
Use of online tracking technologies by HIPAA covered entities and business associates

Press releases may be edited for formatting or style | March 21, 2024

For example, where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve a disclosure of an individual’s PHI to a tracking technology vendor. This is true even if there is a reasonable basis to believe that the information can be used to identify the user who visited the webpage, because the online tracking technologies in this example did not have access to information about an individual’s past, present, or future health, health care, or payment for health care.
Further, visits to unauthenticated webpages do not result in a disclosure of PHI to a tracking technology vendor if the visit is not related to an individual’s past, present, or future health, health care, or payment for health care.

For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.
Tracking technologies on a regulated entity’s unauthenticated webpage that permits individuals to schedule appointments or use a symptom-checker tool without entering credentials may have access to PHI in certain circumstances.

For example, tracking technologies might collect an individual’s email address, or reason for seeking health care typed or selected by an individual, when the individual visits a regulated entity’s webpage and makes an appointment with a health care provider or enters symptoms in an online tool to obtain a health analysis. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply. This is because, unlike the general situation for many unauthenticated webpages, the information collected in this example meets the definition of IIHI.
