    Amit, Pollak, Matalon & Co.

    HIPAA News – OCR Updates on the Use of Online Tracking Tools

    March 21, 2024

    On March 18, 2024, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released an updated bulletin concerning the use of online tracking technologies by entities covered under the Health Insurance Portability and Accountability Act (HIPAA), including both covered entities and business associates. This update is a response to criticism of the original 2022 bulletin, and most notably a lawsuit filed by the American Hospital Association (AHA) against the lawfulness of the OCR’s stance as implemented by the original bulletin.

    Recap on the 2022 Bulletin

    Initially, the 2022 bulletin implemented wide-reaching restrictions on sharing user data collected from websites or mobile applications with third-party vendors, such as analytics or marketing services, unless a Business Associate Agreement (BAA) was in place or proper patient authorization was obtained. This policy applied broadly across both authenticated and unauthenticated webpages and applications. The AHA contended that while the policy aimed to protect patient data, its broad application was unjustified legally in some instances and practically prevented effective online patient engagement, as the relevant vendors were reluctant to provide BAAs. According to the AHA, this approach was unnecessarily restrictive, hindering hospitals’ ability to effectively communicate and “tie hospitals’ hands as trusted messengers of reliable health care information”.

    The Current Update and Its Limited Implication

    The updated bulletin aims to refine the scope of restrictions on the use of online tracking technologies by HIPAA-covered entities, focusing specifically on Protected Health Information (PHI). It emphasizes that, even in the context of online tracking by health-related services, non-PHI data or de-identified data does not require a BAA for sharing with third-party vendors. This distinction is meant to differentiate between authenticated services (which require user login) and unauthenticated services (typically general information pages), indicating that tracking technologies on many unauthenticated webpages are unlikely to access PHI. Thus, their use by regulated entities is supposed to fall outside HIPAA applicability.

    Despite these clarifications, practical challenges remain. In practice, healthcare providers must somehow discern between visits made for general information and visits driven by health-related inquiries. The bulletin illustrates the distinction with examples: a student researching a term paper (where the data collected would not be considered PHI) versus an individual seeking information on treatment options (where the data collected could be considered PHI because of its connection to the individual's health condition). Drawing that line for each visit is, in practice, clearly infeasible.

    To summarize this point, the updated bulletin still leaves healthcare providers in a difficult position, as they must navigate the fine line between compliance and leveraging necessary digital tools. This situation underscores the ongoing complexity of managing patient privacy in the digital age, particularly as it pertains to online tracking technologies.

    Focus on Digital Health Applications

    The bulletin further highlights a broad definition of what constitutes Protected Health Information (PHI) in the context of mobile health applications. This broad interpretation extends to internal device identifiers, such as IP addresses, device IDs, and any geolocation data, which, when associated with health-related data collected by apps offered by HIPAA-regulated entities, are considered PHI. In effect, any such application installed on a patient's private phone falls under HIPAA restrictions because of the health-related context of its use. The bulletin gives the example of a diabetes management mobile app used to track health information such as glucose levels, stipulating that “In this example, the transmission of information to a tracking technology vendor as a result of using such app would be a disclosure of PHI because the individual’s use of the app is related to an individual’s health condition (i.e., diabetes) and that, together with any individually identifying information (e.g., name, mobile number, IP address, device ID)” constitutes PHI. This shows how the mere context of using a diabetes management app may categorize all collected usage data as PHI.

    However, on the brighter side, the bulletin also notes that data from wellness and B2C lifestyle management applications not involving a covered entity may not be considered PHI, although other privacy regulations may apply.

    Summary and Practical Takeaways

    Despite the updated bulletin’s alleged intent to clarify and slightly narrow the scope of restrictions imposed by the original bulletin, significant challenges remain for healthcare providers and app developers. Ultimately, the bulletin emphasizes that the OCR is “prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies”, which highlights the need for careful legal navigation when using analytics and marketing tools in health-related contexts. This focus aligns with the recent regulatory attention to cases of unlawful data sharing, as seen in the InMarket Media case as well as the recent settlements with Avast and DoorDash.

    Developers and providers must ensure their use of online tracking technologies aligns with HIPAA by accurately identifying relevant cases; precisely understanding the collected and shared data; assessing the context’s impact on the classification of data as PHI; verifying that vendors and third-party services are HIPAA-compliant and provide appropriate BAAs; and implementing additional safeguards such as distinguishing between legitimate use and sharing of first-party data and prohibited sharing or selling of PHI.

    APM Technology and Regulation Team.

    This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding.