Penrod Blog

A Complete Guide to the OCR Ruling

Written by Matt Fiel

Impermissible disclosures of Protected Health Information (PHI) have severe repercussions. Such breaches can result in hefty fines, legal action, and significant damage to your organization's reputation.

For this reason, it matters to stay vigilant about policy changes, which happen from time to time. One recent change is the 2024 update to the OCR ruling, which provides detailed guidance on the use of online trackers and Customer Data Platforms (CDPs).

A Brief Background of the Original OCR Ruling

In 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued the original OCR ruling. This bulletin laid out specific guidelines on the use of online tracking technologies on mobile applications and websites belonging to HIPAA-regulated entities.

Primarily, the original OCR ruling defined what online trackers are and how they are used on sites and apps. Additionally, the 2022 OCR ruling outlined steps for HIPAA-regulated entities to follow when using trackers like Google Analytics.

The original OCR ruling prohibited regulated entities from using trackers in any way that could violate HIPAA rules or lead to impermissible disclosures. For example, regulated entities could not use trackers to collect identifiers like medical record numbers.

All the same, HIPAA-regulated entities remained free to use trackers for other website analytics purposes. In particular, they could use trackers to monitor traffic patterns, user engagement, and website performance without an issue.

An Overview of the Updated OCR Guidance

On March 18, 2024, HHS issued updated guidance to further clarify the use of online tracking technologies. As before, the new guidance allows regulated entities to use trackers to analyze how users interact with their websites and apps.

However, the updated OCR guidelines emphasize that HIPAA rules apply whenever regulated entities use trackers to collect or disclose PHI. In that scenario, the entities must obtain authorization from the individuals concerned; otherwise the disclosure is impermissible.

Moreover, the updated OCR guidelines highlight the real cost of impermissible disclosure to patients: breaches of patient privacy, mental anguish, and identity theft. Impermissible disclosure can also lead to patient stigma and discrimination.

To that end, the 2024 OCR bulletin provides guidance on how HIPAA rules apply when regulated entities use tracking technologies on mobile applications, user-authenticated web pages, and unauthenticated web pages.

How Customer Data Platforms Comply With the New OCR Ruling

According to the new OCR guidance, HIPAA-regulated entities must sign a business associate agreement (BAA) with any tracking technology vendor that has access to Protected Health Information. This requirement ensures that any third party handling PHI is contractually obligated to comply with HIPAA's privacy standards.

Since many third-party tracker vendors do not sign BAAs, regulated entities might not be able to use third-party trackers like Google Analytics, Google Maps, and Facebook's Meta Pixel directly. Nevertheless, the BAA requirement does not rule out the use of third-party online trackers altogether.

Instead, HHS allows HIPAA-regulated entities to take advantage of online trackers through intermediate vendors, more specifically Customer Data Platforms.

Why Use CDPs for OCR Bulletin Compliance?

There is one main reason why HHS recommends CDPs for OCR bulletin compliance — they act as intermediaries between regulated entities and trackers. Essentially, the CDP signs a BAA and takes on the responsibility of de-identifying PHI before it is sent to trackers that have not signed one.

Beyond signing BAAs, Customer Data Platforms also provide server-side connections to platforms that typically do not sign BAAs, including Google Analytics, Facebook's Meta Pixel, and Google Maps.

As secure intermediaries, CDPs take charge of de-identifying PHI before it is transmitted to third-party trackers. With this de-identification in place, healthcare organizations can leverage powerful analytics without violating HIPAA regulations.

Using Salesforce Data Cloud to Satisfy the Legal Requirements of the Bulletin

Salesforce Data Cloud is one Customer Data Platform that HIPAA-regulated entities like healthcare providers, health plans, and their business associates can count on when striving to comply with the updated OCR bulletin.

Unlike general-purpose CDPs, Salesforce Data Cloud is designed for the complex needs of healthcare organizations. Beyond that healthcare focus, the following are the reasons why Salesforce Data Cloud is the CDP of choice for OCR bulletin compliance.

1. Salesforce Data Cloud Signs BAAs for Data Cloud Licenses

Salesforce signs BAAs for Data Cloud, supporting compliance with the new OCR bulletin. Under the BAA, Salesforce commits to implementing appropriate safeguards to protect PHI. These safeguards protect regulated entities from the liabilities associated with impermissible disclosures.

2. Salesforce Data Cloud Stores PHI in a HIPAA Compliant Environment

Salesforce stores PHI and identifiers from web visitors within a secure and monitored environment. This controlled storage further supports compliance with the OCR bulletin by minimizing access to sensitive data.

3. Salesforce Data Cloud Redacts PHI on the Server Side

Salesforce Data Cloud identifies and redacts PHI on the server side before it is sent to any of the hundreds of supported destinations, such as Facebook’s Meta Pixel, Google Analytics, and Google Maps.

The redaction ensures that no identifiable health information is shared with third-party services that do not sign BAAs. As a result, regulated entities maintain patient privacy and adhere to HIPAA's data protection standards.
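To make the server-side redaction step concrete, here is an added illustration written for this post (it is not Salesforce Data Cloud's or Penrod's code): an allowlist filter that sits between the site and a tracker without a BAA, keeping only traffic, engagement and performance fields, stripping identifier-carrying query parameters and medical-record-style numbers from URLs, and dropping events from authenticated patient pages entirely. The field names, parameter names, path patterns and sample events are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed allowlist: only analytics fields a non-BAA destination may receive.
ALLOWED_FIELDS = {"event_name", "page_path", "referrer_host",
                  "session_duration_ms", "page_load_ms", "device_type"}
# Assumed query parameters that carry identifiers and must never be forwarded.
SENSITIVE_PARAMS = {"mrn", "patient_id", "email", "dob", "appointment_id"}
# Assumed path patterns for user-authenticated or condition-specific pages;
# events from these pages are dropped rather than forwarded.
BLOCKED_PATH_PATTERNS = [re.compile(r"^/patient-portal(/|$)"),
                         re.compile(r"^/conditions/")]
# Runs of 6-10 digits in a path are treated as record-number-like and redacted.
MRN_LIKE = re.compile(r"\b\d{6,10}\b")


def scrub_url(url):
    """Reduce a page URL to a destination-safe path, or None to drop the event."""
    parts = urlsplit(url)
    if any(p.match(parts.path) for p in BLOCKED_PATH_PATTERNS):
        return None
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    path = MRN_LIKE.sub("[redacted]", parts.path)
    # Scheme and host are deliberately omitted from what is forwarded.
    return urlunsplit(("", "", path, urlencode(kept), ""))


def redact_event(event):
    """Return a copy containing only allowlisted fields, or None if dropped."""
    if "page_url" in event:
        path = scrub_url(event["page_url"])
        if path is None:
            return None
        event = {**event, "page_path": path}
    return {k: v for k, v in event.items() if k in ALLOWED_FIELDS}


def prepare_batch(events):
    """Split a batch into forwardable events and a count of dropped ones."""
    safe = [e for e in (redact_event(ev) for ev in events) if e is not None]
    return safe, len(events) - len(safe)


# Constructed sample events: one marketing page view carrying an MRN and an
# email, one page view inside the authenticated patient portal.
SAMPLE_EVENTS = [
    {"event_name": "page_view", "page_load_ms": 840, "device_type": "mobile",
     "page_url": "https://clinic.example/locations/downtown?utm_source=search&mrn=00123456",
     "client_ip": "203.0.113.7", "email": "pat@example.net"},
    {"event_name": "page_view", "page_load_ms": 400,
     "page_url": "https://clinic.example/patient-portal/results?appointment_id=77"},
]
```

Running prepare_batch(SAMPLE_EVENTS) forwards only the first event, reduced to its event name, load time, device type and a path with the mrn parameter removed, and drops the portal event.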

Get an OCR Ruling Readiness Website Analysis From Penrod

Non-compliance with the updated OCR bulletin can result in hefty monetary penalties and other consequences such as reputational damage. However, with Penrod on your side, you can avoid getting on the wrong side of the updated OCR regulations.

We will run a thorough analysis to identify the trackers running on your site and mobile applications. We will then pinpoint the trackers that aren't OCR or HIPAA compliant and recommend changes to make your website fully compliant.

About The Author
Matt Fiel

EVP of Marketing

With over 15 years of experience in marketing strategy, web development, and creative design, I lead the marketing team at Penrod, a boutique Salesforce partner focused on the healthcare and life sciences industry. As a Salesforce Certified Pardot Consultant, I have deep knowledge and skills in leveraging the platform to optimize marketing automation, lead generation, and customer engagement.
