Are You Violating HHS Tracking Technology Rules?

BACKGROUND: Recent developments in HIPAA compliance for healthcare websites have shifted with a significant court ruling in 2024. A federal court vacated the U.S. Department of Health and Human Services (HHS) guidance on online tracking technologies, which previously restricted the use of web analytics tools like Google Analytics or advertising pixels on healthcare websites.

This ruling has created a more permissive environment for healthcare providers and payors in terms of using online tracking technologies, if they ensure compliance with other HIPAA provisions. Regardless, it remains essential to stay informed about ongoing legal challenges and further regulatory guidance from HHS as this area of law continues to evolve.

UPDATES ON AHA LAWSUIT: In conjunction with the recent court decision to vacate the HIPAA tracking guidance, the American Hospital Association’s (AHA) lawsuit remains pivotal. The court’s ruling has reinforced AHA’s arguments that HHS exceeded its authority under HIPAA by enforcing strict limitations on the use of web-based tracking technologies. However, this does not fully exempt healthcare providers from ensuring HIPAA compliance, particularly in terms of safeguarding patient data when using third-party tools. For more details on the court’s ruling, visit the Holland & Hart Health Law Blog.

HERE'S WHAT YOU NEED TO KNOW.

THE PROBLEM: A violation occurs when a covered entity shares PHI data + health information with a non-HIPAA compliant destination (like Google Analytics or an ad pixel/platform).

DEFINITION OF A COVERED ENTITY AS PER HHS: Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

WHAT IS AFFECTED BY THIS RULE? All third-party integrations to covered entity websites that collect PHI data (including IP addresses) and do not offer business associate agreements (BAAs). Here are a few examples:

Google Analytics or any other Customer Data Platform
Advertising Pixels (Meta, LinkedIn, TikTok, Google, etc.)
Embedded YouTube videos
Link shorteners (like Bitly, that store information)
QR code generators (that store information)
Visible health conditions in UTM codes (“campaign_bariatric-surgery”)
Website plug-ins that capture PHI and website activity (this may include interactive maps on provider directories)

TOP SOLUTION VENDORS: Given the recent vacating of the HHS guidance on tracking technologies, hospitals and healthcare providers still need to ensure HIPAA compliance when using third-party tools. Here are the top vendors that offer HIPAA-compliant solutions, addressing concerns around online tracking, data sharing, and patient privacy:

Tealium
Celebrus
Freshpaint
Piwik PRO

RECOMMENDATION: For hospitals needing to continue using third-party analytics and tracking technologies in compliance with HIPAA, Tealium and Piwik PRO stand out as the best options. Both offer strong privacy controls and have server-side integrations that help ensure compliance. Celebrus and Freshpaint also provide good options for healthcare providers with different data integration needs.

It’s advisable to consult with each vendor to determine which one fits your organization’s size, digital infrastructure, and specific compliance requirements.

DISCLAIMER: This article does not constitute legal advice. If you are unsure about your organization’s ability to comply with HIPAA guidelines or liability under the recent HHS bulletin, you should consult an attorney.