On June 20, 2024, a federal judge for the Northern District of
Texas ruled that the U.S. Department of Health and Human
Services' Office for Civil Rights (OCR) overstepped its
authority under the Health Insurance Portability and Accountability
Act (HIPAA) in determining that the use of certain online tracking
technologies could violate the HIPAA privacy regulations (the
Privacy Rule). In his detailed (and entertaining) opinion, U.S.
District Judge Mark T. Pittman found that OCR erred in declaring,
in guidance under the Privacy Rule (the Guidance), that information
collected during a visit to a HIPAA-regulated entity's
unauthenticated public webpages (UPWs)1 is
"individually identifiable health information" (IIHI)
under the HIPAA Privacy Rule. The judge reasoned that, even when
such information is combined with the IP address of the website
visitor, that combination of information does not constitute IIHI
as defined in HIPAA. As a result, the judge vacated the portion of OCR's Guidance that
treats that combination of information (the Proscribed Combination)
as IIHI subject to HIPAA. The judge did not, however, vacate any
other portion of the Guidance.
Judge Pittman's decision is a significant indication of the
limits that the law may place on the scope of terms such as
"individually identifiable information," "personally
identifiable information," or "personal information"
in relation to data collected from and concerning online activity.
Beyond the HIPAA Privacy Rule, these terms have great significance
for requirements and liability under a variety of privacy and data
security laws. Judge Pittman's reasoning (described further
below) may resonate with other courts that are grappling with
claims against numerous types of defendants regarding the
collection and sharing of online tracking information, including
under anti-wiretapping and other privacy-related statutes.
Background
The case before Judge Pittman was brought by the American
Hospital Association, the Texas Hospital Association, Texas Health
Resources, and the United Regional Health Care System (Plaintiffs)
challenging OCR's authority to issue the Guidance and to
enforce the Privacy Rule based on the Guidance. Such enforcement
was a cognizable threat because six months after issuing the
Guidance in its initial form in December 2022 (the Original Bulletin), OCR and
the Federal Trade Commission sent a joint letter to approximately 130 hospitals,
telehealth providers, health app developers, and other companies in
the health care industry to warn of the "serious privacy and
security risks" associated with the collection of information
from online tracking technologies integrated into their websites
and mobile apps.
In the Original Bulletin, OCR warned that entities regulated by
HIPAA would violate the Privacy Rule if they were to disclose
information collected by online tracking tools on health-related
UPWs to third parties if such disclosure were not authorized by the
Privacy Rule for IIHI — for example, if they were to disclose
UPW visit information for marketing purposes without an
authorization from the UPW visitor. As the Plaintiffs explained in
their complaint: "OCR took the position that when an online
technology connects (1) an individual's IP address with (2) a
visit to an Unauthenticated Public Webpage that addresses specific
health conditions or health care providers, that combination of
information (the Proscribed Combination) is subject to restrictions
on use and disclosure under HIPAA."
Although the arguments in the case involved a number of procedural
and jurisdictional issues, the gist of Plaintiffs' claims was
that the Guidance's characterization of the "Proscribed
Combination" as "IIHI" was at odds both with the
definition of that term in HIPAA itself (42 U.S.C. § 1320d)
and with OCR's own definition of the term in the Privacy Rule
(45 C.F.R. § 160.103), and thus void of legal authority.
Case Proceedings; Court Decision and Legal Reasoning
Following initial briefing before Judge Pittman, both parties
moved for summary judgment. Mere days before the brief in support
of OCR's motion was due, on March 18, 2024, OCR issued a
revised version of the Guidance (the Revised Bulletin) to recharacterize and clarify
its legal status. As stated in the Revised Bulletin, the Guidance
was not "meant to bind the public in any way" and was not
intended to "have the force and effect of law." Thus, OCR
took the position that the court lacked jurisdiction because the
Bulletin did not constitute a "final agency action"
subject to judicial review.
The Revised Bulletin also included certain modifications from the
Original Bulletin that would appear responsive to the
Plaintiffs' challenge to OCR's characterization of the
Proscribed Combination as IIHI. The Plaintiffs had argued that,
even assuming that an IP address of a visitor to a health-related
webpage could reasonably be associated with a particular
individual, the Proscribed Combination could not indicate that
individual visited the page in connection with his or her own
health, health care, or payment for health care. "For example,
the visit may have occurred due to academic or journalistic
research on a health condition or area provider capacity, general
curiosity about something in the news, or just an accidental click
on a web link." Under HIPAA, however, IIHI is information
identifiable to an individual that relates to that
individual's health. Therefore, the Plaintiffs argued,
OCR's categorical characterization of the Proscribed
Combination as IIHI lacked factual and legal grounds.
