

March 25, 2024

Health Headlines – March 25, 2024


OCR Issues Revised Guidance on Use of Online Tracking Technologies as AHA Lawsuit Looms—On March 18, 2024, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) updated the guidance first issued in December 2022 regarding the use of online tracking technologies in the public-facing websites of HIPAA-regulated entities, including hospitals and health systems (the Revised Bulletin).  As originally published, the OCR guidance bulletin (the Original Bulletin), entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” defined individually identifiable health information (IIHI) to include information shared with third-party web technology vendors not only in the case of access to patient-specific health information from user-authenticated webpages, like a patient portal, but also to include information regarding use of unauthenticated webpages that might only link a search regarding a provider’s service capabilities with an individual’s e-mail or IP address. As discussed in more detail below, the American Hospital Association (AHA) filed a lawsuit in November 2023 challenging the Original Bulletin, particularly with respect to its conclusions about use of unauthenticated webpages.

In July 2023, the Director of OCR issued warning letters to approximately 130 hospital systems and telehealth providers, encouraging them to take action on the Original Bulletin and warning that the OCR is “closely watching developments in this area,” and later confirmed via press release that the OCR “will use all of its resources to address” purportedly impermissible disclosures of health information under its guidance.

Now, the OCR has clarified that, without more, the connection between an individual unauthenticated website user’s IP address or other identifying information and the information that the user visited the covered entity’s website is not sufficient to constitute IIHI. Although the Revised Bulletin does not mention the AHA lawsuit, this modification may have been inspired by it. Similarly, the Revised Bulletin also provides examples demonstrating when the use of tracking technologies does not result in the creation of IIHI, including:

  • When a user merely visits a hospital’s webpage that provides information about job postings or visiting hours, and web tracking technologies collect information about that user’s visit to the site including the IP address, geographic location, or other identifying information.

However, according to the Revised Bulletin, if the tracking technology collects an individual’s email address along with information about the individual’s reason for seeking healthcare, or if the individual makes an appointment with a provider or enters symptoms into an online diagnosis tool, that would constitute a disclosure of protected health information (PHI) to the third-party tracking technology vendor, and the HIPAA rules would apply. In such instances, the Revised Bulletin further specifies that the covered entity can either enter into a business associate agreement (BAA) with the third-party technology provider or enter into a BAA with a Customer Data Platform vendor that will de-identify the data before it is shared with the technology provider.

This Revised Bulletin comes in the context of a lawsuit filed by the AHA in November 2023 challenging the Original Bulletin. See American Hospital Association, et al. v. Rainer et al., Case 4:23-cv-01110-P. According to the AHA’s complaint, the OCR’s guidance would interfere with numerous third-party technologies used by hospitals and health systems to enhance their websites, including:

  • Analytics tools, which convert users’ interactions with hospital webpages into data such as the level of concentrations of community concern with particular health issues;
  • Video technologies, which allow hospitals to offer a wide range of health education videos to the public or visually tour facilities;
  • Translation technologies to help non-English speakers access healthcare information; and
  • Map and location technologies, which help provide better and more useful information about where healthcare services are available.

The AHA’s complaint goes on to allege that a number of the federal government’s own HIPAA-covered entity websites, including Medicare and the Veterans’ Administration, would be in violation of OCR’s Original Bulletin based on the third-party technology tools utilized by their websites.  The Complaint also alleges that a federal district court in the Northern District of Illinois has already concluded that “[t]he interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what [HIPAA] can bear.” 

The Complaint alleges that the rule exceeds HHS’ authority because the definition of IIHI adopted by HHS goes beyond the statutory and regulatory definitions set forth in 42 U.S.C. § 1320d and 45 C.F.R. § 160.103 because it reaches information not covered under either definition; that the Original Bulletin constitutes an arbitrary and capricious rulemaking because HHS provided no reasoning for its assertion that there is a connection between the person who visits a website and the specific health-related information on that webpage, and because OCR did not acknowledge or weigh the consequences to health facilities of its guidance; and that the guidance is invalid because it is a legislative rule for which HHS was required to undertake notice and comment rulemaking in compliance with the APA.

On January 12, 2024, seventeen state hospital associations and thirty separate hospitals and health systems filed friend-of-the-court briefs supporting the AHA’s motion for summary judgment filed in the lawsuit.

The Original Bulletin can be found here, and the Revised Bulletin is here. The Complaint filed by the AHA can be found here. The Plaintiffs’ brief in support of their motion for summary judgment can be read here. The friend-of-the-court brief submitted by hospitals and health systems in support of Plaintiffs’ motion for summary judgment is here. The brief submitted by state hospital associations is here.

Reporter, David Tassa, Los Angeles, +1 213 443 4335