The OCR’s revised rule on online tracking tools has again been met with pushback from entities. Here’s what you need to know about this saga.
Since 2022, a debate has raged over the use of online tracking tools by HIPAA-covered entities and business associates. On one side is the HHS’ Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA. On the other is the American Hospital Association (AHA), which has filed a lawsuit challenging the OCR’s rules.
Now, following a revised OCR bulletin on the use of third-party tracking tools, the debate has taken center stage once again.
Wondering what the dispute is about? In this blog, we’ll cover what you need to know.
The OCR’s Rules on Online Tracking Tools
It began in December 2022 when the OCR issued a bulletin on the use of third-party online tracking tools. Covered entities, the agency said, would not be permitted to use these tools “in a manner that would result in impermissible disclosures of ePHI.”
It warned that all healthcare entities that collect and transmit individually identifiable health information (IIHI) would be at risk of violating the HIPAA.
The ruling defined IIHI as patient-specific health information collected not just from patient portals but also from unauthenticated pages. So, if a user were to look up a healthcare provider’s services and a tool captured their IP address, it would count as an unauthorized disclosure.
Under the new rule issued in March 2024, the OCR made some revisions.
Most notably, it clarified that not all information would constitute PHI but only data related to an individual’s health, healthcare, or healthcare payments.
It illustrated this with an example: Information sent to a tracking tool about a student who visits an oncology page for research wouldn’t count, as it has nothing to do with the student’s health. However, if the information shared is of an individual seeking an opinion on treatment of cancer, it would be in violation of the HIPAA.
As many have pointed out, this makes the rule reliant on the intent of the individual using the website, which a covered entity has no means of ascertaining.
Why is the AHA Protesting?
As the OCR sent warnings to several covered entities for not following its guidance, the AHA challenged the original rule, arguing that it was “preventing providers from communicating vital health information to the communities they serve.”
Last October, the AHA sent a letter to the Senate Committee on Health, Education, Labor and Pensions saying the original rule could cause harm to patients. A month later, it filed a lawsuit against the HHS supported by 17 state health associations and 30 hospital systems.
More recently, it also took exception to the new rule, arguing in court that the changes “only confirm that the original bulletin was substantively and procedurally unlawful.”
“The court should put an end to this embarrassing saga of regulatory overreach and bar enforcement of HHS’ unlawful and unwise new rule,” it said on April 12.
Who Will Emerge on Top?
At this point, it’s hard to say which side has the upper hand over what is essentially a very complicated rule. It’s crucial to note that in the next few months, there may be further changes to the ruling in case of a reversal or any additional lawsuits.
But whoever comes out on top, one thing is clear — the need to protect ePHI cannot be understated. Allow us to explain:
The Bottom Line: Protecting ePHI is Important
Since it was first enacted, HIPAA requires all entities to use the appropriate safeguards to protect ePHI. This is crucial for healthcare providers as:
- It maintains a patient’s right to privacy
- It helps avoid hefty penalties
- It increases trust levels
- It helps provide more effective care
This ePHI can include any information about a patient stored or transmitted online — through an online medical form or intake form, for instance. This is why FormDR believes that the best way to protect ePHI and understand the needs of your patients is through our HIPAA-compliant forms.
