In December 2022, the Office of Civil Rights (OCR) issued a bulletin (2022 Bulletin) warning Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates about the use of online tracking technologies that are often part of an entity’s website or mobile application. 

In the 2022 Bulletin, the OCR stated that when individually identifiable health information (IIHI), such as the individual’s medical record number, home or email address, dates of appointments, IP address or geographic location, is collected through a regulated entity’s website or app, that IIHI will generally be PHI, even if the individual does not have a relationship with the regulated entity and the IIHI does not include any treatment or billing information. 

Lawsuits

Following issuance of the 2022 Bulletin, a number of lawsuits were filed by hospitals and the American Hospital Association challenging the 2022 Bulletin as rulemaking by the OCR that did not follow the required notice and comment rules. 

While the hospitals and the American Hospital Association do not dispute that IIHI collected from an authenticated webpage (such as a patient portal or something similar) generally will be PHI, the main focus of the objection is the application of HIPAA to IIHI that is obtained through a covered entity’s unauthenticated webpages that are open to the public.

Corrected Bulletin 

During the litigation, the OCR issued a corrected bulletin (2024 Bulletin) on March 18, 2024, attempting to address the concerns raised in the litigation. The 2024 Bulletin clarified that the information collected by unauthenticated webpages will not constitute PHI if “the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.” 

The Bulletin provided examples clarifying that the individual’s intent for visiting an unauthenticated webpage would dictate whether the information captured would be considered PHI. For example, the Bulletin states that a student doing research on a particular disease would not create PHI, but an individual seeking a second opinion and treatment options for his or her brain tumor would create PHI. 

Additionally, the Bulletin maintains that tracking technologies on unauthenticated webpages that permit individuals to schedule appointments, to use a symptom-checker tool, to log into or to register for the regulated entity’s patient portal, may have access to PHI.

Criticism of the update to the Bulletin points out that it is impossible for a regulated entity to know the intent of the individual accessing the unauthenticated webpage. The clarification in the Bulletin therefore does not resolve the concerns expressed by regulated entities, and the lawsuits challenging the 2022 Bulletin are still ongoing. 

Despite pushback, the 2024 Bulletin added a new section that states that investigating the use of online tracking technologies and HIPAA compliance is an OCR priority. OCR explained that it is interested in ensuring that regulated entities have assessed and mitigated risk, and implemented the HIPAA Security Rule requirements to ensure that ePHI is protected. 

District Court Decision 

In June 2024, a U.S. District Court judge overturned part of the 2024 Bulletin after determining that the OCR unlawfully expanded the definition of IIHI. The judge found that HIPAA’s definition of IIHI is “unambiguous” and that the 2024 Bulletin impermissibly broadened that definition to include reliance on an individual’s subjective motive for visiting an unauthenticated webpage. As a result, the judge overturned the portion of the 2024 Bulletin that related to the use of tracking technologies on unauthenticated webpages. 

This ruling may have limited impact because: (1) the judge did not issue a permanent injunction against the Bulletin, which leaves it in effect in other jurisdictions and allows OCR to appeal the judgment, and (2) the class-action lawsuits currently pending against hospitals as a result of the 2024 Bulletin may continue in reliance on the portions of the Bulletin that relate to authenticated webpage data.

Darci M. Smith
410-576-4153 • dsmith@gfrlaw.com