The OCR’s Guidance on HIPAA & Online Tracking Technologies Ruled Unlawful: What Does That Mean for Your Practice?
On June 20th, 2024, a federal judge ruled that the Department of Health & Human Services’ new guidance on HIPAA and the use of online tracking technologies was unlawful. For the past year and a half, healthcare providers, insurers, agencies, technology companies and more have been working to adapt to the new guidance, which has now been vacated.
Below, we break down what that means for your organization.
A Brief History of the OCR’s Guidance on Online Tracking Technologies
- Summer 2022 – The Markup breaks its landmark story revealing the improper use of Meta and Google Analytics tracking pixels by many large healthcare organizations. Many of these organizations were sending very personal details to Meta and Google, such as the patient’s name, their conditions and the doctors they were scheduling with.
- December 2022 – The Office of Civil Rights (OCR) released new guidance indicating that covered entities like hospitals or insurers could not send a user’s IP address or any unique identifier, such as a device or user ID, to an analytics platform unless that platform was HIPAA compliant and covered by a Business Associate Agreement (BAA).
- April 2023 – The OCR sent letters to 100 health systems notifying them about the new guidance.
- May 2023 – The American Hospital Association (AHA) appealed to Congress to take action against the OCR’s guidance.
- November 2023 – The American Hospital Association (AHA) and others filed a lawsuit calling on the courts to bar enforcement of the OCR’s guidance.
- March 2024 – The OCR updated its guidance, offering further clarity but making no concessions on its new standards.
- June 2024 – The AHA won its lawsuit and a federal judge declared the new guidance unlawful.
What should you know now that the AHA has won its lawsuit against HHS?
While the OCR’s latest guidance is not currently enforceable, digital HIPAA compliance and the protection of patient privacy remain crucial for healthcare organizations. We don’t yet know how the Department of Health & Human Services will respond to the court’s decision, but we do know that HHS and the FTC are taking data collection and patient privacy very seriously.
So are lawmakers across the nation, who are taking up the mantle of consumer and patient privacy with vigor. Many states have consumer privacy laws set to take effect in 2024, 2025 or 2026 after recent passage.
Between emerging technologies and intensifying scrutiny, it’s more important than ever for healthcare organizations to educate themselves about the policies affecting digital data collection and about how to balance patient privacy with marketing best practices. The AHA’s win may have bought some peace of mind for healthcare organizations, giving them more time to consider their data collection practices and implement new systems. But healthcare organizations will still need to consider how to make their marketing technology stack HIPAA compliant and get a BAA on file for each vendor.
What should you do next?
Audit Your Digital Presence
Across your digital strategy, you’re likely using a lot of different tools and platforms. Now is the time to consider:
- Are those tools collecting any data that merits additional protection, especially under HIPAA?
- If you need to upgrade to a HIPAA-compliant tool, can you use that upgrade as an opportunity to collect more data and build a stronger marketing strategy?
- Do you have Business Associate Agreements on file with each of those tools that collect HIPAA-covered information?
- Do you have Business Associate Agreements on file with any contractors or agencies that handle HIPAA-covered information?
Commit to Transparency
It’s past time to ensure that you’re transparent with patients about how you collect and use their data. Depending on what state you operate in, it may even be a legal requirement, given the proliferation of new privacy laws.
- Review and update your privacy policy and/or terms of service.
- Consider opt-in cookie consent.
- Consider how you would provide a patient with their data, if asked, and how you might erase it, if asked.
Stay On Top of New Laws & Regulations
Many states are taking up and passing new laws similar to the CCPA and the GDPR. HHS continues to update its guidance.
- Review new consumer privacy laws passed.
- Review HHS’ new provisions requiring healthcare websites to meet WCAG 2.1 AA standards by May 2026 (for larger organizations) or May 2027 (for smaller organizations). Be aware that these standards also apply to social media, email and in-person communication.
- Educate your compliance teams or legal counsel. Seek additional legal resources, if needed.
Invest in Forward-Thinking Practices & Technology
Investing in HIPAA-compliant tools and tracking technologies now will help future-proof your organization against upcoming state and federal laws and regulations. It may also provide the opportunity to collect richer and more connected data, helping your organization better understand ROI and invest its budget more effectively.
For the longest time, we’ve reserved the vast majority of our marketing budgets for advertising and design, often neglecting to invest in the high-quality analytics that would help us improve our marketing and prove our value. Now is the time to consider carving out a part of your budget for more robust, HIPAA-compliant analytics and tracking.