On June 20, a federal judge in Texas sided with the American Hospital Association in its lawsuit against the Department of Health and Human Services' (HHS') updated guidance on the use of tracking technologies. Andrew Mahler, Vice President, Consulting Services, Privacy & Compliance, Clearwater, speaks with Carolyn V. Metnick, Partner, Sheppard Mullin Richter & Hampton LLP, about the key takeaways from American Hospital Assn. v. Becerra and how health care providers and technology vendors can navigate the regulatory landscape after this ruling. Carolyn recently wrote an article for AHLA's Health Law Weekly about HHS' guidance. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Transcipt
Speaker 1: 0:14
Support for A HLA comes from Clearwater. As the healthcare industry's largest pure play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains. Purpose-built software that enables efficient identification and management of cybersecurity and compliance risks. And the tech enabled twenty four seven three hundred and sixty five security operation center with managed threat detection and response capabilities . For more information, visit clearwater security.com.
Speaker 2: 1:02
Hi , good morning. Good afternoon, everyone. Uh, this is Andrew Mahler . I am the Vice President , um, of clearwater's Privacy and Compliance Services team. Um, I'm here , uh, with , uh, Carolyn Metec , a partner , uh, at the law firm, shepherd Mullen, and a member of the firm's healthcare privacy and cybersecurity team. And we're here to talk a bit about , uh, some of the updates around tracking technology and , uh, and the recent , uh, ruling , uh, from Texas. Carolyn , uh, welcome this morning.
Speaker 1: 1:31
Thank you, Andrew. It's a pleasure to be here .
Speaker 2: 1:34
Great . It's great. Great to have you. So I really happy to be here talking through this. Try to make some sense of the ruling and, and , uh, next steps for , uh, for our clients, you know, healthcare organizations as well as, as attorneys that are, that are working with them. So, just maybe a little background. Um, you know, I know earlier this year, lots of discussions around , uh, around OCR updating , uh, its guidance on the use of tracking tech. And I think the general consensus was there wasn't , uh, a whole lot , uh, of clarity that was provided in the updated guidance , uh, around when, you know, online tracking technologies result in, in an impermissible , uh, u user disclosure of PHI, which, you know, in violation of hipaa. And then, you know, earlier this summer, I think June 20th , uh, of this year , uh, a federal judge , um, sided with the American Hospital Association who had brought a lawsuit , uh, several months ago against HHS , uh, around the tracking technology guidance. And that, that, of course, you know , that case of course, centered on, on the guidance, whether or not it was, it was lawful and, and , uh, and , uh, and so forth. So it's really great to talk with you and, and I wonder, you know, besides just that brief, you know, summary that, that I gave, that probably wasn't too helpful to everybody. Um, Carolyn, you wanna give a little bit more background about this case and, and why the American Hospital Association felt , uh, felt compelled to , uh, to sue a HHS?
Speaker 3: 3:06
Sure. Thanks Andrew. Um, so, you know, as you mentioned, the American Hospital Association, along with the Texas Hospital Association, the Texas Health Resources and United Regional Healthcare System , filed this lawsuit in November of 2023 against the directors of HHS and OCR in their official capacities. And the lawsuit alleged in part that H-H-S-O-C-R, that they exceeded their authority in expanding the definition of individually identifiable health information, what we refer to as IIHI under HIPAA without following the appropriate rulemaking process. Um, and , and that, you know, was through the issuance of their December, 2222 guidance. So basically, you know, the plaintiffs were saying they didn't follow the rulemaking process in issuing this guidance, which had a significant impact on, you know, HIPAA regulated entities, as you well know , um, because we both work with these entities regularly. Um, and so the plaintiffs claimed that it was adopted as purported sub-regulatory guidance, but really operated as a change to the rule of law with this significant impact on the HIPAA regulated entities. And the plaintiffs argued that the OCR R'S position, you know, as expressed through this guidance, was that, you know, one that an IP address and two, a visit to an unauthenticated website webpage that addresses a specific health condition or healthcare provider that this combination of information , um, you know, that it really shouldn't be. IIHI, and they refer to this as the prescribed combination. That term is used in the, the ju in the court ruling. And it's also used in, you know, the , the complaints the plaintiffs argued that, that, you know, that that change there, the definition of I-H-A-I-I-H-I was problematic. Um, and they argued that the prescribed combination, again, this IP address plus a visit to an unauthenticated webpage that potentially addresses a specific health condition or provider that this prescribed combination does not constitute IIHI, because there's no reasonable basis that it could be used to identify the individual and the person's visit to a webpage may not relate to health, healthcare, or payment , um, which would be required to make it, you know, PHI as you know, I mean, we visit webpage, I certainly, I'm sure you do too, visit websites of healthcare providers regularly because I'm doing client work and I wanna learn more about the client, right? Not because I'm looking to, to obtain healthcare services. It's just kind of part of my work. And it would be, you know, it would be unreasonable to think that I'm a patient. Um, so the plaintiffs argued that the proposed combination provides no reasonable basis for a HIPAA regulated entity to make a determination as the purpose of the website, which would be required to make it PHI. And then finally, they also argued that, and again, I alluded to this at the beginning, that the guidance violates HH S's authority , um, under the First Amendment, but that it also violated the Administrative Procedure Act because the proper rulemaking process, you know, which requires proposed rules and comments that that was not followed.
