HHS provides legal position on the use of Tracking Technologies on Public Facing Webpages of Hospitals in AHA Suit 

On March 21, 2024, the U.S. Department of Health and Human Services (HHS) set out its legal position on the use of tracking technologies on hospital and other healthcare provider websites and apps in the legal action brought by the American Hospital Association (AHA) in federal court.  

Filed on November 2, 2023, that action challenges a healthcare data privacy Bulletin issued by the HHS Office for Civil Rights (OCR). The Bulletin places conditions on HIPAA-regulated entities’ use of third-party tracking technologies on their webpages where those technologies “impermissibly disclose” Individually Identifiable Health Information (IIHI) as part of a “Proscribed Combination.”  

According to the AHA, a Proscribed Combination occurs when an individual’s IP address is combined with a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers.  

HHS did not file an Answer in the case but has now made its positions clear in its brief in opposition to AHA’s motion for summary judgment and in support of its own summary judgment motion.  

LARGER SIGNIFICANCE OF CASE 

The case is important both because of the potential harm resulting from violations of privacy and because of the public’s need for reliable health and health-related information, which the AHA claims the Bulletin makes harder to provide.  

As stated in HHS’s brief, a tracking technology is “a computer code or script embedded in a webpage that harvests data about users who navigate to and interact with the webpage.” This can include the following: 

  • The title and contents of the webpage visited; 
  • User’s interactions on a website – including what information they enter or click on while there and what links or search terms brought them there; and 
  • Information about the user, such as email or IP addresses. 

According to HHS, the data can be shared with “outside companies for uses ranging from website analytics and usability testing to creating user profiles and targeted advertising.” 

Potential harm from the loss of privacy can take the form of theft, embarrassment, and unwanted intrusion into the sensitive details of individuals’ lives.  

On the other hand, in its Complaint, the AHA notes beneficial information-sharing efforts aided by tracking technology on hospital websites, such as:  

  • Analytical tools that turn web users’ interactions with hospital webpages into usable data, allowing hospitals to “more effectively allocate their medical and other resources;” 
  • Video technologies that help educate the community about particular health conditions, among other uses; 
  • Translation technologies that help non-English speakers “access vital healthcare information;” and 
  • Map and location technologies that provide better information about where healthcare services are available. 

DISTINCTION BETWEEN GENERAL WEBPAGE VISITS AND HEALTH-RELATED VISITS 

Among the most important positions HHS takes is that general visits to Unauthenticated Public Webpages and health-related visits to such pages must be distinguished, claiming that the AHA fails to do so.  

Noting that the original Bulletin was revised on March 18, 2024, HHS states that the revision makes clear that “the mere fact that an online tracking technology connects [an] IP address … with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination to constitute IIHI.” Such a connection alone therefore does not constitute an impermissible disclosure of Protected Health Information (PHI) under the HIPAA Privacy Rule. For the rule to apply, the agency states, the visit must additionally relate to “an individual’s past, present, or future health, health care, or payment for health care.” 

It further states that “common sense dictates that at least some users who visit [the webpages in question] are doing so to learn information about their own medical conditions, to inquire about specific medical practices or providers for the purpose of obtaining health care, to actually obtain an appointment with a particular provider, or for other reasons related to their own health care.” 

In those cases, HHS argues, tracking technologies on unauthenticated webpages can receive PHI when the information is disclosed, and an impermissible disclosure can occur. 

HIPAA PLACES CONDITIONS ON TRACKING TECHNOLOGIES, BUT DOES NOT PREVENT THEM 

A further distinction that HHS makes is that even when a visit to an Unauthenticated Public Webpage involves IIHI and the HIPAA Privacy Rule is therefore triggered, third-party tracking technologies are not prohibited. According to HHS, they merely need to be deployed “in a manner that complies with the HIPAA Rules.” The agency states that the Revised Bulletin is consistent with this position as well.  

HHS notes that such compliance includes that “regulated entities can permissibly disclose PHI to third parties through tracking technologies by entering into business associate agreements with third-party tracking technology vendors or with vendors who can de-identify data before transferring it to tracking technology vendors.” Regulated entities can also “seek valid authorization from users.”  
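The two points above can be made concrete in code: what an embedded tracking script actually collects from a page view (the items HHS lists: page title and contents, user interactions, search terms, email address), and a gate that decides whether that beacon may be sent to a given vendor based on the compliance paths HHS names (a business associate agreement or a valid authorization). The following is an added illustration written for this post; it is not code from any vendor's SDK, from the HHS brief, or from the AHA. The page view, the vendor registry, and the function names are constructed for the example.

```javascript
'use strict';

// Constructed sample page view (not real traffic): a visit to a condition-
// specific page with a search term, a referrer, and an email typed into a form.
const SAMPLE_PAGE_VIEW = {
  url: 'https://hospital.example/conditions/oncology?q=chemotherapy+side+effects',
  title: 'Oncology Services | Example Hospital',
  referrer: 'https://search.example/?q=chemotherapy+near+me',
  userEmail: 'patient@example.com',
  clicks: ['Find an oncologist', 'Request appointment'],
};

// Model of what a typical third-party tracker harvests client-side.
// The visitor's IP address is deliberately absent from this object: the
// vendor observes it when the beacon arrives at its server, which is how the
// IP address ends up combined with the page visited and the terms searched.
function buildBeacon(view) {
  const u = new URL(view.url);
  return {
    page_path: u.pathname,
    page_query: Object.fromEntries(u.searchParams),
    page_title: view.title,
    referrer: view.referrer,
    events: view.clicks.slice(),
    email: view.userEmail ?? null,
  };
}

// Hypothetical vendor registry: whether a business associate agreement
// (BAA) is in place with each tracking vendor.
const VENDORS = {
  analyticsBaaVendor: { baa: true },
  adPixelVendor: { baa: false },
};

// Decide whether a beacon may leave the page for this vendor.
// The gate keys on the vendor relationship and on user authorization, not on
// the page topic, because the page cannot tell which visitors are researching
// their own care. Returns { send, reason, beacon }.
function gateBeacon(vendorName, view, { userAuthorized = false } = {}) {
  const vendor = VENDORS[vendorName];
  if (!vendor) {
    return { send: false, reason: 'unknown vendor', beacon: null };
  }
  const beacon = buildBeacon(view);
  if (vendor.baa) {
    return { send: true, reason: 'business associate agreement in place', beacon };
  }
  if (userAuthorized) {
    return { send: true, reason: 'valid HIPAA authorization from user', beacon };
  }
  return { send: false, reason: 'no BAA and no authorization', beacon: null };
}

// Stand-alone run: show the blocked and permitted outcomes for the sample view.
console.log(gateBeacon('adPixelVendor', SAMPLE_PAGE_VIEW));
console.log(gateBeacon('analyticsBaaVendor', SAMPLE_PAGE_VIEW));
```

Run with Node. The beacon built for the sample view carries the condition-specific path, the search term, the referrer, and the email address, which is the kind of combination the Bulletin is concerned with; the gate blocks it for the vendor without a BAA unless the user has given an authorization, and allows it for the vendor under a BAA. A real deployment would also need the de-identification path HHS mentions, which this example does not attempt to model.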

ADDITIONAL ARGUMENTS 

Additional arguments made by HHS include that the HIPAA Privacy Rule provides broad protection, with the agency stating that “in defining IIHI, Congress consciously used the expansive terms ‘relate to’ and ‘reasonable basis to believe’ to ensure that covered entities would broadly protect information about past, present, or future health conditions; health care; or payment for health care that might be able to identify the individuals linked to those health care needs.”  

HHS also claims that separating IIHI from non-IIHI can be difficult, given how tracking technologies disclose information to third-party vendors, and that for this reason “it may be prudent for regulated entities to prevent disclosures of non-IIHI if that is the only way to ensure that they are not disclosing PHI to third parties in violation of the Privacy Rule.”  

According to an Order of the Court dated March 12, 2024, the AHA and co-plaintiffs must provide their opposition to the HHS motion by April 11, 2024. 



Categories: DATA PROTECTION & PRIVACY


Discover more from Digital Healthcare Law
