The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AHA Urges OCR To Reconsider its Guidance on Tracking Technologies

The American Hospital Association (AHA) has urged the HHS’ Office for Civil Rights to rethink its guidance on online tracking technologies and to stop considering an IP address as a unique identifier under HIPAA with respect to pixels and other website tracking technologies.

OCR’s December 2022 guidance was issued in response to the widespread use of tracking technologies on healthcare provider websites. The tracking code, provided by third parties such as Facebook and Google, can be used for a variety of legitimate purposes that benefit healthcare providers and consumers. The tracking technologies record information about website visits, which includes the pages a user visits on the site, as well as options selected from drop-down menus and form data. That naturally can include information about medical conditions, and that information, together with a unique identifier – the user’s IP address – is often transferred to the provider of the tracking technology.

In the guidance, OCR explained that the IP address ties health information to an individual and is therefore protected health information subject to the HIPAA Privacy Rule, as the website visitor is either a past, present, or future patient. The AHA considers this to be a much too broad interpretation and warns it “will result in significant adverse consequences for hospitals, patients and the public at large,” and suggests “by treating a mere IP address as protected health information under HIPAA, the Online Tracking Guidance will reduce public access to credible health information.”

There are many credible uses of tracking technologies that would potentially be lost based on the current guidance. “Analytics technologies allow hospitals to optimize their online presence to reach more members of the community, including members of the community most in need of certain healthcare information,” explained the AHA. Tracking technologies are also used to help ensure non-English speakers have access to important health information and to provide individuals with information about where healthcare services are located, while social media tools are used to drive traffic to websites containing trustworthy medical information. The AHA points out that tracking technologies need to be used with the help of third-party vendors, and those vendors will typically not sign business associate agreements and be subject to HIPAA.


“The Online Tracking Guidance puts hospitals and health systems at risk of serious consequences — including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals — for a problem that ultimately is not of their own making,” explained the AHA. The AHA has urged OCR to consider whether the guidance on online tracking technologies is necessary given the increased privacy protections outlined in the proposed modifications to the HIPAA Privacy Rule, to amend the guidance to better reflect the realities of the online activities by hospitals and health systems, or to seek public feedback before reissuing the guidance.

While the AHA has received negative feedback from its members on the tracking technology guidance, feedback on the proposed changes to the HIPAA Privacy Rule with respect to reproductive health information has been largely positive. “The prospect of releasing highly sensitive


can result in medical mistrust and the deterioration of the confidential, safe environment that is necessary to quality health care, a functional health care system, and the public’s health generally,” wrote Melinda Reid Hatton, AHA General Counsel and Secretary in the comments for OCR. “If individuals believe that their PHI may be disclosed without their knowledge or consent to initiate criminal, civil, or administrative investigations or proceedings against them or others based primarily upon their receipt of lawful reproductive health care, they are likely to be less open, honest, or forthcoming about their symptoms and medical history.”

The AHA and its members believe that the provision of medical care that is lawful in the location where it is provided should not carry adverse legal consequences and that the proposed Privacy Rule changes will enhance provider-patient relationships. With respect to the requirement for entities requesting health information to attest that they are not seeking to use the information to investigate or penalize the lawful provision of health care, the AHA welcomes the amendments, which it considers common sense. However, the AHA suggests other measures to decrease the burden on healthcare providers such as emphasizing in the final rule that hospitals and health systems will not be burdened by having to question the validity of an attester’s statements, provided the statements are reasonably objective. The AHA also suggests OCR should produce a model attestation form, stipulate that attestation forms include the subpoena or administrative order relevant to the legal process, and make it a requirement for requests to be made only for individuals, and never in bulk.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