Speaker 2: 6:38
Yeah. Thanks. Thanks, Carolyn. So really, there was a lot, you know, a lot alleged and , um, and, you know, I, I thought the, the ruling itself, I mean, I , of course, the filings were, were very interesting. Uh, ruling itself was also an interesting read. Um, and, you know, I think those of us who, who read it, I mean, you sort of, you only have to get to the first sentence to sort of have a sense of, of some of the, of the judge's , uh, approach and, and maybe some of, some of his snarkiness a bit. Um, you know, that first sentence, just reading verbatim here , uh, Congress passed the Health Information Portability and Accountability Act in 96 because health information needed more protections and the world needed more acronyms , um, (laugh) (laugh) . So you sort of , you kind of see that (laugh) , you sort of see his, his perspective coming, you know, right, right out the door. Um, so we, we know, you know, there was the judge ultimately vacated this c can you give us, you know, an overview of some of the key points that , um, you know, you've already sort of talked through the, the , some of the allegations and, and the, the American Hospital Association's perspective. But, you know, c can you give us a sense of some of the, the points that this , uh, judge , um, really, you know, keyed in on?
Speaker 3: 7:55
Yeah. Um , happy to, and, and I agree. I really enjoyed reading the opinion. It was well written and it was entertaining , um, and thoughtful. Like, I mean, you could tell that there was, that a lot of work was put into it. I mean, setting aside, you know, the , whether you we agree with it or not, or write the implications, I just thought it was a really well-written opinion. Um , so yes, the court's ruling it came down, you know, June 20th, and it provides that the bulletin even as revised imposes new obligations because of the proposed combination. And the court addressed the revised guidance, which, you know, as you mentioned, kind of , um, it , it , it , it , it came down before, well, you didn't mention this, but it, we should note that it came down before the defendant's brief was due, which is interesting. And it softened language suggesting that it was not meant to bind the public, and that the information can become IIHI, depending on the person's reason for visiting the authenticated page. Um, so it did, you know, address the revised guidance. Um, but the court found that the proposed combination is not IIHI, which is what was asked of it. Um, the court also found that HHS did not have authority to promulgate the proposed combination, which, you know, that was also requested by the plaintiffs. Um, the court noted that PHI must relate to an individual's past, present, or future physical or mental health condition, receipt of healthcare payment for healthcare , and identify the person or provide a reasonable basis to identify the person. And the court said that information must satisfy the relates to clause and the identifies clause, and that the proposed combination fails both. And the court really kind of , um, drilled down on the fact that information cannot become IHI based solely on a visitor's subjective motive for visiting the site. Which again, a a provider or a HIPAA regulated entity cannot , is not in a position to know the reason for a visitor visiting its website, right. Whether it's for work purposes or just it's, it's subjective. Um, and the court appropriately noted that.
Speaker 2: 10:16
Yeah, I thought it was interesting. Um, uh, judge Pittman gives, gives an example of, of a dropdown box and, and he says something like, you know, if, if a covered entity greets, you know, an online visitor with a dropdown box where you can indicate, you know, why you're visiting the page, you know, maybe that would be, you know, a , a sort of a permitted , um, you know, permitted language and guidance or, or , um, a permitted maybe responsibility of around enforcement for OCR. But , um, I , you know, I thought that was an interesting example. I don't know any organizations that are, that have, that have been doing that or are doing that. But , um, I think back to, to your point and, and his point, it's, you know, it's, it's one thing to to say is, you know, can PHI be disclosed to tracking technology, you know, vendors? Um, but it's really a separate thing to say, you know, what is PHI, you know, as collected by these, these sites and, and online tools. Um , so I thought that was an interesting, I I don't know if you have any, you know , any experience or thoughts with, with a subjective dropdown box, but thought that was an interesting example.
Speaker 3: 11:32
Yeah, it isn't . I mean, to the extent there's a dropdown box and somebody is saying that I'm using, I'm accessing the website to look for a healthcare provider, then, you know, I think the OCR would have a stronger position. Mm-Hmm. (affirmative) , um, right, because it's somebody who's accessing the site looking for healthcare. So, and I think that's a good example.
