Jennifer Hennessy and Aaron Maguregui Discuss HHS Web Tracker Guidance

Foley & Lardner LLP partners Jennifer Hennessy and Aaron Maguregui are quoted in the Fierce Healthcare article, “Update to HHS’ controversial web tracker guidance offers little practical relief, legal experts say,” offering insight on the U.S. Department of Health and Human Services’ (HHS) updated guidance on third-party web trackers and protected health information (PHI).

Maguregui said the changes in the guidance are “basically that when a user is not logged in to the secure portion of the website, PHI is created based on a website visitor’s intent. If the user intended to visit the covered entities website to obtain health care services, then their data is PHI,” he explained. “If the user landed on the website by mistake or to see if the company was hiring, their data is not PHI.”

“The issue is that intent, based on an IP address and click of the mouse, is nearly impossible to ascertain,” he noted.

In their blog post on the update, cited in the article, Hennessy and Maguregui write it “did not materially change” HHS’ position on unauthenticated webpages and, as was the case following the December 2022 bulletin that outlined the policy, advised covered entities to review their websites and mobile apps for compliance.

“If tracking technologies are used on unauthenticated websites, assess where tracking technologies may be accessing information regarding an individual seeking health care services,” they wrote. “Note that if the entity has a health condition specific website or is utilizing tools such as calendaring apps, symptom trackers, or questionnaires soliciting medical information, there is a greater likelihood that the entity’s unauthenticated webpages are collecting PHI per HHS.”