In the Headlines
May 2, 2024

How Updated Third-Party Tech Guidance Affects Compliance Efforts


Data privacy attorneys Christopher Iaquinto and Beth Pitman were interviewed by HealthITSecurity about updated guidance on online tracking technologies issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The guidance, released in March 2024, sought to clarify a 2022 OCR bulletin explaining what constitutes an impermissible disclosure of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) on websites that utilize third-party tracking technologies, such as pixels. In the update, OCR largely reiterated its previous position — namely, that individually identifiable health information (IIHI) collected on a covered entity's website is generally PHI. Industry organizations and professionals say this suggests that healthcare providers have to figure out the intent of each website visitor to determine what constitutes a disclosure of PHI.

Mr. Iaquinto characterized this position as "kind of an impossible standard," but added that while litigation plays out, providers have time to learn more about how their systems function and establish a workable solution.

"It's worth some time and effort for folks to understand exactly how their websites are operating," he explained. "From there, the next level is to understand what types of data are being transmitted in connection with those tools. Counsel can help with that, vendors can help with that, but at the very least, it's something that needs to be paid attention to in this climate."

Similarly, Ms. Pitman described the guidance as "a double-edged issue" because of uncertainty regarding enforcement, recommending that covered entities conduct diligence as part of their security risk assessments to identify how and where PHI is being transmitted and maintained by vendors.

"One of the other options that was suggested by HHS is to have a compliant data room vendor who can then clean the data prior to sending it off to the tracking technology," she said. "There are vendors that currently do that, but they are expensive, so it is not something that would be widely available to the average healthcare provider."
