On March 18, 2024, the US Department of Health & Human Services (HHS) updated its guidance on online tracking technologies and HIPAA compliance to provide more clarity to the healthcare community. The original guidance, released in December 2022, sent many healthcare marketers reeling as they scrambled to find information and solutions to adjust long-accepted norms in data collection for marketing.

The March updates may have come as a response to the American Hospital Association’s appeal to congress and subsequent lawsuit asking HHS to walk back the far-reaching impact of the guidance. But the most important takeaway from the updates is that while HHS wants to provide more clarity to help organizations navigate these standards, it’s clear that they have no intention of backing down and every intention to pursue action moving forward.

What are the updates to the HHS Guidance on online tracking technologies?

Below is a breakdown of the changes in the latest update. Please note that Full Media is a digital marketing agency and not qualified to give legal advice. For a legal opinion on the latest update, visit Holland & Knight’s article, reach out to your internal legal counsel or email Full Media for a referral to a healthcare-focused attorney.

IP address + certain pages create individually identifiable health information.

HHS clarified that collecting an IP address in and of itself may not be an issue, but when the IP address is collected alongside pageview data or any other data that may indicate an individual’s health conditions, that is an issue. They provide a few specific examples:

For example, where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve a disclosure of an individual’s PHI to tracking technology vendor. 

However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care. 

- Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

If you plan to utilize a strategy where you deploy certain code on some pages and not on others, it’s important to work with a vendor who understands the guidance well and who you can trust to execute a granular tracking strategy. Another way to handle this would be to have separate domains or subdomains for careers, fundraising, academic information and more. 

It’s also important to understand that single-specialty healthcare organizations should use an abundance of caution. For a health system or hospital, a visit to their homepage doesn’t indicate much about a person’s health concerns, but if your organization only provides a specific service, most of the pages on your website could point to an individual’s specific health care needs.

Consent management isn’t enough.

In the era of privacy laws like the GDPR and CCPA, it’s become common to have pop-up windows, check boxes or other ways for individuals to consent to the privacy policy and terms of service of a website. HHS clarifies that consent management does not allow healthcare providers to send patient information, like IP addresses, to non-HIPAA compliant tracking platforms. They state that to collect this information and send it to a non-HIPAA compliant environment, the healthcare organization would need an explicit HIPAA authorization from each website user prior to the PHI being exposed to the third-party vendor.

Any disclosure is a problem.

HHS states that:

Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.

- Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

Google Analytics 4 (GA4) has presented some unique questions because it does not collect or store IP addresses. GA4 accesses the user’s IP address as users are cookied in the browser window. From there, it infers certain geographic information from the IP address, then it only passes along the geographic information into its servers. 

HHS’s latest clarification indicates they view any disclosure as an issue and that the crux of the problem is that the healthcare organization has made that information usable to a third-party vendor that is not secured under a BAA. 

HHS provided specific recommendations.

One of the biggest issues with the original guidance was that it seemed to offer no clear pathway to compliance. Some organizations yanked all tracking pixels off their website immediately out of an abundance of caution. Many felt uncomfortable with the safety of any solution. The new guidance offers more solutions.

1.    They recommended selecting an analytics platform that would sign a BAA.

A regulated entity should evaluate its relationship with a tracking technology vendor to determine whether such vendor meets the definition of a business associate and ensure that the disclosures made to such vendor are permitted by the Privacy Rule.

- Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

2.    They greenlit the selection of a vendor that would sign a BAA to help de-identify the data collected on a website before sending it along to an analytics platform like Google Analytics or Meta Ads.

If the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with another vendor, for example a Customer Data Platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.

- Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

HHS ain't kidding.

HHS ended its guidance by pointing out that OCR is prioritizing compliance and investigations related to the usage of online tracking technologies. They note that their primary interest in ensuring that healthcare organizations have identified, assessed, and mitigated their risks when it comes to the unpermitted disclosure of ePHI. They also note that they will consider all available evidence. 

This is a great invitation for organizations to document their due diligence and research, as well as choose vendors who are knowledgeable and doing the research too. 

Next Steps

Customer Data Platforms (CDP) are great options, especially for organizations looking to connect data sets across disparate platforms, like CRMs, sales platforms, EMRs and analytics platforms. But they’re costly and labor intensive, which may put them out of reach for organizations with small budgets. 

Full Media stood up our server-side Google Tag Manager service to provide a lower-labor, cost-effective option for practices that just want to run Google Analytics while preventing Google from collecting data they shouldn’t. Google Analytics has been the platform of choice for healthcare organizations for decades, offering high-quality, free service that helps organizations stay competitive and use their marketing dollars wisely. Similar to a CDP, our service offers a way to certain information from the data stream before a third-party vendor like Google Analytics can access it. We also offer consulting and guidance on analytics and HIPAA compliance, no matter which direction your organization is looking to move! Reach out to us today to set up a time to talk.