AHA sues HHS to stop OCR guidance on web trackers. This is super-inside-baseball HIPAA stuff, folks. And it has a chance of taking hold.
Here's the background: many websites use some type of technology to track user behavior on the website. There are tons of legitimate reasons why you would want to do this: if every visitor to one part of your website clicks the same link, or otherwise acts in a non-random way, you want to know it. For example, let's say you offer weight loss services and have a page with many different choices (exercise programs, diet counseling, Ozempic, psychedelics, etc.), and you have an equal number of staffers working to provide each choice. But you find out from tracking technology that 90% of your visitors go to the Ozempic page, while nobody ever clicks on exercise. If you're running your business responsibly, you'll switch the exercise employees over to the Ozempic team. But you might never know that website visitors are behaving that way without a tracker.
One of the ways trackers work is by tying the visitor's choices to that particular visitor, usually by the specific signature of the computer or other device that connected to the website (for example, the user's cell phone or iPad). The company that provides the tracking technology uses the information it gathers to fine-tune its algorithms for its healthcare provider customer, but it also uses the information for other purposes, such as the marketing services it sells to other customers.
Here's the problem: the device ID isn't necessarily the person who owns it (multiple people could have access to and use the same iPad), and the behavior of the person doesn't necessarily tell you anything specific about the person (I could be looking at information about a particular disease not because I have it, but because I know someone who does and I'm curious). However, it's still a pretty good proxy. If I go to a weight-loss website, I'm probably looking to lose weight; if I go to a diabetes website, the odds are pretty good that I'm a diabetic. And if my computer goes to the website, it's probably because it's me that's operating it. Thus, you can deduce, not with certainty but with some high level of likelihood, that if my cell phone accesses a website for X disease, I have that disease. HOWEVER, is data that's simply indicative of health status PHI? How tight does the connection need to be?
And therein lies the problem -- the information derived from the tracking technology COULD be PHI, and letting the technology company have access to that information would make the vendor a business associate. The vendors don't want to be restricted in how they use that data.
OCR has declared (in a December 2022 bulletin) that providers that use tracking technology must have BAAs with those vendors, but those vendors won't sign BAAs. The end result is that big hospital systems are prevented from using a technology that can streamline their processes, save them money, and allow them to better serve their patients. Hence the AHA's actions.
This will be interesting.
(11/3/23)
UPDATE 11/9/23: Interesting press release from AHA and other hospital associations relating to their suit against HHS over web trackers. According to Bloomberg Law (subscription may be required), HHS uses on its own websites the same tracking technology that its guidance warns hospitals may violate HIPAA. Interestingly, I also learned in that article that hundreds of class-action lawsuits have already been filed against hospitals for using the technology in violation of HIPAA.
This isn't the end of the story, of course: HHS isn't a HIPAA-covered entity (although Medicare and Medicaid are), and people searching the HHS website usually aren't looking for specific medical conditions or providing the same type of information as a visitor to a hospital site might. However, from a general privacy standpoint, it's an interesting point of hypocrisy.