Your Guide to The New Office for Civil Rights (OCR) Guidelines Regarding the Use of Online Tracking Technologies

The bulletin released by the Office for Civil Rights at the US Department of Health and Human Services (HHS) in October 2022 offered specific guidelines regarding the use of online tracking technologies by HIPAA. This led to a major overhaul in how HIPAA-regulated entities performed online visitor tracking and analytics.

Following the bulletin, the American Hospital Association (AHA) initiated a lawsuit challenging the broad interpretation of electronic Protected Health Information (PHI) laid out in the Office for Civil Rights (OCR) Bulletin.

On March 18, 2024, the OCR updated the guidance to provide additional clarity. Given Tealium’s experience in the healthcare industry and with regulatory compliance, we have been receiving several questions from our healthcare customers and partners about these updates. We have created this FAQ to help you understand the revised OCR guidance and aid you in your HIPAA compliance journey.

What is the reason behind OCR issuing the revised guidance?

While the exact reason remains unclear, it is widely believed that the new guidance was issued in response to the AHA lawsuit.

What is new in the revised guidance?

In the revised guidance, the OCR acknowledges that the mere fact that an IP address can be tied to a website visit does not make it Protected Health Information (PHI) as the visit may not be related to an individual’s past, present, future health, healthcare, or payment for healthcare. Therefore, transmitting this information to a vendor does not constitute PHI disclosure.

However, the revised guidance confirms OCR’s position that even anonymous visitors to a regulated entity’s website can be potential patients in certain scenarios and that the transmission of PII and website visit data in these scenarios qualifies as PHI disclosure.

The revised guidance also explains how regulated entities may share health information with tracking technology vendors that won’t sign a Business Associate Agreement (BAA) with the regulated entity.

Did the OCR offer any examples of visits that may not be related to an individual’s past, present, or future health, healthcare, or payment for healthcare?

Yes. The revised guidance offers a few examples within the context of unauthenticated web pages.

1. A visit to a webpage that provides information about the regulated entity’s job postings or visiting hours would not involve a disclosure of PHI. 
2. Transmitting the IP address of a student visiting a web page on oncology services offered by the regulated entity to write a term paper would not involve disclosure of PHI.

Does that mean visits to unauthenticated web pages don’t fall under HIPAA?

No. There are scenarios where the collection and transmission of visit data to unauthenticated web pages constitutes PHI disclosure. For example, if a user visits a regulated entity’s unauthenticated webpage to make an appointment with a healthcare provider, or enters symptoms in an online tool for analysis, etc. the collection and transmission of information on this visit and Personally Identifiable Information (PII) constitutes PHI disclosure.

But a user visiting a webpage on oncology services may, in fact, be seeking treatment. Similarly, a user visiting an unauthenticated page to make an appointment or enter symptoms in an online tool may be a researcher or a family member of a patient. Is there any further clarity around this?

Unfortunately, no. The revised guidance seems to suggest whether the transmission of PII and website visit data qualifies as disclosure depending on the intent of the website visitor.

However, if a webpage is unauthenticated, there is no easy way for the HIPAA-regulated entity to discern a visitor’s intent.

This means regulated entities would be wise to treat every anonymous visitor as a potential patient and take measures to protect their privacy.

How may a regulated entity share health information with a vendor that won’t enter into a BAA?

In the absence of a BAA, a regulated entity can only disclose PHI to a vendor with the individual’s authorization.

However, such authorization cannot always be obtained. The revised guidance does seem to acknowledge this.

The revised guidance states that if a tracking technology vendor won’t sign a BAA, the regulated entity can choose to establish a BAA with another vendor, such as a Customer Data Platform, to de-identify online tracking information that includes PHI and then subsequently disclose de-identified information to technology vendors that are unwilling to sign a BAA.

Key Takeaways

• With this revised guidance, the OCR acknowledges that not all website visits are related to an individual’s past, present, and future health, healthcare, or payment for healthcare. Therefore, transmitting this information to a vendor does not constitute PHI disclosure.
• Additionally, the revised guidance also confirms that anonymous visitors can be potential patients in certain scenarios.
• The guidance doesn’t seem to provide any clear ways to discern an anonymous visitor who is a potential patient as opposed to an anonymous visitor who is, say, a researcher. In the absence of clear guidelines, regulated entities should treat any anonymous visitor as a potential patient and handle the online tracking information accordingly.
• The guidance makes it clear that if a tracking technology vendor won’t enter into a BAA, the regulated entity may enter into a BAA with a vendor such as a Customer Data Platform to de-identify online tracking information containing PHI before sharing it with vendors that are unwilling to sign a BAA.

Tealium connects customer data across web, mobile, offline, and IoT so businesses can better connect with their customers. Our solutions include a Customer Data Platform (CDP) with machine learning, tag management, an API hub, and data management solutions. We created the industry’s first-ever CDP that enables HIPAA compliance, which allows you to securely collect, manage, and transmit patient data. Tealium’s marketplace offers 1300+ integrations with advanced data mapping capabilities helping you achieve control over which vendor receives what data.

For additional resources, please explore our webinars, Securing HIPAA Compliance: PII in A Digital Era and Solved! Marketing Analytics and Campaign Privacy Compliance.

Disclaimer: The information provided here is not intended to be, and does not constitute legal advice. This is merely our point of view on the recent guidance from the OCR and what it may mean to your organization. Please contact your legal team before you act on the information provided here.