On June 20, 2024, a Texas federal judge ruled that key portions the guidance promulgated by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) on the use of online tracking technologies (the “Guidance”)1 was unlawful and exceeded the scope of HHS OCR's administrative authority.2 The Guidance, which we have summarized in prior Alerts, sought to strictly regulate the use of online tracking technologies under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (“HIPAA”), and has spurred class action litigation, breach notifications and governmental investigations nationwide. The ruling relates solely to the Guidance's introduction of an expanded definition of individually identifiable health information (“IIHI”), which has posed additional and unexpected compliance obligations on HIPAA-regulated entities.
The Guidance Expanded the Definition of IIHI, Creating Compliance Challenges
In relevant part, the Guidance, initially published in December 2022 and updated in March 2024, asserted that “the mere fact that an online tracking technology connects the IP address of a user's device (or other identifying information) with a visit to a[n] [unauthenticated] webpage addressing specific health conditions or listing health care providers is . . . a sufficient combination of information to constitute IIHI if the visit to the webpage is . . . related to the individual's own health.”3 Importantly, the Guidance noted that such information generally constitutes protected health information (“PHI”) “even if the individual does not have an existing relationship with the regulated entity.”4 The Guidance therefore prohibited HIPAA-regulated entities' disclosure of broad categories of IIHI on unauthenticated webpages through the use of online tracking technologies unless a valid business associate agreement was in place with the tracking technology vendor or, in the alternative, a valid patient authorization was secured.
The Guidance's expanded definition of IIHI thus introduced compliance challenges for HIPAA-regulated entities and created confusion regarding whether information collected on unauthenticated websites in fact constituted IIHI, especially with respect to certain information, which by itself would not meet the traditional definition of PHI under HIPAA. This confusion was compounded by the March 2024 updates, which proposed that the characterization of IIHI was dependent on the website visitor's subjective intent, inscrutable by the HIPAA-regulated entity.
Further, the Guidance triggered numerous class action lawsuits against HIPAA-regulated entities that had shared information collected via embedded online tracking technologies on both unauthenticated and authenticated webpages. Such classes have sought damages against the entities, arguing that the collection and disclosure of such information in this way was in violation of their obligation to maintain such confidential information. Plaintiffs have asserted that they were unaware that their searches or actions on the websites were being tracked and their information was sent to third parties. While many of these lawsuits remain ongoing, some have resulted in multi-million-dollar settlements.5
American Hospital Association et al. Brought Lawsuit Challenging the Legality of the Guidance
In November 2023, the American Hospital Association, along with the Texas Hospital Association, Texas Health Resources and the United Regional Health Care Systems (collectively, “Plaintiffs”) brought suit against the OCR Director and HHS Secretary (collectively, “HHS OCR”) to stop enforcement of the Guidance (the “AHA Lawsuit”). The AHA Lawsuit followed the American Hospital Association's May 2023 attempt to persuade HHS OCR to suspend or amend the Guidance based on input form HIPAA-regulated entities, which was met with silence by HHS OCR.6
In the AHA Lawsuit, Plaintiffs argued that the Guidance was “flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy.” In particular, Plaintiffs asserted that the Guidance was procedurally defective—as it was issued without a notice-and-comment rulemaking— exceeded HHS OCR's statutory and constitutional authority and thus fails to satisfy the requirements for agency rulemaking. At the crux of their argument, Plaintiffs asserted that the Guidance unlawfully expanded the definition of IIHI, “go[ing] well beyond the meaning of what [HIPAA] can bear,” as “the connection between a person's browsing history [on] publicly accessible websites [and] his or her own state of health is too tenuous” to implicate HIPAA.
Numerous hospitals, health systems and state associations showed support for Plaintiffs in the AHA Lawsuit. Such groups also expressed concern that the Guidance was harmful to patients, as it threatened to limit the ability for HIPAA-regulated entities to (i) use website analytics to improve online content and service offerings; (ii) map and use location technologies to ensure visitors' ability to navigate to a particular location as seamlessly as possible; (iii) embed videos, crucial for educational and informational purpose; (iv) counteract medical misinformation; and (v) communicate with and serve the public.7
In defense of the AHA Lawsuit, HHS OCR took the position that, because the Guidance was not a final agency action, it could not be challenged in a court of law.