Speaker 2: 11:53
Yeah, it was, it was an interesting one. So we've, we've been through a , a good bit of turmoil over the past year, year and a half or so around tracking tech and, and, you know, the evolution of this conversation, you know, kind of went from , um, you know, informa , you know, information that was maybe being , uh, disclosed or used during the, the COVID pandemic and then going into the Dobbs decision and, and some of the concerns about reproductive healthcare and tracking. And then, you know, we had the , um, the markup and, and a , a number of other , uh, you know, organizations, news organizations really digging into, you know, how tracking tech was being used by certain , uh, healthcare entities, and obviously caused a lot of concern and some anxiety and, and maybe even some panic , um, as people and organizations were started to take all the stuff off their site and stand up governance committees and, and try to figure out exactly, you know, how and where tracking tech was, was permitted. Um, you know, we even had some clients who , uh, who decided, you know, they're not gonna enter into any agreements with tracking technology vendors that won't sign a business associate agreement, for example. And so we had a lot of organizational process changes that have happened. Um, just interested to hear from you, you know, how do you feel like this decision , uh, affects healthcare organizations that are using track and, and, you know, maybe can you give some examples of , of what, you know, still could be a violation and, and might, you know, fit the, the standard that , uh, that Judge Pittman has has articulated?
Speaker 3: 13:37
Yeah, so I mean, certainly the , the ruling doesn't change anything. The lawsuit doesn't, it didn't change anything about authenticated pages. So information collected on authenticated pages, right, where there's a login or a portal , um, presumably accessed by a member or patient that's PHI and entities that use tracking technologies on authenticated pages should ensure that they have BAAs in place with any third party vendor that's collecting or accessing the PHI on these pages or behind portals. Um, and the OCR is also noted that information collected on a HIPAA regulated entity mobile app is generally PHIA HIPAA regulated entity such as a health system that makes a mobile app available to users , um, needs to comply with HIPAA and ensure that it has bas in place with any tracking technology vendor that exists on the application , um, or, or to not use a third party tracking technology. Um, and then apps that are not provided by HIPAA regulated entities are typically not regulated by hipaa, but other laws may apply too , which is an important consideration for organizations generally. For example, the FDC ACT and the FTCs help breach notification rule may apply, and then there are whole host of other state laws that could be implicated.
Speaker 2: 15:01
Yeah, it, it's, I mean, I, I, I agree. I mean, I think there was a lot, there was, you know, even though there was confusion and anxiety around, you know , this conversation , um, I, I do think the majority of, of attorneys and compliance officers and privacy officers and security officers that I spoke with, I , I think there was a lot of , um, I mean, I don't know if it was unanimous, but certainly a lot of agreement that , um, you know, sure if, if you've got tracking technology, you know, on an authenticated , uh, portion of a site or on an authenticated site or an application, you know, that that seems, you know, like it fits squarely in the realm of, of PHI , um, that's, that's potentially being used in disclosed, and so we need a b AA or we need an authorization. Um, you know, do , do you know, in terms of just this ruling and I guess the overall conversation, have you seen , um, organizations that have been any, you know , more willing or less willing to, to put tracking tech and, and code on authenticated sites?
Speaker 3: 16:11
Yeah, I guess, you know, the , in light of the rule , the ruling kind of takes some pressure off HIPAA regulated entities , um, with respect to HIPAA compliance and the use of technologies on, on authenticated pages on , so I , I think there's less pressure there. The updated guidance made it clear that the OCR is prioritizing the security rule compliance and its investigations of tracking technology uses, and frankly, that it's investigating. So, you know, the work is still continuing , um, at least with respect to authenticated pages and HIPAA regulated entities and, and, you know, they should continue to investigate their use and work with legal counsel. And in my experience, many of these entities just don't have a handle on what technologies they are using and where, I don't know if that's been your experience as well, but you know, I ask them or I tell them what, what I'm able to see, you know, based on software that we have, and sometimes it's a surprise, so it , right. And these questions about tracking technologies are also increasingly common, becoming increasingly common in due diligence. Um, and given how easy it is for the public to glean the tracking technologies on a company's website, there's, there's still, you know, plain , there's still opportunities for plaintiff's attorneys under other laws, right? Under state other federal laws and state laws. So , um, I think HIPAA regulated entities should ensure that they're aware of what technologies they use, if any, and where, and ensure that if they have them on authenticated sites, that they're HIPAA compliant, and then they should evaluate their use of tracking technologies on unauthenticated sites to ensure that they comply with state laws and, and, and other federal laws. Um, and, and finally, if an entity is making claims and it's privacy statements about the information at collects , and that's not accurate, that's problematic. So there are all sorts of other risks. Um, and I think, you know, the , the work continues, although there is, there is less pressure for HIPAA regulated entities with respect to the unauthenticated sites in light of the guidance. Yeah,
