Ah, the internet—where you can search for everything from cat memes to the symptoms of a mysterious rash that definitely doesn’t mean you’re dying (probably). But what happens when hospitals and healthcare providers start tracking your online searches? Well, things can get a bit dicey, as the American Hospital Association (AHA) and the U.S. Department of Health and Human Services (HHS) found out the hard way. Welcome to the legal equivalent of a soap opera: When HIPAA Met the Internet.
A Quick Primer: What’s HIPAA Again?
Before we dive into the recent courtroom drama, let’s review the crucial information.
HIPAA, or the Health Insurance Portability and Accountability Act, is the law that keeps patients’ health information safe and private. For healthcare marketers and professionals, it’s the rulebook that ensures you’re handling sensitive data—like patient records and medical histories—with the care and confidentiality they deserve.
In simple terms, HIPAA is what keeps you from accidentally sharing someone’s medical details with the world, whether through a marketing campaign, a data breach, or just plain carelessness. That’s why you need to be extra careful about how you collect, store, and share patient information, especially in the age of digital marketing and online tracking.
So the premise is simple: while HIPAA might seem like a hassle at times, its purpose is to help you keep the patients’ trust intact and stay on the right side of the law.
But, as with any good drama, things get complicated when technology enters the picture. Enter the internet, where even your grandmother is now Googling her cholesterol levels and the best way to prune her roses (which, let’s face it, are both equally important).
The Plot Thickens: HHS OCR Tries to Keep Up with the Times
HHS, the agency responsible for enforcing HIPAA, decided it was time to update its approach for the digital age. After all, it’s 2024, and who’s got time for paper files and rotary phones?
To keep up, their Office for Civil Rights released new guidelines in an attempt to regulate how healthcare organizations use online tracking technologies, like cookies, under HIPAA rules.
Their idea was simple: if someone searches for a healthcare provider or health condition online, and a healthcare website tracks that information, then HIPAA rules should apply. Makes sense, right? Well, not so fast.
This, as it’ll turn out, problematic guidance has expanded the definition of what counts as protected health information (PHI) when users visit healthcare websites. It addressed the use of online tracking technologies on user-authenticated pages, unauthenticated webpages, and mobile apps.
Specifically, it stated that even if a person just visited an unauthenticated webpage and their IP address (or other identifying information) was collected, it could be considered as individually identifiable health information (IIHI) and thus protected under HIPAA.
Quick, what is an unauthenticated webpage?
An unauthenticated webpage is a webpage that can be accessed by anyone without requiring the user to log in, provide credentials, or authenticate their identity in any way. Basically, it’s your public website, including the homepage, blog posts, informational pages, and services pages.
This expanded definition of PHI/IIHI caused a lot of confusion and compliance challenges for healthcare organizations. Many weren’t sure if the information they collected from visitors to their public websites counted as IIHI, especially since such data wouldn’t normally be considered PHI under traditional HIPAA rules. This confusion led to lawsuits against healthcare entities, breach notifications, and investigations, with some lawsuits resulting in multi-million-dollar settlements.
“Please, Just Let Us Explain”
To try and remedy the situation, the HHS OCR subsequently released the updated guidance, clarifying its position on the unauthenticated webpages. The new document stated that the key to determining whether collected data qualifies as PHI depends completely on user intent.
For example: if a person ends up on your website reading about knee replacements because they want to understand how that works, you’re fine. However, if they have a problematic knee that could possibly need replacing, then it’s PHI and you’re in breach of HIPAA. Helpful, right?
The problem is: you don’t really know the true intent behind every search and visit, and you can’t really ban visitors who possibly need the services you offer. So, what now?
The Hospitals Fight Back: “This Isn’t What We Signed Up For!”
To say that the AHA (American Hospital Association) wasn’t thrilled is an understatement. They and other healthcare groups filed a lawsuit against HHS OCR, arguing that the guidance was overreaching, legally flawed, and harmful to patients.
