Global Edition
Government & Policy

AHA says OCR's online tracking tool rules need to go

The American Hospital Association says new regs from the HHS Office for Civil Rights clash with HIPAA, contradict interoperability efforts and are "flawed as a matter of law and harmful as a matter of policy."
By Andrea Fox
October 03, 2023
10:28 AM

AHA says OCR's rules limit the ability of hospitals to assess how their patients use their websites and access important health-related information.

Photo: Adrienn/Pexels

In a letter to the Senate Committee on Health, Education, Labor and Pensions, the American Hospital Association said the U.S. Health and Human Services Office of Civil Rights rule regarding the use of online tracking tools is at odds with existing HIPAA rules and could cause meaningful harm to patients and public health.

"Congress should urge OCR to withdraw the rule immediately," AHA said in its response to a request for information on data privacy and HIPAA.

WHY IT MATTERS

On behalf of AHA and its members – 5,000 healthcare organization members, 270,000 affiliated physicians, two million nurses and other caregivers, and 43,000 healthcare leaders – the organization told the HELP Committee that it believes the current HIPAA rules are an effective framework for sharing patients’ protected health information "without creating significant impediments to the robust use and disclosure of information necessary to support high-quality care."

For these reasons, the AHA "does not believe that Congress should make any major revisions to HIPAA at this time," the organization said by letter on September 28.

AHA, however, noted two specific issues that "would benefit from congressional attention" – OCR's December rule regarding the use of online tracking tools and the various state privacy regulations that pile on HIPAA.

In its September RFI, the HELP Committee asked stakeholders for feedback on a number of questions about health data and accountability, including whether accountable entities should have a duty of loyalty to patients and how it could be imposed so as to minimize burdens on those entities.

"Should requirements of such a duty be based on the sensitivity of collected data?" 

While saying it believes that no changes to HIPAA are needed at this time, AHA asked Congress to urge OCR to withdraw its December rule barring healthcare organizations from using online tracking tools to collect information about how users interact with regulated entities’ websites. 

The association said the rule has resulted in consequences that contravene OCR's efforts to encourage hospitals to share non-private healthcare information with the public.

"This rule is flawed as a matter of law and harmful as a matter of policy," the AHA asserted.

Hospitals and health systems are caught between OCR's "unlawful rule" governing the use of online tracking tools and third-party vendors, and they are not able to provide "the most reliable health information available," AHA said. 

"Without consulting healthcare providers, third-party technology vendors or the public at large, the agency issued a sub-regulatory guidance document that has had profound effects on hospitals, health systems and the communities they serve."

In the new rule, "OCR took the position that when an online technology connects an individual’s IP address with a visit to a public webpage that addresses specific health conditions or healthcare providers, that combination of information is subject to restrictions on use and disclosure under HIPAA," AHA explained. 

"Thus, website visitors’ IP addresses are protected even if they are not actually seeking medical care." 

In OCR’s "misguided view," the same HIPAA protections apply if visitors search for any medical information, such as general health information, information for a relative, academic research and more – and that violates HIPAA, AHA argued. 

HIPAA and its implementing regulations "strike a balance," protecting patient privacy while permitting "important uses of information," according to AHA. 

AHA said OCR's online tracking tools policy means that hospitals and health systems can no longer rely on third-party technologies like Google Analytics, YouTube and other video applications.

Without analytics, organizations cannot judge which areas of a website patients are having trouble navigating, the level of community concern for particular medical concerns and more. 

"These tools allow hospitals to more effectively allocate resources and help community members to more easily find the healthcare information that they are seeking," AHA said.

Without third-party maps and location services, hospitals are pressed to provide better information about where healthcare services are available, the organization gave as an example. They'll be forced to restrict the use of tools like embedded bus schedules or driving directions to and from a patient's location.

Limiting video technologies also minimizes the range of health information health systems can share with the communities they serve, said AHA.

"Hospitals and health systems cannot risk the serious consequences that flow from OCR’s unlawful rule, including HIPAA enforcement actions, class action lawsuits or the loss of significant investments in existing websites," AHA said in its request.

Meanwhile, third parties can decline to sign business associate agreements that would commit them to protecting private patient information, AHA noted.

"If the OCR’s new rule is permitted to stand, hospitals and health systems will be forced to restrict the use of valuable third-party technologies like these."

In addition, AHA has long advocated that HIPAA’s requirements be the uniform nationwide standard for protecting the privacy and security of all patient information. Because the HIPAA framework is both effective and entrenched, Congress should enact full federal preemption for HIPAA, the hospital organization said.