Federal Judge's Ruling Vacating the Guidance Sets Powerful Precedent and Vindicates HIPAA-Regulated Entity's Use of Online Tracking Technologies in Certain Contexts
In a 31-page ruling, Judge Pittman granted Plaintiffs' motion for declaratory judgment to vacate the Guidance's classification of IIHI, ruling that expanding the classification of IIHI in this way “was . . . in clear excess of HHS's authority under HIPAA,” but rejected Plaintiff's simultaneous request for a permanent injunction. Specifically, Judge Pittman ruled that metadata (e.g., IP address) input by website users into a HIPAA-regulated entity's unauthenticated, publicly facing webpage does not constitute IIHI. Such information neither relates to an individual's health condition, health care or payment for health care, nor does it identify or can it be used to reasonably identify that individual. Judge Pittman reasoned that “[t]o hold otherwise would empower HHS and other executive entities to take increasingly expansive liberties with the finite authority granted to them.” Notably, however, the ruling does not vacate the entire Guidance, implying that HHS OCR's characterization that IIHI includes an IP address in combination with activity on an authenticated webpage remains enforceable.
While the ruling is undoubtedly a huge victory for HIPAA-regulated entities that expend significant time, effort and resources to ensure compliance with HIPAA's stringent requirement, it is also instrumental in that it sets a precedent with respect to curtailing executive power. In striking down the Guidance, the ruling also seeks to prevent the compounding of “small executive oversteps,” which can “result[ ] in larger transgressions down the road.” Moreover, the ruling essentially invalidates plaintiffs' claims in any pending and outstanding litigation seeking to recover against HIPAA-regulated entities for the alleged harms resulting from the use of online tracking technologies on unauthenticated webpages.
HIPAA-Regulated Entities Should Remain Diligent about the Type of Information Collected Online
While this regulatory development is promising, a massive amount of litigation is still ongoing across the country related to the topic. As such, HIPAA-regulated entities should remain cautious when determining how and what type of tracking technologies are appropriate to implement.
Footnotes
1. U.S. Dep't Health & Hum. Servs, Off. for Civ. Rights, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, (updated Mar. 18, 2024), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (the “Guidance”).
2. American Hospital Ass'n et al., v. Becerra, et al., (N.D. Tex., June 20, 2024), available at https://assets.law360news.com/1849000/1849987/https-ecf-txnd-uscourts-gov-doc1-177116929174.pdf.
3. The Guidance.
4. Id.
5. See e.g., Steve Alder, Mass General Brigham Settles ‘Cookies Without Consent' Lawsuit for $18.4 Million (Jan. 20, 2022), https://www.hipaajournal.com/mass-general-brigham-settles-cookies-without-consent-lawsuit-for-18-4-million/; Brian Eckert, Aurora Health Agrees To $12.25M Settlement in Tracking Pixel Suit (Aug. 23, 2023), https://milberg.com/news/aurora-health-data-breach-proposed-settlement/; Steve Alder, Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit (Jan. 16, 2024), https://www.hipaajournal.com/novant-health-pixel-privacy-breach-settlement/.
6. AHA Letter to OCR on HIPAA Privacy Rule, Online Tracking Guidance (May 22, 2023), https://www.aha.org/lettercomment/2023-05-22-aha-letter-ocr-hipaa-privacy-rule-online-tracking-guidance.
7. [1]See AHA, Individual Hospitals, State Associations Support AHA Lawsuit and Urge Court to Set Aside OCR Online Tracking Rule (Jan. 16, 2024), https://www.aha.org/news/headline/2024-01-16-individual-hospitals-state-associations-support-aha-lawsuit-and-urge-court-set-aside-ocr-online.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.