March 29, 2024

HHS OCR Updates Guidance on Third-Party Web Trackers

On March 18, 2024, the Department of Health and Human Services Office for Civil Rights (HHS OCR) published an update to its guidance bulletin on tracking technologies [1] and advised that some visits to unauthenticated websites [2] involve a disclosure of protected health information (PHI). While HHS OCR intended to provide clarity for both regulated entities and the public, the updated guidance is causing concern.

Based on the guidance, HHS OCR still maintains that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA rules.” However, the updated guidance also addresses tracking technologies on unauthenticated websites, which may or may not have access to PHI.

For these websites, HIPAA rules may apply, depending on why an individual visited that website. HHS OCR provides the following guidance: “visits to unauthenticated webpages do not result in a disclosure of PHI to tracking technology vendor[s] if the visit is not related to an individual’s past, present, or future health, health care, or payment for health care.”

[1] HHS OCR defines tracking technology as “a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app.”

[2] HHS OCR defines unauthenticated websites as “webpages that do not require users to log in before they are able to access the webpage.”

The material in all ABA publications is copyrighted and may be reprinted by permission only.