US courts, regulators weigh in on online tracking in health care


Contributors:
Helena Engfeldt
CIPP/E, CIPP/US
Partner
Baker McKenzie
Rachel Ehlers
Enacted around the time the general public started to access the internet, the Health Insurance Portability and Accountability Act is complex, and its reach is often misunderstood by companies.
Over the summer, in American Hospital Association v. Xavier Becerra, a federal court reined in HIPAA's reach by striking down parts of the U.S. Department of Health and Human Services' guidance related to third-party online tracking technologies on publicly available websites used to increase access to health information.
The definition of protected health information under HIPAA has generally included IP addresses and other device identifiers. However, lawmakers crafting HIPAA did not contemplate current technologies and digital platforms or the use of third-party tools to understand the effectiveness of websites.
HHS originally issued guidance on online tracking technologies in 2022, stating information about visitors to a public, unauthenticated website "is indicative that the individual has received or will receive health care services or benefits." Per the guidance, third-party tracking providers were considered business associates, requiring agreements with health care providers, and the definition of personal information was expanded to include an individual's IP address when they visited unauthenticated public websites, meaning websites that do not require logins.
The guidance was met with criticism, including from the American Hospital Association. In a 2023 letter, the association urged HHS to suspend the guidance, arguing it defined PHI too broadly and would impede access to credible health information. Instead of changing its position, HHS and the U.S. Federal Trade Commission sent warning letters to more than 100 hospitals.