AHA Urges OCR To Reconsider its Guidance on Tracking Technologies
The American Hospital Association (AHA) has urged the HHS’ Office for Civil Rights to rethink its guidance on online tracking technologies and to stop considering an IP address as a unique identifier under HIPAA with respect to pixels and other website tracking technologies.
OCR’s December 2022 guidance was issued in response to the widespread use of tracking technologies on healthcare provider websites. The tracking code, provided by third parties such as Facebook and Google, can be used for a variety of legitimate purposes that benefit healthcare providers and consumers. The tracking technologies record information about website visits, which includes the pages a user visits on the site, as well as options selected from drop-down menus and form data. That naturally can include information about medical conditions, and that information, together with a unique identifier – the user’s IP address – is often transferred to the provider of the tracking technology.
In the guidance, OCR explained that the IP address ties health information to an individual and is therefore protected health information subject to the HIPAA Privacy Rule as the website visitor is either a past, present, or future patient. The AHA considers this to be a much too broad interpretation and warns it “will result in significant adverse consequences for hospitals, patients and the public at large,” and suggests “by treating a mere IP address as protected health information under HIPAA, the Online Tracking Guidance will reduce public access to credible health information.”
There are many credible uses of tracking technologies that would potentially be lost based on the current guidance. “Analytics technologies allow hospitals to optimize their online presence to reach more members of the community, including members of the community most in need of certain healthcare information,” explained the AHA, while tracking technologies are used to help ensure non-English speakers have access to important health information, provide individuals with information about where healthcare services are located, and social media tools are used to drive traffic to websites containing trustworthy medical information. The AHA points out that tracking technologies need to be used with the help of third-party vendors, and those vendors will typically not sign business associate agreements and be subject to HIPAA.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“The Online Tracking Guidance puts hospitals and health systems at risk of serious consequences — including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals — for a problem that ultimately is not of their own making,” explained the AHA. The AHA has urged OCR to consider whether the guidance on online tracking technologies is necessary given the increased privacy protections outlined in the proposed modifications to the HIPAA Privacy Rule, to amend the guidance to better reflect the realities of the online activities by hospitals and health systems, or to seek public feedback before reissuing the guidance.
While the AHA has received negative feedback from its members on the tracking technology guidance, feedback on the proposed changes to the HIPAA Privacy Rule with respect to reproductive health information has been largely positive. “The prospect of releasing highly sensitive
The AHA and its members believe that the provision of medical care that is lawful in the location where it is provided should not carry adverse legal consequences and that the proposed Privacy Rule changes will enhance provider-patient relationships. With respect to the requirement for entities requesting health information to attest that they are not seeking to use the information to investigate or penalize the lawful provision of health care, the AHA welcomes the amendments, which it considers common sense. However, the AHA suggests other measures to decrease the burden on healthcare providers such as emphasizing in the final rule that hospitals and health systems will not be burdened by having to question the validity of an attester’s statements, provided the statements are reasonably objective. The AHA also suggests OCR should produce a model attestation form, stipulate that attestation forms include the subpoena or administrative order relevant to the legal process, and make it a requirement for requests to be made only for individuals, and never in bulk.