Ask a Healthcare Lawyer: HIPAA Compliance for Healthcare Marketers

Since HHS first issued its guidance on the use of online tracking technologies, along with later updates, healthcare organizations have faced uncertainty. Marketers, compliance, and legal teams within these organizations often find themselves without clear directives.

To address this ambiguity, we sought insights from an expert in the field. Doriann Cain, a Partner at Faegre Drinker, generously dedicated her time to respond to a wide range of questions.

Read on to get all her answers (And if you want to chat directly with Doriann about any of her answers, fill out this form and we’ll connect you).

In Dori’s interpretation, she explains that PHI is any individually identifiable information about a person's past, present, or future physical or mental health condition, provision of healthcare, or past, present, or future payment of health care.

So here, you're really looking at whether it relates to a physical or mental health condition, the provision of healthcare, or the payment of healthcare. That's what constitutes PHI under HIPAA.

👉 Talk to Dori about this question and her answer

As Dori explains, when thinking about health context from a tracking technology standpoint, you're thinking about what an individual is trying to do on that website.

And by tracking them, can you tell that they're actually trying to obtain some type of healthcare or the provision of healthcare? Are they trying to pay for their healthcare? Or are they trying to address the past, present, or future health condition that they may have?

👉 Talk to Dori about this question and her answer

In Dori’s view, it's helpful to look at this in reverse. OCR has issued guidance regarding the de-identification of PHI. Under that de-identification guidance, OCR states that you have to de-identify 18 different data points for information to actually be de-identified.

So, looking at that in the reverse, OCR states that if those identifiers are tied to a past, present, or future health condition, the provision of healthcare, or the payment of healthcare, that is going to be PHI. So, HIPAA identifiers under that guidance include things like name, address, birthday, social security number, and IP  address.

👉 Talk to Dori about this question and her answer

In Dori’s opinion, sending PHI to a vendor that is not a business associate, and specifically states that they do not need PHI to perform their services, is a violation of HIPAA. OCR is going to go after the covered entity.

👉 Talk to Dori about this question and her answer

Dori explains that responsibility sits with the covered entity. They need to be aware of who's a business associate.

Business associates are also directly liable under HIPAA. However, in this instance, if an ad platform specifically states, " We don't want PHI and we're not HIPAA compliant,” then that obligation is with the covered entity. So, the knowledge regarding what is and what is not PHI sits with the covered entity. The covered entity should conduct its due diligence to understand what exactly is in that transmission of data.

👉 Talk to Dori about this question and her answer

In Dori’s view, the liability doesn't sit with the healthcare organization when that ad platform is collecting the data because that is not being done on the healthcare organization's website. There's no tie to that specific covered entity here.

It's essentially an all inclusive type of search where the searcher could go to any healthcare organization that may be connected to those keywords. The information is not stemming from the covered entity.

👉 Talk to Dori about this question and her answer

In Dori’s interpretation, yes, that would be acceptable because you're looking at that definition of a business associate. So would that platform be receiving, creating, or transmitting PHI?

And in that instance, if you don't have PHI, you don't have a business associate.

👉 Talk to Dori about this question and her answer

An ad click ID on its own doesn’t count as protected health information (PHI). It’s similar to an IP address — it can identify a person, but without any link to healthcare services or payment, it’s not PHI. It only becomes PHI when the identifier is tied to information about someone’s care or healthcare transactions.

👉 Talk to Dori about this question and her answer

In Dori’s view, this is not PHI under HIPAA because you're not connecting that to the provision or payment of healthcare services.

So, here, you don't have that second component of the definition of PHI. Since you're missing half of the definition, it wouldn't constitute PHI.

👉 Talk to Dori about this question and her answer

Dori states that you need to have those identifiers be associated with health information.

And in that context, if you're not connecting that to the provision or payment of health care, then it does not constitute PHI under HIPAA.

👉 Talk to Dori about this question and her answer

An IP address by itself typically doesn’t constitute protected health information (PHI). The confusion stems from OCR’s guidance, which suggested that tracking technologies collecting IP addresses on certain healthcare pages could involve PHI. The key is context: if an IP address is connected to someone actively seeking care, like searching for a doctor for migraines or selecting “new patient” on a form,  it can rise to the level of PHI. But in most cases, IP addresses collected on general, unauthenticated web pages are not PHI.

In June 2024, a federal court clarified this further by vacating the part of HHS’s online tracking guidance that treated an IP address combined with a visit to a specific health-related webpage as enough, on its own, to be PHI. The court ruled that “mere” IP-plus-page-visit is not sufficient. 

Still, this doesn’t mean it’s now permissible to freely share IP addresses under HIPAA. Context remains critical, particularly on authenticated pages or when visit data is tied to a person’s care or payment. And as healthcare lawyer Jen Pike emphasizes, HIPAA isn’t the only concern — State Attorneys General, the FTC, and class actions are still actively scrutinizing how organizations collect and share tracking data.

👉 Talk to Dori about this question and her answer

Dori clarifies that merely having an identifier on an unauthenticated webpage, where a viewer seeks general information about a healthcare system's foundation, does not constitute Protected Health Information (PHI). If the interaction is limited to gathering information about the foundation without any connection to seeking healthcare services, then, in her interpretation, it does not involve PHI.

👉 Talk to Dori about this question and her answer

As Dori explains, a visit to a healthcare organization's website does not constitute PHI. There are many different situations in which an individual might visit a website. And so assuming that just viewing a web page is PHI goes above and beyond what OCR would consider PHI.

