Abstract
Since the final Privacy Rule was issued more than two decades ago, Internet Protocol (IP) address numbers, URLs, device identifiers and "[a]ny other unique identifying number, characteristic, or code" have been among the data elements that must be removed in order for a data set to qualify under the HIPAA de-identification safe harbor. According to a U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) bulletin issued in December 2022 (2022 Bulletin), it did and they were. The 2022 Bulletin also stated that any information collected about visitors to a public website, even an unauthenticated site, "is indicative that the individual has received or will receive health care services or benefits from the covered entity." [...] OCR's original view was that any disclosure of tracking tools to third parties would require a HIPAA business associate agreement with third-party tracking vendors, or a full HIPAA-compliant patient authorization. The opinion stated that "[t]his Court knows a law when it sees one, and the Proscribed Combination is a law. [...] the Revised Bulletin is a 'final agency action' subject to judicial review."