We’ve covered a variety of topics related to this guidance, including a general overview of the guidance, impacts to the MarTech stack, the use of pixels for tracking purposes, and web and digital analytics platforms. On March 18, 2024, updated guidance was released in an attempt to further clarify the intended message from HHS.
Does it clarify much? Not really. In fact, it may raise even more questions, unfortunately.
For those of you hoping for an official policy document or an exhaustive list of Q&As that provides clearer direction, you’ll be sorely disappointed. From our review, the updated guidance appears to be a modest editorial pass with some minor adjustments and other complete reversals of language. Still, it’s another in a series of tea leaves that we need to read as we attempt to interpret their regulatory intent.
There are a few updates that seem to be related to the lawsuit from AHA, Texas Hospital Association and others from 2023. And the new guidance removes some of the more problematic internal contradictions from the original guidance and tones down some of the less believable statements.
To incorporate some recognition of reality, for example, the following statement has been changed
from:
- “… when a regulated entity collects the individual’s IIHI through its website or mobile app…it is indicative that the individual has received or will receive health care services or benefits from the covered entity… and thus relates to the individual’s past, present, or future health or health care or payment for care.”
to:
- “But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”
You’re undoubtedly just as confused by this adjustment in language as you were by the original guidance release. The above changes amount to a complete reversal of viewpoint.
The updated HHS guidance continues by using “students doing research” as an example of what isn’t IIHI/PHI while other examples identify “health consumers engaging with content” as an example of what is IIHI/PHI.
We used to believe that if we didn’t know the reason a consumer was visiting a page, the fact that they were there did not constitute PHI. However, the change in December 2022 dictated that we must assume every website visitor was there in relation to current or future personal health needs, making that consumer’s information PHI. Now, the updated guidance acknowledges that consumers visit healthcare web pages for a variety of reasons, many of which do not relate to current or future healthcare needs. Yet the guidance still fails to tell us how to translate that acknowledgment into acceptable and unacceptable (or compliant and non-compliant) actions.
HHS also seems to realize that people became overly focused on IP address as an identifying attribute. IP address has always been “on the list” but isn’t a very strong identifying attribute, so very few digital marketers were treating it as PHI. The original guidance came as a shock to many of us as a result. The updated guidance refuses to back down on that position but has added stronger reminders that there are multiple identifiers, including “…an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, device IDs, or any unique identifying code.”
The updated guidance seems to give more attention to the information an app or a page has vs. what information is sent to a third party through tracking technologies. This intersects with a statement added to the end of the updated guidance saying that HHS is prioritizing the HIPAA Security Rule for enforcement actions. The point? You need to first determine what information exists and its classification – is it IIHI or PHI? Then make sure that data is secured properly and not shared inappropriately. For example, a mobile app might hold biometric data, which then needs to be secured and not sent to Facebook.
An addition we were excited to see is a validation that it is acceptable to “…de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.” This is the strategy we’ve already employed with Geonetric Privacy Filter for GA4.
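As an added illustration of the de-identify-then-disclose approach (this is example code written for this page, not the post’s or Geonetric’s Privacy Filter code), here is a client-side filter that strips the identifier types the guidance names from a page-view event before it is dispatched to a vendor; the field and query parameter names are assumptions.

```javascript
// Added example (not the post's or Geonetric's code): de-identify a page-view
// event before it is handed to an analytics vendor. Field and query parameter
// names are assumed; which fields count as identifying is the site's own call.
const ALLOWED_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);
const IDENTIFYING_FIELDS = ["ip", "geo", "device_id", "user_id", "email"];
// Safety net: identifier shapes that may have leaked into free-text fields.
const LEAK_PATTERNS = [
  /[\w.+-]+@[\w-]+\.[\w.]+/,   // email address
  /\bMRN[-_ ]?\d{4,}\b/i,      // medical record number
  /\b\d{4}-\d{2}-\d{2}\b/,     // ISO date, e.g. an appointment date
];
function deidentifyEvent(event) {
  const dropped = [];
  const out = {};
  // 1. Drop top-level fields the guidance names as identifiers.
  for (const [k, v] of Object.entries(event)) {
    if (IDENTIFYING_FIELDS.includes(k)) dropped.push(k);
    else out[k] = v;
  }
  // 2. Rebuild the page URL with an allowlist of query parameters, so an
  //    email address or MRN embedded in the query string never leaves the site.
  if (typeof out.page_location === "string") {
    const url = new URL(out.page_location);
    const kept = new URLSearchParams();
    for (const [k, v] of url.searchParams) {
      if (ALLOWED_QUERY_PARAMS.has(k)) kept.set(k, v);
      else dropped.push("query:" + k);
    }
    const qs = kept.toString();
    out.page_location = url.origin + url.pathname + (qs ? "?" + qs : "");
  }
  // 3. Fail closed: if an identifier pattern survives in any string field,
  //    send nothing rather than a partially de-identified event.
  for (const [k, v] of Object.entries(out)) {
    if (typeof v === "string" && LEAK_PATTERNS.some((re) => re.test(v))) {
      return { event: null, dropped, blocked: k };
    }
  }
  return { event: out, dropped, blocked: null };
}
// Constructed sample event with identifiers in both fields and the query string.
const SAMPLE_EVENT = {
  page_location: "https://example.org/conditions/diabetes?utm_source=news&email=jane%40example.com&mrn=12345",
  page_title: "Diabetes care",
  client_id: "1234.5678",
  ip: "203.0.113.7",
  geo: "Cedar Rapids, IA",
  device_id: "abc-123",
};
```

Run `deidentifyEvent(SAMPLE_EVENT)` and only the path plus `utm_source` survives in the URL, while `ip`, `geo`, `device_id` and the `email`/`mrn` parameters are listed in `dropped`; an event whose title still carries an email address or a date is blocked outright.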
In the end, this updated guidance changes very little in terms of the guidance or the clarity required to implement it. We hope to see additional information throughout this year which may help HIPAA regulated entities implement mitigation strategies with greater confidence than is possible today.
Interpretations of the December HIPAA guidance vary widely, and there is no single agreed standard for compliance. Every organization should seek to establish its own understanding of what is and isn’t acceptable given HIPAA rules today and the likely redefinition and expansion of privacy laws inside and outside of healthcare in the future.
I’m not a lawyer. Geonetric is not a law firm. I’m sharing my insights and advice but nothing that I share here should be considered legal advice.