Managed Care Outlook 2025

The use of third-party trackers to power data-driven marketing continues to present regulatory and class action risk for managed care organizations (MCOs). A primary driver of that increased risk was the bulletin released by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which described potential HIPAA noncompliance arising from the use of third-party trackers. In March 2024, OCR revised the bulletin, and part of it was later vacated by a federal district court. But recent guidance from federal regulators indicates that risks remain. In light of this risk, MCOs should evaluate their use of third-party tracking technologies.

Why did OCR revise the bulletin?

The bulletin, originally released in December 2022, explained that impermissible disclosures of protected health information (PHI) can occur through routine tracking tools on websites made available by HIPAA-regulated entities, and that these disclosures could lead to breach-notification obligations under HIPAA. In particular, OCR took the position that PHI exists if a third-party tracker connects (1) an individual’s IP address with (2) a visit to a regulated entity’s unauthenticated public web page addressing specific health conditions or listing health care providers (the Proscribed Combination).

OCR issued a revised version of the bulletin in March 2024 that sought to clarify regulated entities’ obligations with respect to the Proscribed Combination, but the revised bulletin appeared to suggest a standard that would be effectively impossible for companies to meet. Essentially, the revised bulletin suggested that whether the Proscribed Combination constituted PHI depended on the subjective intent of the web page visitor. According to the revised bulletin, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s web page listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student. But if an individual were looking at a hospital’s web page listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that web page would be a disclosure of PHI, to the extent that the information was both identifiable and related to the individual’s health or future health care.

In June 2024, the U.S. District Court for the Northern District of Texas vacated the portion of the bulletin related to the Proscribed Combination, finding that the bulletin “improperly create[s] substantive legal obligations for covered entities.” HHS initially appealed that decision but then withdrew the appeal on August 29.

Key takeaways
  • Although a court vacated portions of OCR's guidance on third-party trackers, such trackers remain a focus of regulators and class action plaintiffs
  • MCOs should align third-party tracker use with public statements and privacy notices per recent FTC guidance
  • Organizations should inventory third-party trackers to identify those with risks outweighing benefits