👉 Talk to Dori about this question and her answer

In Dori’s view, there are other web trackers for organizations to monitor. A major thing organizations could really incorporate into their annual risk assessment is obtaining exactly what tracking technologies they're utilizing and what information they're disclosing to those third parties.

This is a project where you look at tracking technologies as a whole and figure out again whether that tracking technology is first-party or third-party.

And then, if it’s 3rd party, what information are we disclosing back to that tracking technology, and if anything, does it constitute PHI? And if it does constitute PHI do we have a business associate agreement in place with that organization?

👉 Talk to Dori about this question and her answer

Dori explains if a healthcare organization specializes in treating a specific condition, visiting its homepage might imply that the visitor intends to receive those services. However, this assumption stretches beyond OCR's intention with its guidance and the definition of PHI.

While initially, one might assume that a page visit directly correlates with seeking healthcare, various reasons, such as inquiries by family members or legal representatives, complicate this assumption. In Dori’s view, this interpretation exceeds the scope of what the OCR aims to address in its guidance.

Instead, healthcare organizations should focus on more definitive indicators of intent to receive services, such as the presence of dropdown menus or fields where personal information and intent can be explicitly provided. These elements are more indicative of an individual's attempt to access specific services from the organization.

👉 Talk to Dori about this question and her answer

Dori explains in November 2023, AHA came out and alleged that the OCR guidance did a few things. One point that they made is that it exceeded OCR statutory authority and violated the Administrative Procedure Act (APA).

Essentially, they view this guidance to be arbitrary and capricious because it did not undergo the proper notice and comment rulemaking process.

Before something can become legally effective, there has to be notice, and individuals get to comment on that. Then, they process those comments, and then something becomes law.

And so their argument is, “Organizations never had an opportunity to respond to this. And so you're violating the APA here.”

👉 Talk to Dori about this question and her answer

Dori recommends conducting an analysis to address the complexities and legal challenges associated with tracking technologies, guided by OCR recommendations or other relevant statutes. As a basic compliance measure, it's crucial to understand which tracking technologies are in use and what information they collect, especially in determining what constitutes PHI.

For instance, the presence of dropdown menus, fields for entering personal information, login pages, or search functions for specific providers are key areas to scrutinize, as they might link identifiers with health information.

Clarification is essential, especially if current guidance on the use of tracking technologies on unauthenticated pages is revised. However, the analysis should extend to authenticated pages or those explicitly associated with health information.

Moving forward, organizations should evaluate the risks associated with tracking technologies. While some may choose to disable all tracking to ensure HIPAA compliance, others may prefer to reassess their use of such technologies. It's about balancing the organizational risk tolerance with compliance needs, recognizing that an IP address, in most cases, does not alone constitute PHI.

Editor’s note:

Since this recording, the AHA lawsuit has been decided. In June 2024, a federal court narrowed HHS’s guidance, ruling that an IP address plus a webpage visit is not enough, on its own, to be PHI. Still, Dori’s recommendations remain relevant: organizations should continue assessing their tracking technologies in context and consider other enforcement risks from State Attorneys General, the FTC, and class actions.

👉 Talk to Dori about this question and her answer

Prior to the lawsuit being resolved, Dori felt that even if the AHA were to win its lawsuit against OCR, it wouldn’t halt class action lawsuits. Because HIPAA doesn’t allow for a private right of action, plaintiffs instead turn to other laws — such as the Video Privacy Protection Act and various federal and state wiretapping statutes — to file suits. This makes it essential for organizations to understand their risks under these laws, ensure privacy policies are clear about how tracking technologies are used, and obtain appropriate consent before sharing personal information.

More recently, Jen Pike has expanded on why these lawsuits are gaining traction. Plaintiff attorneys can easily detect tracking technologies on healthcare websites, which makes filing suits straightforward. With more than 200 cases filed in just the past two years, frequent settlements have further encouraged this wave of litigation. Jen also notes that changes in HHS guidance don’t alter these risks. Class action lawsuits, state laws, and FTC actions operate independently of HIPAA, often with significant statutory damages at stake.

Editor’s note:

Since this recording, the AHA lawsuit has been decided. The June 2024 ruling narrowed HHS’s tracking guidance but didn’t change the broader litigation landscape. As Dori and Jen highlight, class actions remain a growing risk because they are grounded in other legal avenues — not HIPAA itself.

👉 Talk to Dori about this question and her answer

Dori does not believe that HHS's guidance was intended to get healthcare organizations to stop using ad platforms. Instead, she interprets it as a request for them to carefully assess and recognize what constitutes PHI when using ad platforms.

This means healthcare organizations need to be aware of the information they disclose, determine if it qualifies as PHI, and ensure they are entering into BAAs or obtaining authorizations from individuals before any disclosure occurs. It's not about ceasing the use of ad platforms altogether, but about ensuring their use complies with HIPAA standards.

👉 Talk to Dori about this question and her answer

Dori’s expertise underscores the importance of clarity around PHI and the use of ad platforms. Staying informed and compliant is crucial for healthcare organizations navigating these complex issues. For further guidance or clarification, reach out to Dori at Faegre Drinker or the Freshpaint team directly.

Freshpaint is a Healthcare Privacy Platform that helps healthcare marketers balance high-performance marketing and HIPAA compliance.