They claimed that the guidance stretched the definition of IIHI too far by saying that just visiting a healthcare website and having your IP address tracked could link to your health information and fall under HIPAA. They also argued that the guidance was issued without proper legal procedures, like public notice and comment.
It’s one thing to keep patient data safe, but expecting providers to know the secret motives behind every patient’s online search was a bridge too far. After all, who among us hasn’t Googled something completely unrelated to ourselves—like trying to diagnose a friend’s symptoms or simply getting lost down a rabbit hole of medical curiosity, or, if you take it a bit too far, hypochondria?
The Court’s Verdict: HHS, You’ve Gone Too Far
In June 2024, a Texas federal judge ruled that a key part of the guidance issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) was unlawful.
The court ruled that HHS OCR had indeed overstepped its authority by expanding the definition of IIHI in this way. The judge said that just because someone visits a healthcare website doesn’t mean their IP address or browsing history should automatically be considered IIHI under HIPAA. However, the court didn’t invalidate the entire guidance—just the part about unauthenticated webpages. This means that the rules still apply to authenticated (password-protected) pages where people might enter sensitive health information.
While this ruling is a win for healthcare organizations, allowing you to use certain online tracking technologies without worrying that it automatically violates HIPAA, you still need to be cautious. There’s still a lot of ongoing litigation, and to avoid being dragged into one, you should carefully consider what types of tracking technologies you use and how you collect information online.
Panic-Induced Q&A: What Does This Mean for Healthcare Providers?
After a well-deserved sigh of relief, there’s still a lot healthcare providers need to consider in light of these recent events. Let’s move on to the actionable points, review the burning questions related to the HHS OCR’s attempt at updating guidelines, and explore best practices to ensure you maintain HIPAA compliance in the digital world.
How does the recent court ruling impact your use of online tracking technologies on healthcare websites?
The ruling means that collecting data like IP addresses from unauthenticated webpages is no longer automatically considered protected health information (PHI) under HIPAA. You have more flexibility using tracking technologies on public pages, but the ruling doesn’t change the rules for authenticated pages where sensitive information is involved.
What information from unauthenticated webpages could still be considered IIHI under HIPAA?
Generally, IP addresses and browsing history from unauthenticated pages aren’t considered IIHI under HIPAA. However, if combined with other identifiable health information or linked to sensitive data, it could still fall under HIPAA protections. To prevent this from happening, ensure all integrations of marketing tools with your PM/EHR systems are HIPAA-compliant.
What steps should you take to ensure our use of online tracking technologies remains HIPAA-compliant?
Ensure tracking tools on unauthenticated pages collect non-identifiable data, avoid gathering sensitive health information unnecessarily, and sign proper legal safeguards like Business Associate Agreements (BAAs) with vendors.
Review all existing contracts to ensure vendors comply with HIPAA standards and evaluate their data handling practices. Renegotiate terms or switch vendors if necessary to ensure compliance and avoid risks.
Additionally, limit the collection of identifiable health data where possible, apply strong data anonymization practices, clearly inform users about data collection, and provide opt-out options.
Finally, read the news! Stay updated on legal changes to adapt your practices as needed.
In Spite of Bureaucracy: Achieving Successful, HIPAA-Compliant Healthcare Marketing
Well, the good news is you won’t have to guess why your visitors are googling “Is it normal to sneeze 27 times in a row?” anytime soon. However, the need for caution and diligence remains critical, and the challenge to leverage powerful marketing tools while ensuring compliance with HIPAA regulations is still highly relevant.
SocialClimb’s comprehensive healthcare marketing platform offers a solution that makes this possible. With features like HIPAA-compliant automated survey distribution, real-time data analysis, and patient targeting, SocialClimb helps you maximize your marketing efforts without compromising patient privacy. By integrating these tools, you can effectively enhance patient engagement, improve satisfaction, and boost the ROI of your healthcare investments—all while staying on the right side of the law.