Lipstick on a Pig: OCR’s Cosmetic Revisions to Guidance on Tracking Technology in Healthcare Fail to Address Fundamental Issues | BakerHostetler


When the U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) issued its guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” on Dec. 1, 2022 (Original Guidance), it was widely regarded (outside the plaintiffs’ class action bar) as a clumsy foray into technology of which the regulator had insufficient practical understanding. While much of the Original Guidance appeared to be written by someone who has never used the Internet, other parts seemed written by someone attempting to rewrite HIPAA without having to go through the pain and process of lawful regulatory rulemaking procedures.

Enter American Hospital Association, et al. v. Melanie Rainer, et al., filed on Nov. 2, 2023, in the Northern District of Texas. In that suit, the American Hospital Association (AHA), along with the Texas Hospital Association and HIPAA-covered entities Texas Health Resources and United Regional Health Care System, sued the director of HHS OCR, Melanie Fontes Rainer, and Secretary of HHS Xavier Becerra, seeking “(1) declaratory judgment that IP addresses are not considered individually identifiable health information under statutory and regulatory definitions, [and] (2) a permanent freeze on OCR’s enforcement of this rule.”[1]

In February, OCR filed a motion to extend briefing on the cross motion for summary judgment, indicating it would be issuing revised guidance that addressed many of the issues the lawsuit was meant to address. This new guidance was issued, as promised, on March 18, 2024 (Revised Guidance). However, the Revised Guidance accomplishes next to nothing, other than wiping a bit of egg off OCR’s face without addressing the real issues raised by the American Hospital Association (AHA) and the healthcare industry as a whole.

On the specific issue of whether an IP address of a device accessing a covered entity’s website is individually identifiable health information (IIHI) – arguably the most impactful, disruptive and overreaching portion of the Original Guidance – OCR holds strong. The Revised Guidance fails to address the fact that an IP address belongs to a device (not an individual) and changes routinely, making it less likely for an IP address to be traced back to a particular individual. Instead, OCR removed this statement:

[W]hen a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.

and replaced it with a slightly softer, but in effect the same, statement:

But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.

While that revision appears to head in the right direction, the Revised Guidance presents a number of examples of when an IP address is and is not protected health information (PHI) that have the effect of restating OCR’s position in the Original Guidance. The first example of when an IP address is not PHI is an extraordinarily obvious situation about which there was no confusion: when someone is on a hospital’s website looking for a job. However, OCR then juxtaposes two visits to a hospital’s webpage listing oncology services, one of which OCR says involves PHI and one of which it says does not:

Further, visits to unauthenticated webpages do not result in a disclosure of PHI to tracking technology vendors if the visit is not related to an individual’s past, present, or future health, health care, or payment for health care.

  • For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
  • However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.

These examples say, in new words, exactly what the Original Guidance said. But now OCR is expressly creating a standard that requires covered entities (and the tracking technology vendors) to read the minds of visitors to correctly guess a visitor’s purpose for visiting the website to determine whether tracking technologies can be deployed on the page for that particular visitor. OCR is setting a standard for determining when information is PHI that goes impermissibly beyond the scope of HIPAA.

The application of this standard outside the website context reveals how significantly this deviates from current HIPAA application. For instance, imagine a gynecologist has a child who plays soccer. The parent of another child on the team texts the gynecologist’s personal cell phone to ask about the doctor’s views on emerging cervical cancer detection research. The gynecologist does not know that the other parent has a history of abnormal cervical exams and that the purpose of approaching the doctor is to identify treatment options. The doctor responds in text, or perhaps never responds. Under the Revised Guidance, the text is PHI and the doctor’s personal text messages are now regulated by HHS OCR solely because of the other parent’s subjective purpose. This standard cannot be reasonably applied.

The subtle inclusion of the qualifier “to the extent that the information is both identifiable and related to the individual’s health or future health care” is the most significant departure from the per se identifiability conclusion stated in the Original Guidance. However, there is no indication that OCR intends to accept that an IP address does not, in fact, identify a specific person, nor that no one but the visitor can know if they are seeking a second opinion for themselves or simply educating themselves about a loved one’s condition.

For those hoping that the Revised Guidance would be a turning point for OCR – an opportunity to hone the blade and attack with more precision those instances where actual identifiers (like name, address, email, etc.) are being passed to third parties with information that concretely identifies them as patients – OCR did not come through.

At best, the Revised Guidance can potentially be used as evidence that whether a covered entity’s use of website technology constitutes a HIPAA violation is a heavily factual, user-by-user determination. Thus, it could be argued, OCR would be overreaching in assuming any violation without having the facts of specific website visitors. This scenario could prevent OCR from establishing an ongoing or repeated violation that would otherwise be worthy of a heightened monetary penalty. It also may assist in defending class actions, as it helps undermine the commonality of class members’ use of covered entities’ websites.

In our continued efforts to advocate for the healthcare industry, in January, BakerHostetler filed an amicus brief on behalf of 30 healthcare entities in support of the AHA’s motion for summary judgment in this matter. In the brief, we argued that HHS’ treatment of IP addresses as PHI was misguided, particularly because an IP address identifies a computer, not an individual. The Revised Guidance does not address this issue, which is critically important to our clients’ ability to provide an online place for patients and the community to obtain accurate and reliable healthcare information. It remains possible that the ruling on the cross motions for summary judgment will find that some personal identifier must also be present in order for website use information to be considered individually identifiable. We continue to support the AHA’s position and its efforts with the court to get the correct outcome on these issues.

[1] American Hospital Association, Case Explainer: American Hospital Association v. Rainer (last visited March 20, 2024),
