Transcript
This transcript has been edited and refined for clarity.
Marianne McGee: I'm Marianne Kolbasuk McGee, executive editor at Information Security Media Group. Today, I'm speaking with Privacy Attorney Iliana Peters of the law firm Polsinelli. We're going to be discussing the significance of a recent federal court ruling involving HIPAA guidance that was issued by the U.S. Department of Health and Human Services in December of 2022 and then updated in March 2024 warning about the use of online trackers on healthcare websites. The Texas Federal Court ruled in June that HHS's Office for Civil Rights overstepped its authority in guidance that warned HIPAA-regulated entities of potential HIPAA violations involving the use of tracking tools when the online technology connects to an individual's IP address with a visit to an unauthenticated public webpage addressing specific health conditions or healthcare providers. So Iliana, as we know, many healthcare entities use online tracking tools on their websites, and they have for many years. For our audience, very briefly describe what is at the center of this online tracking controversy involving HIPAA-covered entities and business associates?
Iliana Peters: A very crucial question, Marianne, because there is still a lot of confusion about that specific question. A lot of folks didn't recognize the fact that since the beginning of the implementation of the HIPAA rules, and if you think back to the late 90s and early 2000s when these rules were originally published, we had three rules - the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Enforcement Rule, along with the transactions and code sets - the underlying electronic transactions that gave rise to HIPAA jurisdiction. Even back when the original HIPAA Privacy Rule was published in 2000, before modifications in 2002, the definition of protected health information for purposes of de-identification of protected health information has always included identifiers such as IP address, email address or phone number. So, these are individually identifiable health information, which is the overarching category of information that gives rise to protected health information. In other words, PHI is a subset of IIHI, which is health information that is identifiable to an individual and has always included certain identifiers, including an IP address. There have been a lot of conversations more recently, given all of these website-tracking activities, around the way the internet works, analytics tools and other tools that we use on websites and the fact that they ingest IP address along with other identifying information - in many cases, related to an individual user of that website. Obviously, this is not just an HHS issue. This is a state AG issue. Several state AGs have taken a pretty strenuous approach in this respect, and there's a lot of class action litigation ongoing about these issues as well. In other words, if an IP address in combination with other identifiers for an individual is private, how do we protect it, both from a HIPAA standpoint and from a state law standpoint?
So, the underlying question is, do we consider things like IP address either alone or in combination with other information about an individual to be private? If yes, what do we need to do to protect that information? The HIPAA guidance that HHS OCR released two years ago says very definitively, yes, it is private, and yes, it is protected by HIPAA. So, that's where we ended up. Just to note that, for example, state AG opinions have also said the same thing. So, this is not just a federal issue. There are state issues involved here too.
McGee: So, Iliana, with that said, what is most significant about this federal court ruling and why?
Peters: The ruling itself is quite limited. So, if you recall the HHS guidance that we're talking about in this respect, which is the website-tracking guidance, it talks a lot about interactions of individuals on unauthenticated websites, and those are essentially public-facing websites that anyone in the world arguably, depending on what controls an entity may have in place but generally, can visit for any purpose. You can visit an unauthenticated public-facing website because you made a mistake and typed in something wrong on Google search, and you're looking for a different entity. You could be a researcher. You could be Mary McGee doing research for a story on a particular entity. You could be a donor. You could be a potential employee. You could also be a patient or a family member of a patient. So, a lot of folks visit these public-facing websites for a wide variety of reasons. And it's not always clear who is a patient, who is a family member of a patient or an employer of a patient, and who is not, which would arguably constitute protected health information, given the definition in the HIPAA Privacy Rule. And so again, what we're talking about here in this ruling is not authenticated websites. We are not talking about situations in which there is absolutely for sure a patient, a family member of a patient or an employer of a patient visiting a secure area of an enterprise because they're interacting with a medical record or paying a bill or looking at insurance issues or claims. This is not what is dealt with in this ruling. This ruling is limited to those public-facing websites and is limited to a user's IP address and the mere fact that they visited a public-facing website that may be about health conditions. So again, this is not a ruling that talks about additional information in addition to that IP address. 
It is simply about the fact that an individual user's IP address along with the fact that they visited a public-facing website that may contain information about a particular health condition is not enough to constitute individually identifiable health information, and thus protected health information under HIPAA. So again, very limited to HIPAA, very limited to just an IP address, and the fact that that IP address visited a public-facing website. Because again, the judge was making the point that we don't know why that particular individual is visiting that website. They could be a researcher, they could be a donor or they could be a potential employee or an employer. Lots and lots of reasons why someone may visit a public-facing website. It doesn't necessarily mean that they are a patient, a family member of a patient or an employer of a patient.
McGee: So Iliana, HHS OCR, on its website, has posted a note on this online-tracking guidance, acknowledging the court's June 20th ruling and saying that the agency is evaluating next steps in light of the order. So, what do you think will come next, and what's your advice to covered entities and business associates about the use of web trackers based on this ruling at this point?
