Alert
March 27, 2024

In Updated Guidance on Use of Tracking Technologies by HIPAA Regulated Entities, HHS-OCR Takes Expansive View of When Information Related to Unauthenticated Individuals Is PHI

On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) revised its controversial December 2022 bulletin (the December 2022 Bulletin) regarding the use of tracking technologies by covered entities and business associates on their websites. The December 2022 Bulletin stated that information concerning the activity of authenticated users of covered entity and business associate websites would generally be protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), including its implementing regulations, while information concerning the activity of unauthenticated users visiting such sites would generally not be PHI.

While the revised bulletin (the Revised Bulletin) states that it is intended to clarify the guidance issued in the December 2022 Bulletin, it appears to expand the circumstances in which HHS-OCR would consider individually identifiable information concerning an unauthenticated visitor to the website of a covered entity or business associate to be PHI. Specifically, according to the Revised Bulletin, when an unauthenticated individual visits the website of a covered entity or business associate for purposes related to the individual’s healthcare, identifiable information related to the individual’s activity on the webpage is PHI. While HHS-OCR acknowledges that information concerning the activity of unauthenticated visitors on certain webpages — such as those concerning employment opportunities or visiting hours — will not be PHI, the covered entity or business associate may not always be in a position to determine whether an individual visited its website for healthcare-related purposes or for other purposes, such as research or an employment search. This focus on the subjective intent of the website visitor seems to require that covered entities and business associates treat the individually identifiable information of unauthenticated visitors to many webpages as PHI.

The Revised Bulletin may be subject to legal challenge, but given HHS-OCR’s new guidance, covered entities and business associates should consider reassessing the information they share with providers of tracking technology services. They should consider limiting the use of such technologies, limiting the information that the covered entity or business associate shares with such third parties, or entering into business associate agreements with those third parties.

Background

HHS-OCR defines tracking technologies as “scripts or codes on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app.”[1] These technologies include cookies, web beacons, pixels, and session replay scripts. Tracking technologies may collect and share user information — including geolocation, IP addresses, and other identifiers — with the third-party vendors that offer those services. In the December 2022 Bulletin, HHS-OCR asserted that, subject to limited exceptions, only information collected from users on user-authenticated portions of a covered entity’s or business associate’s website would qualify as PHI. HHS-OCR defines “user-authenticated webpages” as “webpages that users can access only after they log-in to the webpage, such as by entering a unique user ID and password or other credentials.” Conversely, “unauthenticated webpages” are defined as “webpages that are publicly accessible without first requiring a user to log in to such webpage.” The December 2022 Bulletin identified the following exceptions in which information collected from unauthenticated webpages is considered PHI:

  • The log-in page on a covered entity’s patient portal or other user registration pages where users input their log-in credentials (username, password, name, etc.)
  • Unauthenticated web pages that address specific health conditions or permit users to search for doctors and schedule appointments where tracking technologies collect the IP address or email address of such users

The Revised Bulletin

The Revised Bulletin retains the guidance from the December 2022 Bulletin that information concerning the activity of authenticated users on covered entity and business associate websites generally will be PHI. However, the Revised Bulletin significantly alters the prior guidance concerning the circumstances under which information concerning the activity of unauthenticated users on covered entity and business associate websites will be PHI. HHS-OCR acknowledges that “where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve a disclosure of an individual’s PHI to [a] tracking technology vendor” because information concerning the visitor’s activity on the page does not relate to the individual’s healthcare and thus is not PHI.

However, HHS-OCR asserts that information concerning the activity of unauthenticated users on certain webpages may be PHI depending on the purpose for which the individual visited the webpage. Specifically, HHS-OCR notes that “if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI.” But HHS-OCR asserts that “if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future healthcare.”

Analysis

In light of the Revised Bulletin, covered entities and business associates should consider reviewing their use of tracking technologies to collect information concerning unauthenticated visitors to their websites to assess whether their webpages collect PHI. While the Revised Bulletin states that information concerning unauthenticated visitors to certain webpages, such as webpages concerning employment opportunities or visiting hours, will not be PHI, HHS-OCR asserts that information concerning unauthenticated visitors to certain other webpages will be PHI when the visitor is visiting the webpage for reasons related to their healthcare. So, for example, webpages that allow patients to schedule appointments could be collecting PHI. Similarly, according to the Revised Bulletin, webpages related to specific conditions may collect PHI as well if the visitor is visiting the webpage for reasons related to their healthcare.

Because covered entities and business associates generally do not know why a visitor visited a webpage, they may be required to treat all information concerning visitors to condition-specific webpages as PHI to comply with the guidance in the Revised Bulletin. That would require the covered entity or business associate to discontinue use of tracking technologies on such pages, deploy technology to avoid disclosing PHI to providers of tracking technology services, or use providers of tracking technologies that comply with HIPAA and will enter into business associate agreements. Given that, generally, the most widely used providers of tracking technology services do not comply with HIPAA and will not enter into business associate agreements, the latter approach may not be practicable.

Covered entities and business associates also could consider an opt-out mechanism on their websites to serve as a declaration of user intent. This mechanism would permit users to represent that they are not visiting the covered entity’s or business associate’s website for healthcare-related purposes and thus permit the covered entity to deploy tracking technologies on webpages that might collect PHI when the user indicates the purpose of the use of the site is not healthcare related. This strategy, however, may still entail some risk — given the focus in the Revised Bulletin on the subjective intent of users rather than any user declaration of intent.

Industry groups, such as the American Hospital Association (AHA), have challenged the December 2022 Bulletin. The AHA alleged that the guidance in the December 2022 Bulletin “exceed[s] the government’s statutory and constitutional authority, fail[s] to satisfy the requirements for agency rulemaking and harm[s] the very people it purports to protect.”[2] The Revised Bulletin may be subject to similar challenges.

Among other things, the guidance appears to establish a substantive new rule that was not promulgated pursuant to notice-and-comment rulemaking, as required by the Administrative Procedure Act. Specifically, the Revised Bulletin appears to establish a new standard for determining when information is PHI that focuses on the subjective intent of the individual rather than on any objective manifestation of that intent. This subjective standard is not reflected in HHS-OCR’s current regulations defining PHI.

In addition, the standard purportedly established in the Revised Bulletin appears to be internally inconsistent. For example, it is unclear why information concerning an unauthenticated visitor to a webpage providing a hospital’s visiting hours would not be PHI, as HHS-OCR suggests, if the visitor is visiting the webpage in connection with considering options for a surgery, while information concerning an unauthenticated visitor to a hospital webpage providing information about the hospital’s cancer care options would be PHI if the visitor is considering options for cancer care. In both cases, the information relates to an individual’s healthcare based on subjective intent. However, in neither case would the hospital know that the information relates to the individual’s healthcare since the hospital would not know why the individual visited the site. HHS-OCR has provided no explanation of why the determination of whether information is PHI turns on subjective intent in the latter case but not (ostensibly) in the former case. Further, HHS-OCR has provided no explanation as to how its approach comports with its existing regulations or why a subjective approach should be adopted over an objective approach.

Conclusion

Goodwin’s Data, Privacy & Cybersecurity attorneys will continue to monitor the effects of the Revised Bulletin as well as further developments concerning HHS-OCR’s guidance on the use of tracking technologies.


[1] U.S. Department of Health and Human Services, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Mar. 18, 2024).

[2] “Lawsuit Challenges Federal Rule That Ties Providers Hands in Efforts to Reach Their Communities,” American Hospital Association (accessed Mar. 27, 2024).

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.