Online Tracking Technology – Clarified

Online tracking technology

Online tracking technology has caused a lot of speculation on what is acceptable or not. Here is a recap in case you missed the ruling last year.

Background & Baseline: HIPAA and Online Tracking

  • The OCR cautioned that certain online tracking technologies (ads, analytical tools, pixels) could potentially collect or disclose personal identifiable health information which is a violation of HIPAA.
  • The OCR and the Federal Trade Commission (FTC) in July 2023 sent letters to hospitals and telehealth organizations, warning of risks where third-party trackers (Google Analytics, Meta Pixel) might be sharing “sensitive health information” outside permitted guidelines of HIPAA.

The core concern: even data collected “passively” (IP addresses, page paths, query strings, referrers) may, in some scenarios, become linked (or inferred) to health conditions or services, thereby turning into PHI (protected health information).

The 2024 OCR “Online Tracking Technologies” Bulletin & Its Revision

  • In March 2024, OCR clarified how covered entities and business associates should consider HIPAA when using online tracking technologies.
  • Key elements of the revised guidance include:
    1. Entities may use online tracking technologies only when such use does not lead to impermissible disclosures of PHI. If sharing PHI with a tracking vendor is necessary, it must occur under a valid Business Associate Agreement (BAA) or through patient authorization, and it must comply fully with HIPAA requirements.
    2. If a vendor is unwilling or unable to sign a BAA, one option is to de-identify or aggregate the data before sharing it, ensuring it no longer qualifies as PHI.
    3. The updated guidance recognizes the complexities of tracking activities on unauthenticated pages (those that do not require a login) and offers greater nuance on when such tracking may involve PHI.

Court Vacates Part of the OCR Guidance

  • In June 2024, a federal court in the Northern Texas removed part of OCR’s “Use of Online Tracking Technologies” guidance. The court determined that OCR exceeded its statutory authority by applying HIPAA to metadata—such as IP addresses—associated with user visits to unauthenticated webpages and by interpreting “individually identifiable health information (IIHI)” too broadly.
  • Specifically, the court invalidated the section of OCR’s guidance that presumed a combination of (1) a user’s IP address and (2) a visit to a public healthcare-related webpage automatically constituted IIHI or PHI, without considering additional context.
  • However, the court did not strike down the entire guidance; provisions related to authenticated user interactions. Such as patient portal logins remain in effect.
  • Following the ruling, HHS voluntarily withdrew its appeal in August 2024. As a result, the court’s decision remains in effect, restricting OCR’s authority in this area.

In practical terms, the ruling relaxes some of the overbroad constraints that the OCR attempted to impose on tracking in public (unauthenticated) settings but does not eliminate HIPAA obligations or the risk from misuse of tracking tools.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

Are annual HIPAA risk assessments necessary?

October 1, 2025
©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC