New HHS Guidelines Clarify Key Information For Marketers

The update to the 2022 bulletin emphasizes the importance of adhering to HIPAA compliance regulations when sharing Personal Health Information (PHI) with tracking technology vendors. It clarifies that PHI includes data such as IP addresses and geolocation, even on sites without logins or specific treatment/billing information. The update eliminates ambiguity around scenarios where data may be collected and deleted afterward or where user consent is obtained through website pop-ups. All tracking technology vendors must sign a Business Associate Agreement (BAA) to ensure HIPAA compliance, or organizations can work with Customer Data Platforms (CDPs) that will establish BAAs with vendors. Without a BAA, disclosing PHI without explicit HIPAA-compliant authorization from individuals is prohibited, and merely agreeing to website tracking cookies is insufficient. The update serves as a reminder for organizations to upgrade to modern HIPAA-compliant technology, such as BAA-signed web analytics and CDPs, to avoid potential fines for non-compliance. For organizations that have not already done so, this reaffirms the need to form high-quality partnerships with agencies that keep HIPAA top of mind.
