Update to HHS' controversial web tracker guidance offers little practical relief, legal experts say

The Biden administration has updated its guidance on the use of third-party web trackers to exclude certain types of website visits from meeting its criteria for a protected health information (PHI) disclosure.

But legal experts say the updated guidance offers little practical relief for healthcare organizations as the exclusion is based on circumstances "nearly impossible to ascertain."

The Department of Health and Human Services Office for Civil Rights' (HHS OCR's) late 2022 policy decision to consider hospitals and other Health Insurance Portability and Accountability Act (HIPAA)-covered entities’ use of these tools—the Meta Pixel and Google Analytics, for example—as a violation of the privacy law has led to a spate of class-action lawsuits and settlements for provider organizations.

The position has also proven unpopular within the industry. In November 2023, the American Hospital Association (AHA) and others filed a federal lawsuit calling on the courts to bar enforcement of OCR’s policy. It later picked up widespread support from several state hospital associations and health systems.

In an update to its guidance bulletin published this week, OCR stood pat on its position that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” Its guidance on tracking disclosures in privacy policies, notices, terms of use or banners and requirements for when a covered entity must provide notification of a breach also did not change.  

However, within the space of unauthenticated webpages (those that do not require a user to log in), the updated guidance now says that not all trackers that link a device’s IP address with a visit to a webpage on specific health conditions involve a disclosure of PHI.

Specifically, the unauthenticated website visits don’t result in a PHI disclosure if the trackers do not have access to information relating to an individual’s past, present or future health, healthcare or payment for healthcare —"For example, where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours,” OCR wrote in the guidance.

The same applies to visits that aren’t related to an individual’s past, present or future health, healthcare or payment for healthcare, such as “if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency,” according to the guidance.

Put another way, the changes in the guidance are “basically that when a user is not logged in to the secure portion of the website, PHI is created based on a website visitor’s intent,” Foley & Lardner Partner Aaron T. Maguregui told Fierce Healthcare in an email. “If the user intended to visit the covered entity’s website to obtain healthcare services, then their data is PHI. If the user landed on the website by mistake or to see if the company was hiring, their data is not PHI.

“The issue is that intent, based on an IP address and click of the mouse, is nearly impossible to ascertain,” he explained.

Paul Bond, a data security and privacy partner at law firm Holland & Knight, said the circumstances outlined in the update “put the onus on covered entities to guess” whether an individual visit could trigger a HIPAA violation.

“Under OCR’s guidance, a user accessing oncology materials on a healthcare website is creating PHI if they happen to be a patient, and is not creating PHI if they happen to be a researcher,” he told Fierce Healthcare in an emailed statement. “And if a third-party tracking technology is present on that oncology section of the website, it both does and does not concern HIPAA, depending on circumstances unknown and unknowable to the covered entity. OCR has created Schrödinger’s Website User.”

In a blog post on the update, Maguregui and fellow Foley & Lardner Partner Jennifer J. Hennessy wrote it “did not materially change” HHS’ position on unauthenticated webpages and, as was the case following the December 2022 bulletin that outlined the policy, advised covered entities to review their websites and mobile apps for compliance.

“If tracking technologies are used on unauthenticated websites, assess where tracking technologies may be accessing information regarding an individual seeking health care services,” they wrote. “Note that if the entity has a health condition specific website or is utilizing tools such as calendaring apps, symptom trackers, or questionnaires soliciting medical information, there is a greater likelihood that the entity’s unauthenticated webpages are collecting PHI per HHS.”

The update does come “as a surprise” in light of the department’s ongoing defense against AHA and others, the lawyers wrote.

That lawsuit specifically argues that HHS expanded HIPAA’s definition of “individually identifiable health information” beyond its statutory authority and calls for the portion of OCR’s guidance addressing unauthenticated webpages to be invalidated.

The plaintiffs in the case wrote that HHS’ updated policy “upended the balance that HIPAA and its regulations strike between privacy and information-sharing” and undermines Congress’ stated goals for HIPAA. They also noted that, as of the time of filing, several of the federal government’s own healthcare websites were using tracking tools in a way that is restricted under the bulletin.

Still, “it is unlikely HHS’ updated guidance will impact the lawsuit filed by the American Hospital Association, as the guidance and analysis is substantively identical to the original bulletin released in December 2022,” Maguregui said in an email.

HHS’ policy on third-party trackers has wide-reaching impact on providers. A spring 2023 study published in Health Affairs found that nearly 99% of hospital homepages included at least one third-party data transfer, and about 94% included one or more third-party cookies. Rectifying these in light of HHS’ policy has accrued “significant costs” for hospitals, AHA and others wrote in their lawsuit.

In a section of the OCR bulletin that was added during this week’s update, the office wrote that compliance with the rule lowers the risk of collected electronic PHI (ePHI) harming individuals as a result of unauthorized access.

“Therefore, OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies,” it wrote in the updated bulletin. “OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity and availability of ePHI.”