Speaker 2: 18:21
That's, that's what we're seeing too. Um, you know, on on more of the consulting and, and kind of advisory side of things , um, and I think you and I were sort of touching on this when we were talking about tracking technology earlier this summer, but I, I agree that there, you know, there are a lot of opportunities for tracking technology to be embedded in different, you know, different sites , um, you know, different websites, different applications. And what I tend to see is that organizations generally have a good sense of , uh, you know, at least at this point, you know, having gone through what we've been through the past, you know, year and a half or so, you know , they have a good sense of where tracking's been enabled , um, on newer sites. But there's, there's also a lot of legacy sites and, and , and sites that, you know, may not even be actively managed by the organization that may still be out there. Um, yeah, and one of the examples that I sort of think about is, you know, when you have a, a complex organization may be doing clinical trials and, and maybe, you know, it's a, it's a full covered entity. Um, you've got clinical trials along with treatment and care and, and as part of maybe a research protocol or part of a, of an initiative, there may be a, you know, not a traditional patient portal, but there may be a, a sort of signup sheet or even a Google form or something where people are going in and they're filling out information about them to, to participate in a clinical trial that, that, you know, of course may involve treatment and care and may involve , uh, their information, you know, being used as part of a a a a medical , uh, you know, medical record used to , to, you know, make treatment decisions about them. And so, you know, things like that, that, that may, you know, still be out there. Um, we may not have, you know, our, our cans completely around , uh, those old sites. You know, we're really encouraging , uh, organizations and our, our clients and others to, to think thoughtfully about this because it's, I mean, I think to your point, there's still risk here. I mean, I think the temperature has come down, as you said , um, but there is some thoughtfulness that, and some creativity that I think, you know, needs to sort of come behind this conversation to make sure, you know, we're, we're doing everything we can to, to live, you know, within , um, you know, live within the requirements of, of the privacy and security rule .
Speaker 3: 20:49
Yeah . Yep . I agree. Well said.
Speaker 2: 20:52
And, and I guess just sort of thinking just next steps sort of question that I think sort of always ask at the end of these podcasts, you know, where does that leave people? You know, can you, can you give a sense of, you know, where do you think this is going? I mean, I, I, you know, I know we can't speculate on what HH S's position is gonna be on this. Um, I , I haven't heard, I don't know if you have, I haven't heard any rumblings yet about their position , uh, around this ruling. I mean, the guidance is certainly still on the site . Um, we're still seeing data request letters coming from OCR around tracking tax . So yeah, just interested, I mean, I think just kind of building on what you said before , um, you know, what , what sort of recommendations do you have , uh, for, for attorneys and, and for compliance officers and others that are listening about, you know , what's to come and, and how to prepare?
Speaker 3: 21:47
Yeah, I don't know if I have any insight into what's to come, but I , I think, you know, HIPAA compliance remains important. Um, privacy rules , security rule compliance. I mean, make sure your house is in order. Right? I think it , I think I can echo my comments from maybe five minutes ago, which is really HIPAA regulated entities need , need to know what tracking technologies they have, where they are, and really consider the use. Um,
Speaker 2: 22:18
Yes. Yeah, and it's, I mean, I think it, there's, you know, organizations now that maybe didn't exist a couple years ago that exist now that can help, you know, sort of different security tools and applications. Mm-Hmm . (affirmative) and certainly that can help people kind of try to get to the bottom of this and, and understand what the known universe is . So I could , couldn't agree with you more that the ruling, you know, it, I think a lot of people in our field probably agree with it. I think it makes, you know, it makes sense. I think it's a , as you mentioned, it's an interesting kind of a fun, a fun read , um, as well. So encourage folks that, you know, haven't read it yet, go take a look at it. You'll, you'll see a lot of interesting comments. And I think there's, we've got a , you know, a citation to the New Testament in there and it kind of, yes , (laugh) kinda runs, runs the gamut of, of , of information. And then we have at the end sort of a breakdown of, of government overreach and, and it's, it's certainly an interesting, you know , interesting ruling . So , um, thank you so much again, Carolyn, for, for participating and for the, the insights. Um, you know, I, I think it was helpful just to talk with you and, and bounce some these ideas off of you and hopefully it was helpful to listeners as well. Um, and really hope to speak with you again soon. So thanks so much, Carolyn.
Speaker 3: 23:35
Thank you, Andrew.
Speaker 1: 23:44
Thank you, you for listening. If you enjoyed this episode, be sure to subscribe to a HLA speaking of health law wherever you get your podcasts. To learn more about a HLA and the educational resources available to the health law community, visit American health law.org.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.