In the Revised Bulletin, OCR newly suggested that user information
collected on UPWs can become IIHI if the
individual's reason for visiting such webpages relates to their
personal health care. Judge Pittman found this revision
unpersuasive for purposes of OCR's defense of the Guidance. As
he reasoned, by adding a subjective analysis component related to
the "purpose and intent" of a website visitor, the
Revised Bulletin offered no way for regulated entities to determine
whether information collected by tracking tools was IIHI because
there is no practical way to determine the purpose or intent of an
unauthenticated website visitor and whether such visitor's UPW
use related to the individual's health care.
"In theory," Judge Pittman reasoned, "a third
party could connect the dots between a person's IP address and
the searches the individual performed: if an IP address corresponds
to Person A, and Person A looks up the symptoms of Condition B, one
might conclude Person A has Condition B." However, even if
information collected through a UPW's tracking technologies
could identify a particular individual, "[t]hat information
cannot become IIHI based solely on the visitors' subjective
motive for visiting the page." Rather, to fall within the
definition of IIHI, "there must be at least a reasonable basis
to believe that the Proscribed Combination could identify
'the individual' whose health, healthcare, or payment
for healthcare actually 'relates to' the webpage
visit. But there is no basis to believe that, and the Bulletin
provides none."
Therefore, the court held that the Proscribed Combination falls
outside the statutory definition of IIHI.
However, the court denied the Plaintiffs' request for an
injunction to permanently block OCR's enforcement of the
Guidance, reasoning that vacating only the relevant portion of the
Guidance was the most appropriate form of redress because courts
must always consider the "least severe" equitable remedy
to resolve a plaintiff's injury. In addition, the court found
that the Plaintiffs had failed to show that they adequately
exhausted all other available remedies.
Key Points and Future Considerations
- Impact on HIPAA Privacy Rule Enforcement — While the court's ruling in this case presents itself as a "win" for HIPAA-regulated entities, the Guidance remains intact insofar as it applies to the use and disclosure of information collected from tracking technologies on authenticated portions of a website, and such use and disclosure therefore still entails risk. HIPAA-regulated entities should continue to monitor and audit the types of information collected through tracking technologies on their websites and online platforms, including patient portals or any other portion of a webpage that requires authenticated access, and scrutinize any related disclosures of such information to vendors or other third parties used for implementing website tracking technologies.
- Impact on Class Actions Against Providers for Information-Collection and Disclosure Through Tracking Technologies — Whether this decision will have any impact on lawsuits filed or the litigation posture of any current lawsuits against health care providers is unclear. There is no private right of action under HIPAA, and the court's reasoning in this case may or may not influence legal interpretations of "individually identifiable information," "personal information," or similar terms under other laws. The court's reasoning also may or may not influence whether the Proscribed Combination is a violation of other laws, such as state consumer protection laws. Regardless, obtaining consent to collect, use, and disclose information through tracking technologies, even on unauthenticated websites, may reduce litigation risks.
- State Privacy Laws and the Federal Trade Commission (FTC) Act — Also separate from HIPAA, state privacy laws and the FTC's recently revised Health Breach Notification Rule (HBNR) create risk with respect to tracking the visits of individuals to health-related websites. As we have described in previous publications, the FTC has aggressively used its authority, under both the FTC Act and the HBNR, to take enforcement actions against entities such as GoodRx, BetterHelp, Monument, and Cerebral for disclosing to third parties sensitive health information collected online.
- Further Actions by OCR — The limited remedy from the court in this opinion leaves open possible reinterpretations of the Privacy Rule's application to information collected through online tracking technologies. While the court found the Proscribed Combination fell outside the statutory definition of IIHI, it denied the Plaintiffs' request for a permanent injunction, which means OCR may still seek endorsement of its interpretation of the Proscribed Combination as IIHI in other circuits.2 Moreover, OCR could further revise the Guidance or appeal this decision.
Footnotes
1. UPWs are web pages that do not require visitor verification or login credentials.
2. As of the date of this Advisory, OCR has not yet filed any such enforcement actions since issuing the Original or Revised Bulletin.