
Decoding Revised OCR Bulletin: Protecting Patient Data

Jason Hamrick | Principal Strategist, Data & Insights

March 26, 2024


Big news out of HHS OCR: On March 18, HHS updated the December 2022 OCR Bulletin that has been the focus of so much agita. Phase2 experts immediately dug into the material and here are our main takeaways.

2 Substantive Changes

  1. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) clarified that an IP address alone is not considered Protected Health Information (PHI). Basically, a person can visit any healthcare organization's non-healthcare pages (such as an "About Us" page), sharing their IP address, without necessarily triggering a PHI disclosure.
  2. If a regulated entity (like a healthcare provider) wants to collect online tracking information that includes PHI (which is sensitive and protected under HIPAA), it can choose to work with a software vendor that can de-identify data (like a Customer Data Platform), provided the two enter into a Business Associate Agreement (BAA). This vendor would then de-identify the PHI in the tracking information and disclose only the de-identified information to tracking technology vendors who are unwilling to sign a BAA directly with the regulated entity.

This is consistent with the path Phase2 has been advising: pass data through an analytics proxy that sanitizes it before sending it downstream for analysis, action, or storage.

Further Interpretation is Needed

IP addresses alone, on unauthenticated web pages, are not considered PHI. Merely identifying a healthcare entity in a domain name or location isn't enough to constitute health information. The real distinction lies in identifying interest in health conditions, symptoms, or specialties. The degree of specialization of the facility determines the level of necessary information protection. 

For instance, direct communication between a browser and Google Maps about a hospital's main location is not considered PHI, but specialty facilities like oncology or reproductive health centers may need to be protected. Examples like this indicate that certain scenarios are nuanced and require expertise and knowledge of the guidelines.

Looking for guidance on navigating the latest updates from HHS OCR? Phase2 is your digital experience partner for healthcare. We are passionate about customer experience, grounded in data and insights, and rooted in more than two decades of successful technology delivery. We specialize in navigating complex technology and turning it into manageable, actionable growth opportunities. Speak with our experts today.

