Amidst Legal Fight, HHS Revises Online Tracking Guidance

April 16, 2024

On March 18, 2024, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued revised guidance on the use of tracking technologies by HIPAA-covered entities and business associates. Even before these updates, the original bulletin was already controversial in its broad definition of protected health information (PHI) in online settings and has been the subject of litigation spearheaded by the American Hospital Association.

Broad Definition of PHI in the Online Setting Remains

The definition of protected health information (PHI) in the online setting continues to be interpreted broadly by OCR. This is critical for covered entities to keep in mind when assessing their HIPAA compliance obligations and determining the need for business associate agreements (BAAs) with tracking technology vendors. For example, the updated guidance makes clear that “fingerprints, network location, geolocation, device ID, [and] advertising ID” are all pieces of information that can potentially qualify as PHI if related to past, present or future health care or the seeking of health care services. Of course, this list is not exhaustive—many more forms of data collected through tracking technology deployed on covered entities’ mobile apps and websites constitute PHI as well.

The updated guidance also clarifies that using tracking technology to collect information related to seeking health care services (such as looking at treatment options or using a symptom-checker tool) may trigger the need for a business associate agreement with the tracking technology vendor.

Ultimately the guidance, even with the latest revisions, does little to help covered entities and business associates differentiate between PHI and non-PHI collected online, which raises significant questions about the appropriate use of online tracking technologies.

Focus on “Impermissible Disclosures”

The updated guidance highlights the importance of avoiding “impermissible disclosures.” As the updated guidance states, “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors.” A disclosure is considered impermissible if it does not align with one of the permitted disclosures outlined under HIPAA, such as through patient authorization or to a business associate with a business associate agreement.

Remember: HIPAA Only Applies to Covered Entities and Business Associates

The updated guidance also reiterates that HIPAA does not apply to “information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities . . . [including] health information that an individual enters into a mobile app offered by an entity that is not regulated by HIPAA.”

Covered entities and business associates should proactively evaluate their websites and mobile applications against HIPAA requirements, taking into consideration this latest guidance. If you have questions about privacy or data protection compliance, we invite you to contact us for more information.