
Slightly Refined Tracking Tech Guidance

The ongoing saga of how to use tracking technology in healthcare without causing problems under HIPAA got a new chapter on March 18, 2024. The new chapter is the result of the Office for Civil Rights updating its guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”

The updates offer more examples around the supposedly clear-cut statements from OCR about tracking technology use. Arguably some wholesale changes may have been more beneficial, but the tweaks do offer some helpful clarifications. Since OCR did not clearly call out where it placed the changes, it is instructive to reference the guidance in its original state, which is thankfully possible with all of the internet archiving services.

For some additional thoughts about the original guidance and the frustration that it engendered, check out the following earlier posts: Tracking Tools and Privacy Gaps and Shading the Gray for Tracking.

The First Set of Changes

The first set of changes is found in the “Tracking on unauthenticated webpages” section of OCR’s guidance. New examples are offered up to aid interpretation of the guidance.

It appears that OCR intends for the examples to provide somewhat clearer dividing lines between information that constitutes PHI or not. The first example focuses on a webpage visitor seeming to look for information about a hospital, such as job postings or visiting hours. In those instances, OCR notes that information collected by tracking technology is unlikely to be PHI even if it is clearly identifiable. OCR states that information collected from these visits does not relate to an individual’s past, present, or future health, healthcare, or payment for healthcare, all of which are prerequisites for the information to become PHI.

The second example is a student looking at the scope of oncology services in connection with writing a term paper. OCR notes that even though tracking technology collects information on pages relating to potential healthcare services, the research does not relate to a situation that meets the definition of PHI.

The third example is an individual visiting a hospital’s oncology services webpage to seek a second opinion or treatment options. In that instance, OCR feels that information collected by tracking technology would constitute PHI because it relates to seeking treatment.

The final example is an expansion from a point made in the original guidance that relates to scheduling an appointment or using an online symptom checking tool, both on an unauthenticated webpage. Scheduling an appointment would clearly relate to healthcare services since the individual has booked time with a clinician. The online symptom checker is a little looser, but can be seen as seeking information about a current health condition.

The new examples concerning the unauthenticated pages appear helpful at first glance. The first example responds to some of the criticism that not every visit to a healthcare facility’s webpage relates to an individual’s health. Calling out areas of the webpage where it would be a stretch to say that the webpage visitor is revealing something about their health is helpful.

However, the other examples introduce intent into the analysis. Pulling out statements from the examples, there is a student writing a term paper contrasted with a different person looking at the same information for a second opinion. How can the operator of a website know why some unknown individual is looking at a particular webpage? Is there a form or other indicator where the visitor can check off why they are on the page? Will the interaction with the page somehow reveal the reason for visiting the webpage? The answer to those questions is very likely no, which is why the guidance will now likely raise new questions. Instead of offering clarity, the guidance could arguably support either of two competing arguments: that all visits are innocuous and not subject to HIPAA unless clearly indicated otherwise, or that all visits will be treated as creating PHI that requires compliance with HIPAA.

Enforcement Priorities

The final major addition is the identification of OCR’s enforcement priorities. OCR noted that its investigations and enforcement will focus on compliance with the HIPAA Security Rule. Specifically, OCR wants to make sure that entities are properly assessing and mitigating risks to PHI when tracking technologies are being used. OCR gives the caveat that each investigation is driven by the particular facts and that it will review technical information as part of its review. However, the clear between-the-lines implication is that some enforcement is coming and the industry should be ready for a headline.

The trouble with knowing where enforcement will focus is how the complaint could come in. Given the noted deficiencies with the new examples, will a user who alone knows the reason for their visit to a hospital’s webpage submit a complaint when tracking technology captures their information after they seek information about a condition? Will OCR take that individual’s word at face value when the reason for the visit is completely unknowable to the entity that uses the tracking technology? That scenario could easily create the setup for a public fight that does not benefit anyone.

Conclusion

Given the position laid out by OCR, expect renewed calls for clarification or modification of the guidance from the healthcare industry. The examples, while seemingly helpful, only create a strong likelihood of more complications. Those complications could result in public disputes or in some organizations trying to take advantage of perceived loopholes. Regardless of the perspective, probably the only certainty is that the discussion around tracking technology is still far from settled.

By Matt Fisher

Matt is General Counsel for Carium, a telehealth platform company. Matt is responsible for all legal functions in the company and helps to ensure that operations meet the requirements of applicable healthcare laws and regulations. Matt works to find creative solutions when needed and keeps an eye on the complications that can come up from working in the healthcare industry. Prior to joining Carium, Matt practiced for over a dozen years at a mid-size law firm where Matt advised clients across the healthcare spectrum on healthcare laws and regulations as well as general business matters.
