HHS Office for Civil Rights issues updated guidance on HIPAA requirements for the use of online tracking technologies

On Monday, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued updated guidance on the use of online tracking technologies by covered entities and business associates (referred to here as “regulated entities”) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The guidance is intended to set out what regulated entities must consider when deploying tracking technologies on their websites and mobile applications.

The updated guidance came after a group of hospitals and health care associations sued OCR over its previous guidance on the topic. The plaintiffs claim, among other things, that the guidance was issued improperly and that it misinterprets the requirements of the Privacy Rule. Unfortunately, the updated guidance still leaves some questions unanswered.

Both the previous and updated guidance documents differentiate between user-authenticated and unauthenticated web pages. A user-authenticated webpage requires an individual to enter unique identifiers (usually an email or username in combination with a password) to access content curated or intended for that individual (for example, the individual’s medical file or appointments). An unauthenticated page does not require users to enter unique identifiers and is generally intended for the public (for example, a facility’s homepage or contact page). Both guidance documents also discuss mobile applications, which are largely treated like user-authenticated webpages because users must generally create accounts before the applications can be used.

OCR’s updated guidance reflects its view that tracking technologies used by regulated entities on user-authenticated webpages and mobile applications generally do collect protected health information (PHI). Where the new guidance differs is on the information collected via tracking technologies on unauthenticated webpages. OCR now acknowledges that “[t]racking technologies on many unauthenticated webpages do not have access to individuals’ PHI,” and that, as a result, the use of these technologies on such pages is not governed by the HIPAA Privacy Rule. (Organizations should note that the use of these tools may still be governed by other state and federal privacy laws.) OCR nonetheless continues to assert that, in some cases, tracking technologies on unauthenticated webpages may have access to users’ PHI.

To help regulated entities discern when they are acquiring PHI on unauthenticated pages, OCR provides examples of what it believes does and does not qualify as the collection of PHI on those pages. OCR notes that a visit to a regulated entity’s webpages for job postings or visiting hours does not involve PHI. On the other hand, collecting and sharing information from users who are scheduling medical appointments or checking symptoms does involve the collection of PHI.

Some of OCR’s examples are less helpful than these. For example, OCR describes two users visiting the same webpage for different reasons: one a student conducting research, the other a prospective patient. OCR notes that the student’s visit would not involve the collection of PHI, and would therefore not be subject to the HIPAA Privacy Rule, while the prospective patient’s visit would. Unfortunately, the new guidance does not acknowledge that regulated entities have no way of distinguishing between these two types of visits to the same webpage.

OCR has not indicated whether it will issue further updates on this issue. For now, and pending the result of the litigation in this matter, regulated entities have this guidance to inform any current and future configurations of tracking technologies they use.

The Constangy Cybersecurity & Data Privacy Team assists regulated entities of all sizes with their information security and privacy needs, from proactive efforts to comply with applicable regulations or guidance to support with a breach. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
