Tracking technologies and health care law


In December 2022, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a bulletin warning covered entities and business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA) about the use of online tracking technologies (such as cookies, pixels and similar scripts) that are often embedded in a regulated entity’s website or mobile application and send data about visitors to third-party vendors.

In the 2022 bulletin, the OCR stated that when individually identifiable health information (IIHI), such as an individual’s medical record number, home or email address, appointment dates, IP address or geographic location, is collected through a regulated entity’s website or app, that IIHI will generally be protected health information (PHI) subject to HIPAA, even if the individual has no existing relationship with the regulated entity and the IIHI does not include any treatment or billing information.

Lawsuits

Following issuance of the 2022 bulletin, a number of lawsuits were filed by hospitals and the American Hospital Association (AHA) challenging the bulletin as substantive rulemaking by the OCR that did not follow the notice-and-comment procedures required by the Administrative Procedure Act.

While the hospitals and the AHA do not dispute that IIHI collected from an authenticated webpage (such as a patient portal, where the user has logged in and is therefore known to be a patient) generally will be PHI, the main focus of their objection is the application of HIPAA to IIHI obtained through a covered entity’s unauthenticated webpages, which are open to the public and require no login.

Corrected bulletin

During the litigation, on March 18, 2024, the OCR issued an updated bulletin attempting to address the concerns raised in the litigation. The 2024 bulletin clarified that information collected on unauthenticated webpages will not constitute PHI if “the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.”

The updated bulletin provided examples indicating that an individual’s reason for visiting an unauthenticated webpage would dictate whether the information captured is PHI. For example, the bulletin states that a student researching a particular disease would not create PHI by visiting a page about that disease, but an individual visiting the same page to seek a second opinion and treatment options for his or her brain tumor would.

Additionally, the bulletin maintains that tracking technologies on unauthenticated webpages that permit individuals to schedule appointments, to use a symptom-checker tool, or to log into or register for the regulated entity’s patient portal may have access to PHI, because the data entered on those pages (symptoms, appointment details, login credentials) itself relates to the individual’s health or health care.

Criticism of the updated bulletin points out that a regulated entity cannot know the intent of an anonymous individual accessing an unauthenticated webpage, and a tracking script certainly cannot distinguish the student from the patient. The clarification in the 2024 bulletin therefore does not resolve the concerns expressed by regulated entities, and the lawsuits challenging the 2022 bulletin continued.

Despite the pushback, the 2024 bulletin added a new section stating that investigating the use of online tracking technologies and related HIPAA compliance is an OCR enforcement priority. The OCR explained that it is interested in ensuring that regulated entities have assessed and mitigated the risk posed by these technologies and have implemented the HIPAA Security Rule requirements to protect electronic protected health information (ePHI).

District Court decision

In June 2024, a U.S. District Court judge vacated part of the 2024 bulletin after determining that the OCR had unlawfully expanded the statutory definition of IIHI. The judge found that HIPAA’s definition of IIHI is “unambiguous” and that the 2024 bulletin impermissibly broadened it by making the outcome depend on an individual’s subjective motive for visiting an unauthenticated webpage.
As a result, the judge vacated the portion of the 2024 bulletin that addressed the use of tracking technologies on unauthenticated webpages. The government initially filed an appeal of this decision but subsequently withdrew that appeal.

This ruling may have limited practical impact because: (1) the judge declined to issue a permanent injunction against the bulletin, which the authors note leaves its remaining portions in effect and the vacated guidance of uncertain reach in other jurisdictions, and (2) the class-action lawsuits currently pending against hospitals over their use of tracking technologies have continued, relying on factors that distinguish those cases from the considerations of the U.S. District Court in the AHA lawsuit, as well as on state privacy laws and Federal Trade Commission data privacy enforcement.

Barry F. Rosen heads Gordon Feinblatt’s health care practice group, and can be reached at 410-576-4224 or [email protected]. Darci M. Smith is a member of Gordon Feinblatt’s health care practice group, and can be reached at 410-576-4153 or [email protected].
