Over the past year or so, we've received numerous requests from healthcare clients to remove third-party tracking pixels from their websites.  In  some instances these removals were conditional based upon he page visited in others the removal was sitewide.

This work was in response to a pair of bulletins published by the US Department of Health and Human Services which made it a violation of HIPAA to have third-party web technologies that capture the user's IP address on their site.  The contention was, an IP address of a user makes the user sufficiently identifiable.  If that user then visits a page describing a condition such as cancer, HHS said that it was enough of a connection to consider it a disclosure of individually identifiable health information to the third party and thus a violation of HIPAA.

In a 31 page ruling just handed down by the US District Court, Judge Mark Pittman has determined that restrictions on using third-party web technologies are unlawful.

This makes sense for two reasons, one technical and one obvious:

1. Technical:  An originating IP address does not equal identity.  An IP address identifies a piece of machinery such as a firewall or router - sometimes it can identify a device such as a laptop computer but it can not identify a person.
2. Obvious:  A visit to a page describing a condition does not mean the visitor has that condition.

Given these two reasons, it seemed an odd over-reach at the time and the cause of a lot of expense and wasted time by the healthcare industry.  Indeed the judge concluded the ruling with the following observation:

"But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power. More precisely, it’s a case about our nation’s limits on executive power."

And so, we are back to including tracking pixels such as Google Analytics, Facebook, etc. across healthcare websites.  That is, until the next ruling.

Full Text of Ruling (374.8 KB)