Peters: Yeah again, great question, Marianne. That is the practical takeaway here. How do we move forward? It is likely what HHS will do here, similarly to what it did with the patient access case out of the same circuit. We'll see some kind of rulemaking in the future on this - that's the most likely course that HHS will take. It's likely given the limited nature of the ruling that HHS may not appeal this, although it's certainly possible. So, we'll need to see. But, with that other case, the ruling was much more substantial in terms of how the rules are interpreted and created much more confusion in the industry, and HHS chose not to appeal that ruling and chose to go the rulemaking route instead. So, I can see that happening again here. As a result, we are sort of left with this particular opinion from a practical perspective in terms of how to move forward with the guidance. As such, it's important for regulated entities to understand that this changes very little in the guidance. In other words, yes, we can be less concerned about users visiting public-facing websites, but the vast majority of activities on these public-facing websites aren't simply a visit to the website, and the information that is shared with a third-party vendor isn't just IP addresses and the website address. A lot of other things are being done on these websites and with the tools. Those activities are still arguably at risk if you do not have a HIPAA business associate agreement in place or a HIPAA authorization, which in this circumstance is pretty impossible to get for every single user. So again, we're still left in a place where the guidance indicates that we should have a HIPAA business associate agreement with any third-party tool provider who provides services to our website. Similarly, as I mentioned earlier, the state AGs, or at least some of the state AGs, have taken a very aggressive approach here as well and would arguably take the same approach.
In other words, if you don't have a business associate agreement, you would need a data processing agreement of some kind to protect the data that's shared with that third-party service provider. So again, it's such a limited ruling that it's likely not to change our approach in a substantive way in the vast majority of circumstances. And I'll note that the Chevron deference was referenced by the court, but played no role in this ruling. In other words, even though we have some additional Supreme Court cases that have come out since this ruling, I'm not sure they're going to play a large part in this guidance moving forward. So, we are still sort of left in the same place with the guidance itself, as well as with other obligations under other state and federal laws, such as the Video Privacy Protection Act, COPPA and wiretapping statutes - all of those other requirements that come into play here with regard to the tools we have deployed on websites.
McGee: Iliana, we've seen quite a few large covered entities in the last couple of years report large HIPAA breaches involving their previous use of online trackers. How does this court ruling affect those previously reported HIPAA breaches involving the use of online trackers in the past? Does it have any relevance to this and are those reported incidents still potentially considered HIPAA breaches despite this court ruling and why?
Peters: That is the next logical question, and the short answer is no. I do not think they impact the reporting of those breaches or HHS's investigation of those breaches. In my experience with my clients, OCR's investigations on these issues are focused on authenticated websites. So, those are websites that a particular patient or their representative or family member is logging into to accomplish a particular and absolutely health-specific purpose, that is, they are again checking an electronic medical record, coordinating through a patient portal, paying bills, checking claims, etc. Those are all absolutely still at issue. Additionally, to the extent a particular unauthenticated website has additional functionality like making an appointment or finding a doctor in a particular location using your geolocation information or interacting with a translation tool that collects additional data, those are also arguably still at issue, and in my experience, those are the issues that OCR is concentrating on in its investigation. To the extent a tool is an analytics tool that collects very limited information or may not be specific to additional activities, OCR may be less interested, and those are not the cases that arguably have been reported through the OCR breach portal. So again, I don't think this changes much from an enforcement perspective, either from an HHS point of view or from a state AG point of view, and certainly not from a plaintiff's class action point of view.
McGee: Finally, Iliana, any other suggestions for covered entities and business associates involved in the use of online trackers or the significance of this ruling in terms of what they should be looking at if they keep using these online trackers?
Peters: It's a great question, Marianne, because this kind of takes us back to the beginning of our conversation. The discussion about tracking is a little bit confusing for people, because these tools do a lot of different things. They have a lot of functionality for a lot of different reasons and are important to how regulated entities talk about their mission, reach patients, help patients get information in the language of their choice, make appointments, coordinate with different types of physicians, and even protect the security of the individuals that are using their website from a data security perspective. So, this ruling doesn't, in my opinion, get us where we need to go from a policy perspective, because there is still a significant amount of work that needs to be done on the OCR policy position here. In other words, there are a lot of functions on these public-facing websites that need to occur, arguably, for patients, family members, donors, employees, all of those important people to interact in a necessary and very appropriate way with those HIPAA-regulated entities. And that is being stifled because of this guidance. In fact, there is other guidance from HHS that contradicts this guidance arguably, and there's been no reconciliation of that. It's important to recognize that while this particular ruling highlighted the issue and certainly made a point with regard to whether or not this information is private as well as at risk, it still doesn't get us, in my opinion, where we need to go, and we do still need to work closely with our vendors as regulated entities or with our clients if we are vendors, as well as with the regulators at a state and federal level to figure out the best way to move forward in this space, given all of the necessary activities that occur on public-facing websites.
McGee: Thank you so much, Iliana. I've been speaking to Iliana Peters. I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for joining us.