AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

May 30, 2023 | Data Breach Laws, FTC (Federal Trade Commission), Government Enforcement, Legislation & Rulemaking

  • AHA encourages OCR to publish its long-awaited Final Rule adopting proposed amendments to the HIPAA Privacy Rule which it views as providing sufficient expanded protection for patients’ sensitive health information (e.g., reproductive health).

  • AHA encourages OCR to retract or amend its Online Tracking Guidance, or otherwise seek public comment on how HIPAA applies to online tracking technologies.

  • AHA encourages OCR to work with the FTC to identify third-party technology vendors that refuse to protect health information.


The American Hospital Association (AHA) has published its May 22, 2023 letter (PDF) to OCR Director Melanie Fontes Rainer expressing “serious concerns” about OCR’s December 2022 guidance on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Online Tracking Guidance”) (the letter is also available on AHA’s website). For months now, hospitals, health systems and other health care organizations have been voicing their concerns about OCR’s latest overbroad interpretation of what counts as “protected health information,” so it is good to see AHA finally weigh in on this important debate.

Among other things, the AHA letter asserts that OCR has “put hospitals to the ‘Hobson’s Choice’ created by the December 2022 Online Tracking Guidance” (although, I’m thinking it’s more of a Morton’s Fork dilemma). In any case, here is a summary list of the points and suggestions AHA makes in its letter:

Negative Impact of the Online Tracking Guidance

  • The Online Tracking Guidance errs by defining PHI too broadly — specifically, by treating every IP address as PHI. This will inadvertently impair access to credible health information. AHA gives valid reasons why an IP address by itself should not be considered PHI subject to HIPAA:
    1. An IP address is a numeric address assigned to a device (or, more precisely, a network interface) connected to a network that uses the Internet. The address identifies the computer, smartphone, tablet or other device, whether it is in someone’s home, office, a public library, apartment building or somewhere else. A device could be associated with a particular person or shared by many different people, and because home and office routers typically place many devices behind a single public address, one IP address often represents an entire household or workplace rather than an individual.
    2. An IP address can belong to a visitor who is not seeking medical care at all. Consumers may merely be looking for information about visiting hours, facility locations, cafeteria menus or any of the multitude of reasons one might go to a hospital’s website.
    3. An IP address provides no indication whatsoever whether the person using that device is a potential patient, a friend or relative of a patient, or just a curious online visitor.
  • Hospitals use valuable online tools that sometimes require them to provide IP addresses to third-party vendors. In practice, when a hospital page loads a vendor’s script or tracking pixel, the visitor’s browser connects to the vendor directly, so the vendor receives the visitor’s IP address (and usually the URL of the page being viewed) as an ordinary consequence of how web requests work, whether or not the hospital intends to share it. If hospitals and health care systems are forced to restrict the use of these technologies, which help improve community access to health information, it will negatively impact the following:
    1. Analytics technologies, which allow hospitals to optimize their online presence to reach more members of the community, including members of the community most in need of certain healthcare information.
    2. Translation services allow hospitals to contract with third parties to translate parts of their websites so that non-English speakers can access vital healthcare information.
    3. Map and location applications allow hospitals to use third-party services to provide better information about where healthcare services are provided.
    4. Social Media is used by hospitals to drive traffic to websites containing trustworthy sources of information. Underserved and minority groups will be particularly disadvantaged if hospitals and health systems can no longer rely on social media to put out credible health information.
  • Third-party technology vendors used by hospitals often refuse to comply with the Online Tracking Guidance because they are not themselves subject to HIPAA, leaving hospitals and health systems exposed to serious consequences — including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars already invested in existing websites, apps and portals.

  • OCR’s Online Tracking Guidance has caused Google (and many other similar vendors) to abandon support of hospitals and health systems, while presumably not abandoning support of more questionable sources of health-related “information” that are not subject to HIPAA. In response to the Online Tracking Guidance, Google has refused to sign HIPAA business associate agreements covering Google Analytics with hospitals. This leaves hospitals with only two choices: (1) simply stop using Google Analytics (and lose all of the benefits it provides to patients and communities) or (2) continue using Google Analytics and accept the substantial legal and other risks of doing so.

AHA’s Recommended Actions

  • OCR should finalize its proposed amendments to the Privacy Rule as soon as possible (after all, it has been over two years since the proposed changes were published in January 2021!).
  • OCR should suspend its December 2022 Online Tracking Guidance immediately.
  • If OCR concludes that the Online Tracking Guidance should remain effective, OCR should amend the guidance to make clear that:
    1. IP addresses alone do not qualify as unique identifiers under HIPAA because they do not individually identify a person; or
    2. If OCR nonetheless wishes to protect IP addresses, it should do so only for IP addresses collected via authenticated (i.e., nonpublic) webpages, such as password-protected patient portals, which are far more likely to involve private personal health information.
  • If OCR is unwilling to make these changes, it should seek public comment via an RFI or notice-and-comment rulemaking (rather than issuing sub-regulatory guidance that did not benefit from any input by regulated entities).
  • Because any issues related to the release of IP addresses to third parties are ultimately caused by the decisions of third-party vendors, the problem seems better suited to regulation by the FTC than by OCR. Therefore, OCR should work with the FTC to identify and regulate third parties that refuse to protect health information.

In all, AHA nicely lays out the issues created by OCR’s Online Tracking Guidance and offers reasonable suggested actions that HHS can take. Now, we wait to see if and how HHS responds.

