AHA: OCR Tracking Technology Rule Violates HIPAA Regulations

AHA said the rule violates HIPAA regulations and is bad public policy, as many hospitals use third-party technologies in their information-sharing efforts.


By Victoria Bailey

The American Hospital Association (AHA) has urged Congress and the HHS Office for Civil Rights (OCR) to withdraw the rule related to online tracking technologies, arguing that it violates HIPAA regulations.

AHA’s comments are in response to a request for information issued by US Senator Bill Cassidy (R-LA) on improving health data privacy and modernizing HIPAA.

AHA highlighted how the current HIPAA rules effectively protect patient health data. Thus, the group opposed any changes to the regulations, as adjustments would likely create more challenges than benefits.

However, the organization mentioned two issues that Congress should change.

First, leaders should urge OCR to withdraw its guidance on HIPAA covered entities’ use of online tracking technologies.

The guidance, released in December 2022, says that when an online technology connects an individual’s IP address with a visit to a public webpage that addresses specific health conditions or providers, that information is subject to restrictions on use and disclosure under HIPAA. This means website visitors’ IP addresses are protected even if they are not seeking medical care.

“In OCR’s misguided view, the same HIPAA protections apply if visitors search for a medical service for a friend or relative; if they are seeking general health information (e.g., information about flu season or symptoms of an unknown illness); or if they are conducting academic research for a study of data on hospitals’ websites,” AHA wrote.

The organization argued that the rule violates HIPAA regulations and is also bad public policy. The letter noted that hospitals and health systems use various third-party technologies to improve their websites as part of their information-sharing efforts.

For example, video technologies allow hospitals to offer a range of public information, analytics tools convert users’ interactions with hospital webpages into critical data, and map and location technologies lead to better information on where healthcare services are available.

If OCR’s rule remains in place, hospitals and health systems will have to restrict the use of these technologies, AHA said. Furthermore, the issue could be exacerbated if third parties decline to sign business associate agreements (BAAs) that ensure they protect private patient information.

“Hospitals and health systems are caught between OCR enforcement and these third-party vendors. Community members and public health are ultimately suffering the consequences of not having the most reliable health information available to them because hospitals and health systems cannot risk the serious consequences that flow from OCR’s unlawful rule, including HIPAA enforcement actions, class action lawsuits or the loss of significant investments in existing websites,” AHA’s letter stated.

AHA requested that Congress consider other options for requiring entities not covered by HIPAA to protect patient privacy, particularly third-party entities that do not sign BAAs.

The second issue the trade organization brought up was the variety of state and federal privacy requirements that create unnecessary regulatory burdens. AHA recommended Congress enact full federal preemption for HIPAA to create a more uniform, nationwide standard.

The existing combination of state and federal standards is a barrier to the sharing of patient information necessary for coordinated clinical treatment, according to AHA.

“If Congress were to make any changes to HIPAA, it should address this problem and enact a full preemption provision,” the organization wrote. “HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, it strikes the appropriate balance between health information privacy and valuable information-sharing. Varying state laws only add costs and create complications for hospitals and health systems.”