Penrod Blog

What’s in the revised OCR Bulletin?

Written by Matt Fiel

If you're like me, you may have struggled to understand the scope of the original OCR ruling.

Now that it's well over a year old, we’ve been able to examine the lawsuits, solutions, and spirited debates between marketing and legal teams that followed—and I was confident I finally understood it.

That is until the OCR released an update to the guidance this month. It was an attempt to clarify the spirit of the guidance, but in some ways, it left me with more questions.

Illustration of bulk email and a Gmail user

In this article, I’ll interpret the updated guidance and describe what has changed – and what hasn’t.

The updated guidance covers three main points:

  • Defining tracking technologies
  • The differences between tracking on authenticated pages, unauthenticated pages, and mobile apps
  • Your obligations under HIPAA

What are tracking technologies?

The updated guidance starts by redefining tracking technology – and this is smart because I get tons of questions from healthcare providers about whether tracking technologies include cookies, scripts, beacons, pixels, network requests, or all of the above. Despite its goal to clarify, the updated guidance still leaves room for interpretation – but I’ll do my best to explain.

According to the OCR, tracking technologies involve placing a script on your website or mobile app. The script could use cookies, web beacons, tracking pixels, session replay scripts, or fingerprinting to identify users, collect data, and track behaviors. However, the bulletin focuses explicitly on third-party trackers, not proprietary trackers that send data to first-party platforms.  

Here are some of the data points that the OCR considers identifiers:

  • Medical Record Numbers
  • Home Address
  • Email Address
  • Appointment Dates
  • IP Address
  • >Geographic Location (More precise than state)
  • Device IDs

What constitutes a violation?

Much of the debate around the original OCR bulletin focused on what a violation was. For instance, does a simple pairing of an identifier like an IP address, device ID, or Google SID with a webpage addressing a health condition constitute a violation?

I’ve played mediator between marketing and legal teams seeking to answer this question, and that’s no easy task due to their underlying goals. Marketing aims to gather as much data as possible, and legal seeks to mitigate as much risk as possible.

Unfortunately, the updated ruling is still too vague to provide a healthy balance between marketers and legal teams. 

Here’s the best way I can describe it: 

It does not constitute a violation if the webpage is unrelated to an “individual’s past, present, or future health, health care, or payment for health care.” So, whether a violation has occurred entirely depends on why users access information and the type of page they visit. 

The page type comes down to authentication, which is another way of asking, “Is the user logged into a portal or mobile app?” 

Authenticated webpages

Let me be clear. I would not put any third-party trackers on an authenticated web page unless you have a BAA with the tracker – and the OCR bulletin aligns with this conservative approach. It states:

“A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule.”

It goes on to say that tracking technologies are business associates, so you must have a business associate agreement (BAA) in place with them. Famously, Google Analytics will not sign a BAA, so I do not recommend using Google Analytics on authenticated portals. 

Authenticated webpages

Unauthenticated webpages serve a wide spectrum of purposes, from general information, visiting hours, policies, services, operations, and conditions to career opportunities. 

Part of the problem is that you probably don’t know for sure why a user is visiting your website. Are they searching for job opportunities? Are they a student researching information? Or are they prospective patients?

Ultimately, because their intent is unknowable, you need to treat all these visits equally. 

The OCR bulletin focuses on pages related to conditions, operations, and services—anything related to an individual’s past, present, or future healthcare. If a user is browsing your website for potential procedures, questions about their health, or anything related to their health, you cannot pair an identifier with PHI unless you have a BAA. 

Mobile Apps

Mobile apps are often built on frameworks that may disclose PHI and frequently include third-party trackers, just like a webpage. So, when paired with a name, mobile phone number, IP address, or device ID, disclosure of a health condition is considered a violation of the OCR bulletin.

The safest interpretation of this law requires covered entities to enter BAAs with every vendor participating in the mobile application, including the framework and tracking technologies.


The updated OCR bulletin ends with a blunt warning. They prioritize investigations into online tracking technologies by ensuring healthcare providers identify the trackers used, assess their risk, and mitigate the risk of PHI disclosure. 

Avoiding non-compliance

In summary, the updated OCR bulletin comes down to four primary actions. 

  • Ensure that PHI is not paired with a user identifier when sent to third-party trackers.
  • Ensure that you’re sending the minimum amount of PHI necessary.
  • Ensure a BAA is in place with vendors receiving PHI linked with an identifier.
  • Ensure tracking technologies are part of your risk management process and safeguard PHI with administrative, physical, and technical safeguards.
  • Ensure you have a breach notification process in place.

About The Author

Matt Fiel

EVP of Marketing

With over 15 years of experience in marketing strategy, web development, and creative design, I lead the marketing team at Penrod, a boutique Salesforce partner focused on the healthcare and life sciences industry. As a Salesforce Certified Pardot Consultant, I have deep knowledge and skills in leveraging the platform to optimize marketing automation, lead generation, and customer engagement.

Ready to Transform

Looking to avoid a violation?

Schedule a consultation with an expert consultant at Penrod and get a free compliance action plan. Pick out a time that works for you on the right!