AHA says OCR's online tracking tool rules need to go

The American Hospital Association says new regs from the HHS Office for Civil Rights clash with HIPAA, contradict interoperability efforts and are "flawed as a matter of law and harmful as a matter of policy."
By Andrea Fox
10:28 AM

AHA says OCR's rules limit the ability of hospitals to assess how their patients use their websites and access important health-related information.


In a letter to the Senate Committee on Health, Education, Labor and Pensions, the American Hospital Association said the U.S. Department of Health and Human Services Office for Civil Rights rule on the use of online tracking tools is at odds with existing HIPAA rules and could cause meaningful harm to patients and public health.

"Congress should urge OCR to withdraw the rule immediately," AHA said in its response to a request for information on data privacy and HIPAA.

WHY IT MATTERS

On behalf of AHA and its members – 5,000 healthcare organization members, 270,000 affiliated physicians, two million nurses and other caregivers, and 43,000 healthcare leaders – the organization told the HELP Committee that it believes the current HIPAA rules are an effective framework for sharing patients’ protected health information "without creating significant impediments to the robust use and disclosure of information necessary to support high-quality care."

For these reasons, the AHA "does not believe that Congress should make any major revisions to HIPAA at this time," the organization said by letter on September 28.

AHA, however, noted two specific issues that "would benefit from congressional attention" – OCR's December rule regarding the use of online tracking tools, and the various state privacy laws that layer additional requirements on top of HIPAA.

In its September RFI, the HELP Committee asked stakeholders for feedback on a number of questions about health data and accountability, including whether accountable entities should have a duty of loyalty to patients, how such a duty could be imposed so as to minimize burdens on those entities, and whether "requirements of such a duty [should] be based on the sensitivity of collected data."

While saying it believes that no changes to HIPAA are needed at this time, AHA asked Congress to urge OCR to withdraw its December rule, which restricts healthcare organizations' use of online tracking tools that collect information about how users interact with regulated entities' websites.

The association said the rule has had consequences that run counter to OCR's own efforts to encourage hospitals to share non-private health information with the public.

"This rule is flawed as a matter of law and harmful as a matter of policy," the AHA asserted.

Hospitals and health systems are caught between OCR's "unlawful rule" governing the use of online tracking tools and the third-party vendors that supply those tools, leaving them unable to provide "the most reliable health information available," AHA said.

"Without consulting healthcare providers, third-party technology vendors or the public at large, the agency issued a sub-regulatory guidance document that has had profound effects on hospitals, health systems and the communities they serve."

In the new rule, "OCR took the position that when an online technology connects an individual’s IP address with a visit to a public webpage that addresses specific health conditions or healthcare providers, that combination of information is subject to restrictions on use and disclosure under HIPAA," AHA explained. 

"Thus, website visitors’ IP addresses are protected even if they are not actually seeking medical care." 

In OCR's "misguided view," the same HIPAA protections apply whenever a visitor looks up any medical information – general health information, information on behalf of a relative, academic research and more – an interpretation that AHA argued goes beyond what the HIPAA statute authorizes.
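The mechanism AHA is describing is mechanical rather than legal: any third-party resource a page loads causes the visitor's browser to open a connection to that third party, which therefore sees the visitor's IP address, and, depending on the page's Referrer-Policy and on what the embedded script itself reports, the URL of the condition-specific page being viewed. The following audit script is an added example written for this page, not code from AHA, OCR or any vendor; it uses a constructed sample page with a placeholder hostname (`hospital.example`), a placeholder pixel ID, and an illustrative (not exhaustive) table of analytics, video, map and pixel hostnames standing in for the kinds of embeds the article discusses.

```python
"""Audit a hospital web page for third-party embeds and show what each third party
can learn from a single visit.  Added example; hostnames, IDs and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Illustrative table of third-party hosts behind the service families the article
# names (analytics, video, maps, pixels).  Not an exhaustive tracker list.
THIRD_PARTY_SERVICES = {
    "www.googletagmanager.com": "Google Tag Manager / Analytics",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.youtube.com": "YouTube embed",
    "www.google.com": "Google Maps embed",
}

# Elements whose attribute makes the browser fetch a URL on page load.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Referrer-Policy values that send the full page URL cross-origin, and values that send
# nothing; every other value (including the browser default,
# strict-origin-when-cross-origin) sends only scheme + host.
FULL_REFERER = {"unsafe-url", "no-referrer-when-downgrade"}
NO_REFERER = {"no-referrer", "same-origin"}


class EmbedCollector(HTMLParser):
    """Collects every (tag, url) pair that triggers a fetch, plus <meta name=referrer>."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.referrer_policy = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "referrer":
            self.referrer_policy = a.get("content")
        attr = LOADING_ATTRS.get(tag)
        if attr and a.get(attr):
            self.urls.append((tag, a[attr]))


def audit_page(html, page_url):
    """Return one finding per cross-origin fetch the page triggers."""
    page_host = urlparse(page_url).hostname
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        host = urlparse(url).hostname
        if host is None or host == page_host:
            continue  # relative or first-party resource: no third party involved
        findings.append({
            "tag": tag,
            "host": host,
            "service": THIRD_PARTY_SERVICES.get(host, "unknown third party"),
            "url": url,
            "referrer_policy": collector.referrer_policy,
        })
    return findings


def third_party_view(finding, page_url, client_ip):
    """What the third party records from one request: the visitor's IP from the TCP
    connection, the page URL via Referer (policy permitting) or the embed's own query
    string, and, for scripts, whatever the script reads from the DOM and reports."""
    policy = finding["referrer_policy"]
    page = urlparse(page_url)
    if policy in NO_REFERER:
        referer = None
    elif policy in FULL_REFERER:
        referer = page_url
    else:
        referer = f"{page.scheme}://{page.hostname}/"  # default: origin only
    params = {k: v[0] for k, v in parse_qs(urlparse(finding["url"]).query).items()}
    return {
        "service": finding["service"],
        "client_ip": client_ip,
        "referer": referer,
        "query_params": params,
        # A script tag executes inside the page and can read document.location itself,
        # so Referrer-Policy does not limit what it can send back.
        "can_read_page_url": finding["tag"] == "script",
    }


# Constructed sample: a condition page with a tag-manager script, a noscript pixel
# beacon and a video embed, alongside first-party resources that should not be flagged.
PAGE_URL = "https://hospital.example/conditions/oncology/breast-cancer"
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/site.js"></script>
</head><body>
<img src="/img/logo.png">
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000&ev=PageView&noscript=1"></noscript>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, PAGE_URL):
        print(f["tag"], f["host"], third_party_view(f, PAGE_URL, "203.0.113.7"))
```

Two points the output makes that the prose alone does not: under the browser default referrer policy a plain image or iframe embed discloses the visitor's IP and the site's origin but not the condition-page path, so a site that relaxes the policy to `unsafe-url` or `no-referrer-when-downgrade` leaks the full URL; and a script tag such as an analytics or pixel loader never depended on Referer in the first place, because it runs in the page and reads the URL itself. That is why the analytics and pixel scripts, rather than static embeds, are the usual source of the IP-plus-condition combination OCR's guidance targets.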

HIPAA and its implementing regulations "strike a balance," protecting patient privacy while permitting "important uses of information," according to AHA. 

AHA said OCR's online tracking tools policy means that hospitals and health systems can no longer rely on third-party technologies like Google Analytics, YouTube and other video applications.

Without analytics, organizations cannot judge which areas of a website patients have trouble navigating, how much community interest there is in particular medical topics, and more.

"These tools allow hospitals to more effectively allocate resources and help community members to more easily find the healthcare information that they are seeking," AHA said.

Without third-party maps and location services, hospitals would be hard pressed to tell patients where healthcare services are available, the organization said, giving embedded bus schedules and driving directions to and from a patient's location as examples of tools they would be forced to restrict.

Limiting video technologies also minimizes the range of health information health systems can share with the communities they serve, said AHA.

"Hospitals and health systems cannot risk the serious consequences that flow from OCR’s unlawful rule, including HIPAA enforcement actions, class action lawsuits or the loss of significant investments in existing websites," AHA said in its request.

Meanwhile, third parties can decline to sign business associate agreements that would commit them to protecting private patient information, AHA noted. Under the guidance, a regulated entity may disclose protected health information to a tracking vendor only if the vendor has agreed to become a business associate, so a vendor that refuses cannot lawfully receive it.

"If the OCR’s new rule is permitted to stand, hospitals and health systems will be forced to restrict the use of valuable third-party technologies like these."

In addition, AHA has long advocated that HIPAA’s requirements be the uniform nationwide standard for protecting the privacy and security of all patient information. Because the HIPAA framework is both effective and entrenched, Congress should enact full federal preemption for HIPAA, the hospital organization said.

"The patchwork of differing requirements poses significant challenges for providers’ use of a common electronic health record that is a critical part of the infrastructure necessary for effectively coordinating patient care and maintaining population health," said AHA.

"For all the strengths of the existing HIPAA framework, its approach to preemption has proven to be problematic," the group claimed in the HELP Committee letter. 

"In addition, the existing state and federal patchwork of health information privacy requirements remains a significant barrier to the robust sharing of patient information necessary for coordinated clinical treatment," said AHA. "If Congress were to make any changes to HIPAA, it should address this problem and enact a full preemption provision."

THE LARGER TREND

In July, OCR and the Federal Trade Commission sent a warning letter to hospitals about online tracking pixels reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.

"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule," the agencies said in the joint letter.

Many health systems are involved in class action lawsuits over alleged breaches of PHI. Earlier this year, several Louisiana hospitals were accused of sharing medical conditions, prescriptions, doctors' names and previous appointments with Facebook when patients scheduled appointments online or through patient portal apps. In August, Advocate Aurora Health agreed to settle a class action lawsuit for $12.2 million related to the health system's October 2022 announcement that it had notified nearly three million patients in Illinois and Wisconsin of a potential data breach involving pixel trackers.

AHA noted in its RFI response letter to the Congressional committee that the warning letters were accompanied by a press release reinforcing the threat of consequences for violating the December rule.

"OCR stated that it is 'concerned' that hospitals' use of these technologies results in 'impermissible disclosures of health information' — an issue that OCR 'will use all of its resources to address,'" AHA said, noting that last month OCR publicly released the names of all hospitals and health systems that received its warning letter.

ON THE RECORD

"Courts have already concluded that the interpretation of individually identifiable health information offered by HHS in its guidance 'goes well beyond the meaning of what the statute can bear,'" AHA said in its letter to the Senate.

"HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, it strikes the appropriate balance between health information privacy and valuable information-sharing," the group added. "Varying state laws only add costs and create complications for hospitals and health systems."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
