On March 18, 2024, HHS-OCR revised its bulletin on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Revised Bulletin). The original version of the bulletin, which was issued on December 1, 2022 (Original Bulletin), has been a source of consternation for the health care industry due to concerns that the Original Bulletin was overly broad and would improperly limit use of tracking technologies that facilitate patient outreach and education. Although the Revised Bulletin provides some clarifications, it does not address many of the previously articulated concerns with the Original Bulletin.
In its Revised Bulletin, HHS-OCR acknowledges the potential benefit of tracking technologies in certain instances, but reiterates its position that covered entities and business associates (regulated entities) must comply with the HIPAA privacy, security and breach notification rules (HIPAA Rules) when using third-party online tracking technologies[1] to collect and analyze ePHI about how users are interacting with the regulated entity’s website or mobile app. The agency emphasizes that regulated entities are prohibited from using tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or others in violation of the HIPAA Rules, including disclosures for marketing purposes, without an individual’s HIPAA compliant authorization. The agency also reminds covered entities that they may only disclose health information to digital tracking vendors who first sign a business associate agreement (BAA).
While these broad general statements are consistent with the HIPAA framework, the devil is very much in the details, particularly with respect to what information constitutes PHI in this context. While HHS-OCR has provided clarifying examples in the Revised Bulletin as to what it contends would and would not constitute PHI, the case-by-case methodology required under the government’s framework presents significant operational challenges for regulated entities wishing to use such tracking technology.
The modifications in the Revised Bulletin are understood to be in response to objections to the Original Bulletin raised by the American Hospital Association (AHA) and certain Texas hospitals in pending litigation seeking to bar enforcement of the Original Bulletin.[2] The plaintiffs in that case have asserted that the Original Bulletin is flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy. The plaintiffs voiced substantial concern with the agency’s position in the Original Bulletin, particularly with regard to restrictions on capturing IP addresses on portions of a health care provider’s public facing website that do not require login, and asserted that, as a legal matter, the Original Bulletin was in excess of the government’s statutory authority, should have been subject to notice and comment rulemaking and, in all events, was arbitrary and capricious.
In the Revised Bulletin, HHS-OCR has clarified its position in the following respects.
1. Collecting IP addresses alone does not qualify as collecting individually identifiable health information (IIHI) subject to HIPAA.
HHS-OCR concedes that “[t]he mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present or future health, health care, or payment for health care.” The agency continues to take the position, however, that IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI (which could in some instances consist of no more than an IP address and geographic location) does not include specific treatment or billing information (such as dates and types of health care services).
2. Activity tracking on an unauthenticated website might still collect ePHI.
In the Revised Bulletin, HHS-OCR acknowledges that the HIPAA Rules will not necessarily apply to all unauthenticated webpages (as the Original Bulletin suggested). An unauthenticated webpage is a webpage that does not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity’s location, visiting hours, and employment opportunities.
- Taking a more nuanced approach, HHS-OCR clarifies that “visits to unauthenticated webpages do not result in a disclosure of PHI to [a] tracking technology vendor if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present or future health, health care or payment for health care” and provides examples of such situations (e.g., where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours).
- HHS-OCR also recognizes that whether the collection and transmission of information showing a visit to a webpage along with the user’s IP address, geographic location, or other identifying information triggers the HIPAA Rules will depend on whether the information shared with the tracking technology vendor involves PHI.
- HHS-OCR explains, by way of example, that tracking technologies on a regulated entity’s unauthenticated webpage that permits individuals to schedule appointments or use a symptom-checker tool without entering credentials may collect PHI in certain instances. For instance, the individual may be asked for the reason for seeking health care when making an appointment or enter symptoms in an online tool to obtain a health analysis. In such case, HHS-OCR asserts that the HIPAA Rules apply because the regulated entity is disclosing PHI to the tracking technology vendor.
- Similarly, HHS-OCR indicates that the collection and transmission of an individual’s IP address, geographic location, or other identifying information showing their visit to an oncology services webpage to seek a second opinion on treatment is a disclosure of PHI “to the extent that the information is both identifiable and related to the individual’s health or future health care.” The guidance falls short, however, in explaining how regulated entities would be able to identify the purpose of an individual’s visit at the time that the information is collected and shared or could operationalize this process.
3. A BAA must be in place.
Certain tracking technology vendors have historically refused to execute BAAs, taking the position that they are not, in fact, business associates. In the Revised Bulletin, HHS-OCR indicates that if a regulated entity’s chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA, and PHI is involved, the regulated entity can instead establish a BAA with an intermediary vendor, such as a “Customer Data Platform” vendor. That intermediary de-identifies the online tracking information that includes PHI and then discloses only the de-identified information to the tracking technology vendor that was unwilling to enter into a BAA. The agency emphasizes that if a regulated entity does not want to create a business associate relationship with a vendor that meets the definition of a business associate, it cannot disclose PHI to that vendor without the individual’s authorization.
4. Security Rule compliance remains crucial for online tracking technologies.
The Revised Bulletin contains a new provision explaining that, in terms of enforcement priorities, the agency is “prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.”[3] HHS-OCR notes that it will be assessing whether regulated entities have appropriately identified and mitigated potential risks to ePHI associated with the use of online tracking technologies and whether they have implemented the applicable Security Rule requirements.
Takeaways
- Regulated entities face potential risks associated with the sharing of data collected through use of online tracking technologies, both in terms of potential HIPAA enforcement and class action litigation that recently has arisen in this context.
- As such, it is advisable for regulated entities to evaluate the extent to which they are sharing data collected using online tracking technologies with tracking technology vendors and whether such data constitutes PHI. In some cases, it will be clear that PHI is being collected, and steps should be taken to make sure that such information is properly protected, including through the use of appropriate BAAs. In other instances, whether the data collected constitutes PHI will be less clear, creating additional uncertainty and business risks.
- Regulated entities should also, as appropriate, (i) execute BAAs when needed; (ii) incorporate the use of tracking technologies into their Security Rule risk assessments; (iii) implement or update data governance policies and programs to account for the use of these tools; and (iv) ensure that their processes consider breach notification obligations in the event of an impermissible use or disclosure of ePHI to third-party tracking technology vendors.
- Even if the data collected by the tracking technologies does not constitute PHI, the organization may not be entirely out of the woods. That is because the arrangement may be viewed as a “sale” of personally identifiable information or otherwise trigger state privacy laws. The bottom line is that companies need to tread carefully in this area.
Footnotes

[1] As described by HHS-OCR, a tracking technology is a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app. Websites commonly use tracking technologies, such as cookies, web beacons, pixels, session replay scripts, fingerprinting scripts, mobile device IDs, mobile advertising IDs, and other technologies to track and collect information from users. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app or third parties, to create insights about users’ online activities.

[2] There is intense interest in HHS-OCR’s policy regarding use of online tracking technologies. Following AHA’s submission of its opening brief in the case on January 17, 2024, numerous state hospital associations and scores of hospitals and health systems filed amicus briefs supporting the lawsuit.

[3] In July 2023, HHS-OCR and the Federal Trade Commission (FTC) sent warning letters to 130 hospitals that use third-party tracking technology, seeming to double down on the agency’s positions in the Original Bulletin. Since that time, numerous class action suits have been filed against providers alleging damages to patients from the use of such online tracking technologies.