they do not comply with OCR’s new rule, forcing providers to strip their websites of these valuable technologies,” the AHA stated.

The AHA alleged that technologies such as analytics software, digital maps, translation services, and video technologies that help providers reach the community are now in jeopardy because of the new rule. What’s more, several federal government webpages run by HIPAA-covered entities, including Medicare.gov and several Veterans Health Administration sites use this technology themselves.

Against this backdrop, OCR issued its March 2024 updated bulletin in an effort to address the concerns that the plaintiffs raised in their complaint and opening brief. While the refreshed guidance may have been released as part of a bigger legal proceeding, it still impacts the daily operations of HIPAA-covered entities.

What’s more, the updated bulletin did little to change the AHA’s stance, meaning the lawsuit will move forward.

The AHA’s general counsel and secretary Chad Golder said the modification “suffers from the same basic substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review.”

Exploring the nuances of OCR’s updated guidance  

The updated guidance states that individually identifiable health information (IIHI) “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”

However, OCR noted that the fact that an online tracking technology connects the IP address of a user’s device to a webpage that addresses specific health conditions is not IIHI unless the webpage visit is related to an individual’s past, present or future healthcare or payment for healthcare.

“An IP address is a necessary part of any communication on the internet. It's inextricable. You can't not transmit the IP address,” noted Christopher Iaquinto, partner at Holland & Knight and member of the firm’s Data Strategy, Security and Privacy Practice Group.

“In that context, the position that HHS has taken where IP addresses may be identifying, and it's the intent of the website visitor that determines whether the IP address and the pages visited is covered by HIPAA or not – it is kind of an impossible standard. It's certainly not workable.”

The updated guidance suggests that OCR expects covered entities to decipher each website visitor's intent to determine what constitutes a disclosure of PHI.

OCR provided the example of a student writing a term paper on the availability of oncology services before and after the COVID-19 public health emergency. Even if the collection and transmission of the student’s IP address could be used to identify the student, this would not be considered a disclosure of PHI, because that student’s visit to the page was not related to the delivery of their own past, present or future healthcare services.

However, if an individual visited that same oncology services webpage to seek a second opinion on treatment options for a tumor, the collection of that individual’s IP address or other identifying information would be considered a disclosure of PHI.

“The only way to really infer intent from a tracking perspective is seeing what a user clicks on when they get to that landing page. And if you can't glean from that very, very limited information, then you're essentially just as in the dark as you were before,” said Aaron Maguregui, a partner at Foley & Lardner who advises healthcare entities on regulatory issues.

“So, I don't think the guidance has been helpful. I don't think it's been clarifying. I think it's really put providers and healthcare companies that are out there trying to showcase their offerings and provide additional treatment opportunities at risk of being able to share their message and engage with prospective patients.”

OCR’s stance did not change from the initial bulletin. Rather, it offered some more concrete examples of what constitutes an improper use of PHI as it relates to the use of third-party tech. Additionally, OCR reaffirmed its intent to prioritize enforcement and compliance with the HIPAA Security Rule via investigations into the use of these technologies, despite saying that the contents of the bulletin “are not meant to bind the public in any way” and merely exist to remind covered entities of the existing requirements of the law.

“OCR has, on the one hand, said that this guidance doesn't have the force and effect of law, but it will be the basis for an enforcement priority,” said Beth Pitman, partner at Holland & Knight. “So, it is a double-edged issue here and places the healthcare providers in the crosshairs.”

How HIPAA-covered entities can mitigate risk

Legal experts agreed that OCR’s updated bulletin did little to ease the compliance concerns of covered entities.

“The recommendations largely remain unchanged,” said Buckley. “You need to be incredibly careful and probably limit the use of pixels and tracking technology on some of these webpages.”

As the rule stands today, covered entities should exercise caution when engaging with these technologies. However, this does not mean that these technologies are noncompliant by nature.

“Certainly, if you're working with a tracking technology vendor and they are going to be accessing any data that's automatically collected on your website, you should have a business associate agreement in place,” Maguregui advised.

“You should have a data workflow in place where you understand where the data is going to be, how it will be collected, how it will be used, and to whom it will be disclosed.”

Maguregui noted that covered entities with condition-specific webpages may find it extremely difficult to determine that something is not PHI, given the specificity of these pages.

“The best practice here is to go through every aspect of your workflow and figure out, first of all, what data are you collecting? Second, what kind of story are you building on that user?” Maguregui noted. “And if you are ultimately building a medical record or a subset of data that will ultimately be used to treat that patient, it's likely going to be PHI.”

Pitman recommended that entities conduct diligence as part of their security risk assessments in order to identify where PHI is being transmitted or maintained by a tracking technology vendor and determine what vendors those third parties are using.

“One of the other options that was suggested by HHS is to have a compliant data room vendor who can then clean the data prior to sending it off to the tracking technology,” Pitman added. “There are vendors that currently do that, but they are expensive, so it is not something that would be widely available to the average healthcare provider.”

Iaquinto stressed that the use of third-party tech in healthcare must be decided on an institution-by-institution basis, suggesting that some of these technologies are crucial to maintaining a web presence.

“The hope is that as the litigation unfolds, there's an opportunity for some clarity and a workable solution going forward,” Iaquinto said.

“It's worth some time and effort for folks to understand exactly how their websites are operating. From there, the next level is to understand what types of data are being transmitted in connection with those tools. Counsel can help with that, vendors can help with that, but at the very least, it's something that needs to be paid attention to in this climate.”

Next Steps

Dig Deeper on HIPAA compliance and regulation