Tracking technologies and HIPAA
One piece of the US privacy puzzle
Posted: November 12, 2024
The Health Insurance Portability and Accountability Act (HIPAA) is one of the most significant federal privacy laws in the US. First passed in the 1990s, HIPAA has been amended several times and re-interpreted by courts and regulators to apply to modern digital technology.
HIPAA regulates how covered healthcare entities disclose health-related data to “business associates”. Under the regulators’ reading, that disclosure can include using cookies and pixels to share website visitor information with advertising companies like Meta and Google.
But HIPAA-covered entities have received mixed messages about tracking in recent years. Here’s a look at how HIPAA has evolved – and why it’s no longer the only privacy consideration for companies operating in the health sector.
The Health Information Technology for Economic and Clinical Health (HITECH) Act
In February 2009, the HITECH Act was enacted as part of the American Recovery and Reinvestment Act. HITECH strengthened HIPAA by introducing the Breach Notification Rule, increasing penalties for non-compliance, and extending certain HIPAA requirements to business associates.
The HIPAA Safe Harbor Law amended the HITECH Act in January 2021, requiring the Department of Health and Human Services (HHS) to consider recognized cybersecurity practices of covered entities and business associates when determining penalties for HIPAA violations.
HIPAA tracking guidance
In December 2022, the Office for Civil Rights (OCR) issued a bulletin addressing the use of online tracking technologies by HIPAA-covered entities and their business associates.
The guidance emphasized that using such technologies could lead to impermissible disclosures of protected health information (PHI) to third-party vendors. The OCR took a broad view of HIPAA’s scope and a strict interpretation of how health entities should handle tracking.
In March 2024, responding to industry feedback and possible legal action, the OCR updated its guidance. The new guidance clarified that impermissible disclosures would only occur if a website visitor intended to seek healthcare services within HIPAA’s scope.
However, the OCR’s guidance remained controversial, with some healthcare providers arguing that it would be impractical to implement without stopping tracking altogether.
Federal court ruling challenges OCR guidance
In the June 2024 case American Hospital Association v Becerra, the U.S. District Court for the Northern District of Texas ruled that OCR had exceeded its authority with its online tracking guidance.
The court vacated the guidance, stating that OCR’s interpretation of HIPAA in this context was overly expansive. The OCR has since removed the HIPAA guidance from its website and has yet to issue a new version reflecting the court’s concerns.
As such, it remains unclear how businesses should interpret HIPAA in the context of tracking and advertising technologies.
New state privacy laws
Beyond HIPAA, the US privacy landscape is changing fast. Over one-third of states have enacted comprehensive privacy laws in recent years, impacting companies in and outside of the health sector.
While state privacy laws tend to carve out protected health information processed under HIPAA, most classify health-related information as “sensitive data” and require businesses to obtain opt-in consent before processing such data.
Furthermore, several states, including Washington and Nevada, have passed health-specific privacy laws with strict rules on collecting, selling, and sharing health information.
The uncertainty around HIPAA’s application to tracking technology is one small piece of the US privacy puzzle. Recognizing the compliance gap created by HIPAA’s relatively narrow application and ambiguous requirements, states are passing privacy laws that provide broader protection for consumers’ health privacy.
HIPAA compliance checklist
Download The Ultimate HIPAA compliance checklist to make sure you’re safeguarding healthcare data while staying compliant with regulations. To guide healthcare organizations seeking to navigate HIPAA, this checklist walks through 5 key HIPAA violations to avoid, regulatory fines, essential terminology you need to know, and 8 steps to achieve HIPAA compliance.