Venus Caruso

Federal Court Declares Part of HHS Bulletin on the Use of Online Tracking Technologies Unlawful

With the rapid digitization of healthcare services, online tracking technologies have become ever-present, and healthcare websites are no exception. These tools, such as cookies, pixels, and web beacons, allow websites to collect data about visitor behavior and interactions. Because the tools are typically served from a vendor's domain, each request they make also transmits the visitor's IP address, the URL of the page being viewed, and any vendor cookies to that vendor. For healthcare providers, these technologies can offer insight into patient engagement and support targeted health education efforts. However, their use in healthcare settings raises unique privacy concerns, particularly regarding protected health information under HIPAA.

Background: HHS Bulletin on Online Tracking Technologies

In December 2022, the U.S. Department of Health and Human Services (HHS) issued a guidance bulletin (later revised in March 2024) addressing the use of online tracking technologies on the websites and mobile applications of HIPAA covered entities and business associates (the "Bulletin"). The Bulletin outlined scenarios involving the use of online tracking technologies, the types of data they may collect, and when HIPAA would be triggered because the collected data resulted in a disclosure of a visitor's individually identifiable health information to the tracking technology vendor.

Under HIPAA, individually identifiable health information is information that relates to an individual's health condition, healthcare, or payment for healthcare and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. If an online tracking technology collects such information and discloses it to the vendor, the covered entity or business associate must have a HIPAA business associate agreement with the tracking technology vendor or obtain HIPAA authorizations that cover this type of disclosure, in addition to complying with other HIPAA requirements.
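The following is an added example, not part of the original article and not HHS guidance: it shows what a tracking pixel actually transmits to its vendor for an unauthenticated page versus an authenticated portal page, and one way a tag-gating script can limit the disclosure. The vendor endpoint (tracker.example), its query parameters ("dl" for the document location, "cid" for the vendor cookie ID), the hospital.example URLs, and the authenticated path prefixes are all assumptions chosen for illustration; the captured requests are constructed sample data.

```javascript
// Added example (not from the article or from any vendor): audit outbound
// tracking-pixel requests captured from a hospital website and describe, per
// page type, what the vendor receives. Endpoint, parameter names, URLs and
// path prefixes are assumptions for illustration.

// Assumed: path prefixes that sit behind a login (patient portal, member area).
const AUTHENTICATED_PREFIXES = ["/portal/", "/mychart/"];

// Constructed sample: two captured requests as a proxy log might record them.
// "clientIp" is the visitor's source address, which the vendor sees on every hit.
const CAPTURED_REQUESTS = [
  {
    clientIp: "203.0.113.7",
    url: "https://tracker.example/collect?cid=abc123&dl=" +
      encodeURIComponent("https://hospital.example/services/oncology"),
  },
  {
    clientIp: "203.0.113.7",
    url: "https://tracker.example/collect?cid=abc123&dl=" +
      encodeURIComponent("https://hospital.example/portal/appointments?provider=dr-smith&date=2024-06-20"),
  },
];

function isAuthenticatedPath(pathname) {
  return AUTHENTICATED_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// Parse the page URL the pixel reports; null if the beacon carries none.
function reportedPage(beacon) {
  const dl = beacon.searchParams.get("dl");
  return dl ? new URL(dl) : null;
}

// Describe what the vendor receives and classify the disclosure.
function classifyBeacon(request) {
  const beacon = new URL(request.url);
  const page = reportedPage(beacon);
  if (!page) {
    return { vendor: beacon.hostname, ip: request.clientIp, verdict: "no page URL reported" };
  }
  const authenticated = isAuthenticatedPath(page.pathname);
  return {
    vendor: beacon.hostname,
    ip: request.clientIp,
    cookieId: beacon.searchParams.get("cid"),
    pagePath: page.pathname,
    pageQuery: Object.fromEntries(page.searchParams),
    authenticated,
    // IP address plus a visit to a public page is the combination the court
    // held falls outside individually identifiable health information. A
    // portal page tells the vendor this IP belongs to a patient, and its
    // query string may carry appointment details: treat as a PHI disclosure.
    verdict: authenticated
      ? "PHI disclosure: vendor needs a BAA or the disclosure needs authorization"
      : "Not PHI under the ruling: IP address plus public page visit only",
  };
}

// Gating step for a tag manager: drop the beacon entirely on authenticated
// pages; elsewhere strip the page query string so only the path is reported.
function gateBeacon(request) {
  const beacon = new URL(request.url);
  const page = reportedPage(beacon);
  if (page && isAuthenticatedPath(page.pathname)) return null;
  if (page) {
    page.search = "";
    beacon.searchParams.set("dl", page.toString());
  }
  return beacon.toString();
}

function auditAll(requests = CAPTURED_REQUESTS) {
  return requests.map(classifyBeacon);
}

// Stand-alone run: print the audit and the gated form of each request.
console.log(JSON.stringify(auditAll(), null, 2));
console.log(CAPTURED_REQUESTS.map(gateBeacon));
```

The audit deliberately reports the cookie ID alongside the IP address: the court's holding concerns the IP address and page visit alone, so a review of a real deployment should list every other identifier the same request carries.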

The Lawsuit Against HHS

In November 2023, two hospital associations, a nonprofit health system, and a regional healthcare system filed suit against HHS, the Secretary of HHS, and the Director of HHS's Office for Civil Rights. The crux of their argument was that HHS exceeded its authority in the Bulletin by creating rules on the use of online tracking technologies that were unsupported by law.

Authenticated vs. Unauthenticated Webpages

The part of the Bulletin at issue concerned the use of tracking technologies on unauthenticated webpages, and specifically whether the collection and resulting disclosure of a visitor's IP address, together with the fact that the visitor viewed such a page, fell within the meaning of individually identifiable health information and therefore constituted protected health information (PHI) under HIPAA.

Generally, an unauthenticated webpage is a publicly accessible webpage that does not require visitors to log in or provide any personal identifying information to view its content. These are typically informational pages that anyone can visit without creating an account or verifying their identity, such as a hospital's homepage or a page describing a service line.

Conversely, an authenticated webpage requires visitors to create an account using their personal information or to sign in with their account credentials. These are typically patient portal or member login webpages, where the site necessarily knows who the visitor is.

The Court's Ruling

The district court agreed that HHS lacked the authority to impose, through the Bulletin, a rule requiring HIPAA compliance for a visitor's IP address tied to a visit to an unauthenticated webpage. In reaching its conclusion, the court applied HIPAA's statutory definition of individually identifiable health information and found that a visitor's IP address tied to an unauthenticated webpage falls outside it.

Key Points of the Ruling

IP addresses and individually identifiable health information: The court found that merely linking a visitor's IP address to a visit to an unauthenticated webpage, without more, does not specifically identify the visitor, and that there is no reasonable basis to believe it can be used to do so.

Visitor intent and health information: The court explained that a visitor's reason for viewing a health-related unauthenticated webpage is subjective and cannot be known from the visit itself. An IP address paired with a page visit does not reveal whether the visit "relates to" the visitor's own health condition or healthcare.

Implications for unauthenticated webpages: The court vacated, and declared unlawful, the part of the Bulletin that imposed HIPAA compliance obligations where an online tracking technology connects a visitor's IP address with the visitor's visit to an unauthenticated webpage addressing specific health conditions or healthcare providers.

The remaining parts of the Bulletin, which address the use of online tracking technologies on authenticated portals, in electronic health records, and in other scenarios where PHI is involved, are unaffected by the ruling.

Impact on HIPAA-Regulated Entities

The court's ruling lifts a significant compliance burden for HIPAA-regulated entities that use online tracking technologies on their unauthenticated webpages. However, it is crucial to remember that the ruling is narrow: it concerns the IP address combined with a visit to an unauthenticated page, and nothing more. It does not change HIPAA requirements for authenticated areas or for any situation where actual PHI is collected, and it does not speak to the other identifiers the same tools commonly collect (persistent cookie or device identifiers, information typed into forms) or to publicly reachable pages through which a visitor submits information, such as appointment requests.

Note on the Use of Chatbots on Unauthenticated Webpages

In light of this ruling, it is important to consider the implications for chatbots, which are increasingly used on healthcare websites to provide information and guide visitors. On unauthenticated pages, chatbots generally fall under the same analysis as other tracking technologies. If a chatbot does not require the visitor to authenticate, collects limited data, and provides general information rather than personalized health advice, HIPAA is less likely to be triggered.

However, healthcare organizations should still exercise caution by ensuring chatbots on unauthenticated pages are programmed to provide only general information, avoiding the collection or storage of PHI through these chatbots, including clear disclaimers that the chatbot is for general information only and does not provide medical advice, and having a process in place to immediately escalate any interaction in which a visitor starts sharing PHI.
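As an added example of the last two controls above (it is not code from the article or from any chatbot vendor), the following intake gate screens each visitor message on a public page for identifiers that typically appear when someone starts describing their own care, redacts them before anything is logged, and flags the turn for escalation. The identifier patterns, the session log shape, and the escalation reply text are assumptions chosen for illustration; the pattern list is a heuristic, not a complete PHI classifier, and a production deployment would combine it with stronger detection.

```javascript
// Added example (not from the article): intake gate for a chatbot on an
// unauthenticated page. Messages are screened for identifiers, redacted
// before logging, and flagged for escalation. Patterns and reply text are
// illustrative assumptions, not a complete PHI classifier.

const IDENTIFIER_PATTERNS = [
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  // mm/dd/yyyy or mm-dd-yyyy; on a health site a date is usually a DOB or visit date.
  { name: "date", re: /\b(0?[1-9]|1[0-2])[\/-](0?[1-9]|[12]\d|3[01])[\/-](19|20)\d{2}\b/g },
  { name: "mrn", re: /\b(?:MRN|medical record (?:number|#))\s*:?\s*\d{5,}\b/gi },
  { name: "phone", re: /\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b/g },
  { name: "email", re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
];

// Assumed escalation wording for the unauthenticated channel.
const ESCALATION_REPLY =
  "I can only provide general information here. For questions about your own care, " +
  "please sign in to the patient portal or call the clinic directly.";

// Screen one message: returns the redacted text, which patterns matched, and
// whether the turn must be escalated (any identifier present).
function screenMessage(text) {
  const reasons = [];
  let redacted = text;
  for (const { name, re } of IDENTIFIER_PATTERNS) {
    // String.replace with a /g regex resets lastIndex, so the pattern objects
    // can be reused safely across calls.
    const after = redacted.replace(re, `[${name} redacted]`);
    if (after !== redacted) {
      reasons.push(name);
      redacted = after;
    }
  }
  return { redacted, reasons, escalate: reasons.length > 0 };
}

// Process one conversational turn. Only the redacted text ever reaches the
// session log; the raw message is not stored anywhere.
function handleTurn(sessionLog, text) {
  const result = screenMessage(text);
  sessionLog.push({ text: result.redacted, escalated: result.escalate });
  if (result.escalate) {
    return { action: "escalate", reply: ESCALATION_REPLY, reasons: result.reasons };
  }
  return { action: "answer", reply: null, reasons: [] };
}

// Stand-alone run on two constructed messages.
const demoLog = [];
console.log(handleTurn(demoLog, "What are visiting hours at the main campus?"));
console.log(handleTurn(demoLog, "Hi, my MRN: 0048213 and DOB 03/14/1985, is my biopsy back?"));
console.log(demoLog);
```

The "answer" branch is left to the bot's general-information logic; the point of the gate is that the escalation decision and the redaction happen before any storage or downstream processing, so a visitor who volunteers identifiers on a public page does not create a stored record of PHI in the chatbot's logs.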

As with all technologies, it's important to regularly review and update chatbot functionalities to ensure they align with current regulations and maintain patient privacy.

Closing Remarks

While the district court rejected HHS's attempt to expand the definition of individually identifiable health information to a visitor's IP address tied to an unauthenticated webpage, the underlying privacy concerns remain valid, especially for authenticated webpages and the handling of PHI collected from those pages.

Moving forward, HIPAA-regulated entities should continue to prioritize patient privacy in their online operations, with particular attention to the type of user data being collected from authenticated versus unauthenticated webpages to determine their corresponding data privacy obligations.

Sources: American Hospital Association, et al. v. Becerra, et al., No. 4:23-cv-01110-P (N.D. Tex. Nov. 2, 2023); American Hospital Association, et al. v. Becerra, et al., No. 4:23-cv-01110-P (N.D. Tex. June 20, 2024); American Hospital Association, et al. v. Becerra, et al., 0:24-usc-10775 (5th Cir. 2024).

The information provided here is for general informational purposes only and not intended as legal advice or opinion for any individual matter. Legal development or changes in law or regulations may occur in the future and the content here may not be the most up-to-date legal or other information at the time of reading. You should consult your own attorney for any legal advice you may require.

If you do not have an attorney and would like explore how Venus Caruso can assist you, you can contact Venus using the website’s contact form or by emailing her at venus@carusolawoffice.com.
