On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In releasing the 2024 update, OCR stated that its purpose was to “increase clarity for regulated entities and the public.” While the update appears to narrow the scope of what OCR considers to be HIPAA-protected health information (PHI) in the context of online tracking technologies, it largely reconfirms prior guidance in the 2022 bulletin and will likely have limited practical impact for HIPAA-covered entities and business associates that have already heeded the 2022 bulletin.
OCR Update on Tracking Technologies Provides Little Relief for HIPAA-Regulated Entities
By Jennifer S. Geetter, David Quinn Gacioch, Elliot R. Golding, Daniel F. Gottlieb, Ryan S. Higgins and Edward G. Zacharias on May 14, 2024
Jennifer S. Geetter
Jennifer S. Geetter advises global life sciences, health care and informatics clients on legal issues attendant to biomedical innovation, research compliance, financial relationship management, digital health practices, and global privacy and data security laws. Jennifer represents a broad range of clients. Read Jennifer Geetter's full bio.
David Quinn Gacioch
David Quinn (Dave) Gacioch focuses his practice on litigation and enforcement defense, primarily related to the US healthcare sector. Dave counsels hospitals, health systems, physician practices, and other providers, along with payors, private equity sponsors, pharmaceutical and medical device manufacturers, and others involved in the US healthcare system, on compliance and risk mitigation issues. He conducts internal investigations for clients, and represents them in government investigations, enforcement actions, and civil and criminal litigation, including class actions. Read David Gacioch's full bio.
Elliot R. Golding
Elliot Golding provides business-oriented privacy and cybersecurity advice to global companies spanning virtually every sector of the economy, with particular expertise in the technology, health care/life sciences, retail/ecommerce, automotive and financial sectors. His practical approach gives clients actionable advice to help balance legal risk with business needs, particularly relating to innovative issues such as “digital health” technologies, biometrics, the Internet of Things, data monetization, online advertising technology and Artificial Intelligence/Machine Learning tools. He provides both day-to-day product counseling and helps companies develop global compliance programs that harmonize CCPA/CPRA (and equivalent laws in Virginia, Colorado, and Utah); GDPR and other international laws; specific rules in the highly regulated health and financial sectors (HIPAA/HITECH, ONC Information Blocking and CMS Interoperability Rules, 42 CFR Part 2, the Common Rule, GLBA, and state equivalents); marketing rules (TCPA, CANSPAM, and industry self-regulatory standards); security standards (such as PCI-DSS, NIST, and ISO); and many others. Elliot has also managed hundreds of breaches and ransomware attacks, guiding clients through all aspects of investigation, notification, remediation and engagement with regulators. Read Elliot Golding's full bio.
Daniel F. Gottlieb
Daniel F. Gottlieb counsels a wide range of health care industry clients, including health care providers, health plans, health information technology (IT) vendors and life sciences companies. He represents these entities on health IT acquisitions, privacy and data protection, reimbursement, fraud and abuse, and other health care regulatory and transactional matters. Daniel is a co-leader of the Firm’s Global Privacy and Cybersecurity Practice. Read Daniel Gottlieb's full bio.
Ryan S. Higgins
Ryan S. Higgins focuses his practice on representing hospitals, health systems, private equity firms and platform companies, and other health care organizations in corporate and transactional matters, including mergers, acquisitions, joint ventures and management arrangements. He also devotes a significant portion of his practice to representing health care organizations in matters involving health information privacy and security and Health Insurance Portability and Accountability Act (HIPAA) compliance. Ryan serves on the Chicago office's Pro Bono Committee and is heavily involved in pro bono matters. Read Ryan Higgins' full bio.
Edward G. Zacharias
Edward G. Zacharias is the managing partner of McDermott’s Boston office. Clients across the healthcare industry and beyond turn to him for practical, business-oriented counsel on their most significant privacy and cybersecurity compliance, healthcare regulatory and transactional matters. Ed’s clients include “Big Tech” companies, health information technology and digital health companies, healthcare providers, insurers, electronic health record platforms, pharmacies, drug and device manufacturers, life sciences companies and health services vendors. Read Edward Zacharias' full bio.