Court’s Web Tracker Ruling: What HIPAA Entities Should Know – Source: www.databreachtoday.com

Healthcare groups should consider several key points about a recent Texas federal court ruling and its impact on the use of online tracker technology on the healthcare websites of HIPAA-regulated organizations, said privacy attorney Iliana Peters of the law firm Polsinelli.

According to Peters, a recent Texas federal court ruling that says the Department of Health and Human Services overstepped its authority in specific provisions of HIPAA guidance involving the use of online tracking tools on healthcare websites is very narrow.

The court ruled that the HHS Office for Civil Rights was wrong when it said that tracking technology that captures the IP address of a user’s device and matches it with a visit to a web page that addresses specific health conditions or lists healthcare providers “is a sufficient combination of information to constitute individually identifiable health information” (see: Court: HHS Overstepped HIPAA Authority in Web Tracking Guide).

“The proscribed combination fails to improve current privacy protections while jeopardizing the dissemination of important healthcare information to the masses,” the court said.

HHS OCR issued the guidance in December 2022 and updated it in March. Since the June 20 ruling, HHS OCR added a note to the guidance, saying HHS is “evaluating its next steps” in light of the court’s decision.

“It’s really important for regulated entities to understand that this changes very little in the guidance. In other words, yes, we can be less concerned about users visiting public-facing websites,” Peters said, “but the vast majority of activities on these public-facing websites aren’t simply a visit to the website, and the information that is shared with a third-party vendor isn’t just IP addresses and the website address. Lots of other things are being done on these websites.”

“It’s such a limited ruling that it’s likely not to change our approach in a really substantive way in the vast majority of circumstances,” Peters said.

In this audio interview with Information Security Media Group (see audio link below photo), Peters also discussed:

• HIPAA considerations involving public-facing unauthenticated websites vs. authenticated websites, such as patient portals;
• State and federal regulatory issues involving the privacy of IP addresses and other identifiers;
• Why the recent Texas federal court ruling isn’t likely to affect previously reported HIPAA breaches involving the use of online tracking technologies on healthcare websites.

Peters is a Polsinelli law firm shareholder and an attorney in its national healthcare operations practice. She previously spent more than a decade at HHS OCR and served as the acting deputy director of health information privacy and the senior adviser for HIPAA compliance and enforcement. Before joining the OCR team in Washington, Peters worked as an investigator in OCR’s Dallas regional office.