"The patchwork of differing requirements poses significant challenges for providers’ use of a common electronic health record that is a critical part of the infrastructure necessary for effectively coordinating patient care and maintaining population health," said AHA.

"For all the strengths of the existing HIPAA framework, its approach to preemption has proven to be problematic," the group claimed in the HELP Committee letter. 

"In addition, the existing state and federal patchwork of health information privacy requirements remains a significant barrier to the robust sharing of patient information necessary for coordinated clinical treatment," said AHA. "If Congress were to make any changes to HIPAA, it should address this problem and enact a full preemption provision."

THE LARGER TREND

In July, OCR and the Federal Trade Commission sent a warning letter to hospitals about online tracking pixels reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.

"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule," HHS said in the bulletin.

Many health systems are involved in class action lawsuits over alleged breaches of PHI. Earlier this year, several Louisiana hospitals were accused of sharing medical conditions, prescriptions, doctors' names and previous appointments with Facebook when patients scheduled appointments online or through patient portal apps. In August, Advocate Aurora Health agreed to settle a class action lawsuit for $12.2 million related to the health system's October 2022 announcement that it had notified nearly three million patients in Illinois and Wisconsin of a potential data breach involving pixel trackers

AHA noted in its RFI response letter to the Congressional Committee those warning letters included a press release that supported threats of consequences for violating the December rule.

"OCR stated that it is 'concerned' that hospitals’ use of these technologies results in 'impermissible disclosures of health information — an issue that OCR 'will use all of its resources to address,'" AHA said, noting that last month OCR publicly released the names of all hospitals and health systems that received its warning letter.

ON THE RECORD

"Courts have already concluded that the interpretation of individually identifiable health information offered by HHS in its guidance "goes well beyond the meaning of what the statute can bear," AHA said in its letter to the Senate.

"HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, it strikes the appropriate balance between health information privacy and valuable information-sharing," the group added. "Varying state laws only add costs and create complications for hospitals and health systems."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: 
Analytics, Compliance & Legal, Government & Policy, Patient Engagement, Population Health, Privacy & Security

More regional news

UnitedHealth Group Optum building

Optum Virtual Care said to be closing down

By
Andrea Fox
April 26, 2024
Dr. Yinka Oyelese of Beth Israel Deaconess Medical Center on ultrasound AI

AI can make maternal ultrasonography more accessible, accurate and efficient

By
Bill Siwicki
April 26, 2024
John Halamka, president, Mayo Clinic Platform, and Arcadia president and CEO Michael Meucci with Kate Milliken

Prepare for success before deploying healthcare AI

April 26, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Dr. Yinka Oyelese of Beth Israel Deaconess Medical Center on ultrasound AI
AI & ML Intelligence
AI can make maternal ultrasonography more accessible, accurate and efficient

Most Read

HIMSS24 Europe: Interoperability takes centre stage in Rome
Views from the Top sessions offer valuable insights for IT innovation
Virtus Health enhancing IVF patient experience with AI
HSCC publishes 5-year healthcare cybersecurity strategic plan
Healthcare is the big victim of Blackcat's cyber counteroffensive
Highmark works with Epic and Google to boost payer-provider data exchange

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Artificial Intelligence
Analytics
Analytics

Video

Adam McMullin at AvaSure_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Patient safety gets a boost from AI-powered virtual care
Sponsored by
John Halamka, president, Mayo Clinic Platform, and Arcadia president and CEO Michael Meucci with Kate Milliken
AI should augment, not replace, clinicians’ expertise
Jonathan Bush at Zus Health_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Independent patient data platform helps advance interoperability
Rachelle Landry at BD Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How to help clinicians understand the value of digital health

More Stories

A radiologist examining X-ray images
National University Hospital launching AI-driven...
Heidi Wold at Longevity Health Plan_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Patients benefit from post-acute care
Wes Cronkite of TruBridge on AI
Highlighting rural voices is imperative for equitable, bias-free healthcare AI
Dr. Bill Frist and Larry Ellison
Oracle launches Autonomous Shield initiative, with eye on cloud cybersecurity
Clinicians consult a tablet
Patch management advice for fixing IoT vulnerabilities
Dr. Jesse M. Ehrenfeld, AMA president_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
AMA leader: Physicians must be the lodestar for IT innovation
Christine Antorini
Recognizing nursing as a calling: A key step toward enhancing workforce sustainability
One of Mercy Health's hospitals in Victoria
Role-based messaging's growing popularity in...