AHA Urges OCR to Suspend or Amend Online Tracking Guidance

The American Hospital Association claims that OCR defined PHI too broadly in its Online Tracking Guidance and urged OCR to “suspend or amend” the guidance immediately.

By Jill McKeon

The American Hospital Association (AHA) urged the HHS Office for Civil Rights (OCR) to reconsider its December 2022 Online Tracking Guidance, suggesting that its definition of protected health information (PHI) may be too broad by including IP addresses as a unique identifier under HIPAA.

As previously reported, OCR issued its Online Tracking Guidance following a series of reports and breach notifications indicating that tracking technologies present on numerous hospital websites may have been transmitting sensitive data back to tech companies such as Meta and Google.

OCR’s guidance outlined the dos and don’ts of using tracking tech as a HIPAA-covered entity or business associate, with an emphasis on ensuring that business associate agreements (BAAs) are in place.

“For example, if an individual makes an appointment through the website of a covered health clinic for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor,” OCR noted. “In this case, the tracking technology vendor is a business associate and a BAA is required.”

But in a letter from the AHA’s General Counsel and Secretary Melinda Reid Hatton to OCR Director Melanie Fontes Rainer, the AHA expressed concerns about the broad nature of the guidance, despite the fact that HHS has long recognized IP addresses as a unique identifier under HIPAA.

The AHA voiced its support for finalizing a proposed rule that would provide additional patient privacy protections to individuals seeking reproductive care, but disagreed with elements of the Online Tracking Guidance.

“The AHA understands that this guidance may have been motivated — at least in part — by the same concerns as the proposed rule. Regrettably, the Online Tracking Guidance errs by defining PHI too broadly — specifically, to include all IP addresses,” the letter stated. “As a result, the guidance will inadvertently impair access to credible health information. It should be suspended or amended immediately.”

Specifically, the AHA suggested that the guidance “aggravates the risk of health misinformation by treating a mere IP address as a unique identifier under HIPAA.”

The AHA urged OCR to contemplate whether the guidance remains necessary considering the heightened privacy protections mentioned in the proposed rule, and encouraged the Office to seek public comment before reissuing the guidance or rescinding it altogether.

Hatton suggested that the designation of IP addresses as a unique identifier under HIPAA may serve as a barrier to hospitals and health systems, many of which implement analytics technologies and other tools to “improve community access to health information.”

“Hospitals can only use these technologies with the help of third party vendors. But those vendors often refuse to comply with the Online Tracking Guidance because they are not subject to HIPAA’s strictures. Hospitals are now caught in the middle,” the AHA continued.

“The Online Tracking Guidance puts hospitals and health systems at risk of serious consequences — including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals — for a problem that ultimately is not of their own making.”

A recent study published in Health Affairs found third-party tracking tech present on nearly all United States nonfederal acute care hospital websites.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” the study suggested.

“These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

Researchers suggested that hospitals consult with their legal department before implementing any third-party tools. First and foremost, hospitals have an obligation to protect patient privacy