HIPAA-regulated health care organizations should take a cautious approach to their use of web-tracking technologies—known as pixels—in the wake of a federal judge’s ruling that HIPAA does not bar health care organizations from using those web trackers on their public-facing websites, attorneys warn.
In June, U.S. District Court Judge Mark Pittman granted a motion for summary judgment from the American Hospital Association (AHA) to vacate part of the HHS Office for Civil Rights’ (OCR’s) most recent guidance on the tracking technologies. Pittman ruled that OCR had unlawfully exceeded “HIPAA’s unambiguous text” by prohibiting covered entities (CEs) and business associates (BAs) from using web-tracking technologies under certain circumstances on their public web pages.[1]
But while this ruling might appear to free up health care organizations to digitally track website visitors with abandon, pixel use still carries multiple risks, said a group of BakerHostetler privacy attorneys.
“Tell your marketing department to settle down,” the BakerHostetler attorneys wrote. “The ruling is a win, but still a narrow one.”[2]
IIHI? Or Not?
OCR first issued guidance on web-tracking technologies in late 2022 following multiple reported breaches involving the technologies, which most often are provided by companies such as Meta (parent company of Facebook) and Alphabet (parent company of Google).[3]
In that original guidance, OCR said CEs and BAs are not permitted to use the technologies “in a manner that would result in impermissible disclosures of PHI [protected health information] to tracking technology vendors or any other violations of the HIPAA rules.”
In addition, the guidance said regulated organizations must ensure that all tracking technology vendors have signed a BA agreement “and that there is an applicable permission prior to a disclosure of PHI.”
AHA and its co-plaintiffs sued HHS in Texas over the guidance in November 2023.[4] In March, OCR issued a revised bulletin on web-tracking technologies, in which it reiterated strongly that CEs should avoid using those technologies in situations that could reveal PHI or risk violating HIPAA regulations.[5]
Pittman’s ruling emphasized that, while an IP address can identify a person, it cannot reveal that person’s motivation for visiting a specific web page. Both AHA and Pittman referenced the “Proscribed Combination,” AHA’s term for OCR’s ban on web trackers that link an individual’s IP address to a public web page addressing specific health conditions or specific providers.
Without knowing the motivation for someone’s web page visit, Pittman said, “the Proscribed Combination cannot become IIHI [individually identifiable health information] as unambiguously defined” in HIPAA.
Based on the ruling, OCR “cannot claim that noncompliance with [OCR’s] stance on the Proscribed Combination is a basis for enforcement,” the BakerHostetler attorneys wrote. Entities that had avoided tracking technologies in the wake of OCR’s guidance might find that “a change in strategy and tone may be in order,” they said. However, that change might apply only to the Proscribed Combination, they added.
Pittman’s ruling affects only public-facing web pages, where users do not need to log in to view content. The other parts of OCR’s pixel guidance, including its treatment of authenticated pages and its requirement that tracking technology vendors receiving PHI sign a BA agreement, remain in effect.