Track Me Not — The New HIPAA Healthcare Website Guidance
4 min readA Simple Breakdown of the New HIPAA Guidance
The United States Office of Civil Rights (OCR) released guidance in December 2022 related to personal health information and healthcare-related websites. The OCR sought to clarify how healthcare organizations should protect individuals’ health privacy online. However, the guidance was less than perfectly clear. The burden of understanding it has only added to healthcare organizations’ anxiety about privacy.
Interpreting the Guidance
As a company working in the digital space, we must interpret new HIPAA rules, just like any other organization. We are sharing our understanding of the OCR guidance to help you get a better grasp of what it all means. Just like us, you’ll need to decide how to respond.
Not Legal Advice
We are a user experience firm (and privacy certainly affects user experience). We are not lawyers. We cannot and do not offer legal counsel. Nor are we offering specific advice on how to make your website HIPAA compliant or how to perfectly conform with the new rules. You and your legal team must do that. We can, however, help you consider the core issues.
Privacy vs. Tracking
Healthcare organizations value patient privacy by restricting access to patient information. These same organizations want to ensure their websites and apps serve users well. To do that marketing teams must understand site usage, which often means user tracking. And you guessed it, that can lead to privacy concerns.
Tracking Data
The new guidance identifies user tracking as a primary privacy risk. Nearly all hospital and healthcare marketing teams use tracking programs and scripts (e.g., Google Analytics, Meta Ads) to analyze website traffic, plan marketing campaigns, and gauge site performance.
Tracking scripts placed on websites collect a variety of different types of data to help marketing teams understand who uses their site, how people find the site, and how they interact with the site. But tracking can run afoul of privacy rules. Some tracking scripts can potentially collect Individually Identifiable Health Information (IIHI).
What Constitutes IIHI
IIHI is data about an individual’s past, present, or future health care information. This information can include:
- Physical or Mental Health or Condition
- Provision of Health Care to That Individual
- Payment for Health Care
- A Person’s Medical Record Number, Home, or Email Address
- Dates of Appointments a Person has Scheduled
- IP Address or Geographic Location
- Medical Device IDs or Any Unique Identifying Code
Example
The HIPAA Journal, a leading provider of news, updates, and independent advice for HIPAA compliance, uses, “Mr. Jones has a broken leg,” as an example of IIHI. A real person has been connected to a real bit of health information.
When IIHI is Protected by HIPAA
HIPAA rules apply to IIHI data if that data is stored, transferred or in the case of tracking scripts, sent to a third-party technology vendor, an entity outside of a patient or healthcare provider (e.g., Google). When this occurs, HIPAA considers that data to be Personal Health Information (PHI), which is protected by HIPAA.
For example, if a tracking script on a hospital or other healthcare website stores information about Mr. Jones and his broken leg, then that information is now PHI.
Problems of Interpretation
Most individually identifiable health information is straightforward. Pages with login screens, search field, or forms are generally regarded as IIHI and organizations are generally discouraged from using tacking scripts on those pages. The same can be said for pages with specific treatments or conditions, since inferences could be made about users who visit them. This example alone rules out most web healthcare pages from having tracking scripts.
But what about other pieces of data, like IP addresses? It’s not completely clear they can unambiguously identify a real person. But IP addresses are typically part of tracking data. This example is only part of the larger question on what is and is not considered IIHI.
Some organizations have taken draconian steps to cease all use of tracking scripts entirely. Other organizations have considered “middleware” solutions, software that anonymizes all data between a healthcare organization and third-party technology vendor.
That’s where interpretation and risk tolerance come in. You and your legal team must weigh in on your organization’s stance regarding the new OCR guidance.
Evolving Guidance
These rules are still new and evolving. Many nuances are not addressed by the guidance and many grey areas persist. Legal challenges and resulting court cases may offer greater clarity in the future. This may lead to adjusted OCR guidance. Keep your eyes and ears open. And always consult a legal team when making decisions around gathering data from your website.