On June 20, 2024, a US district court declared that guidance issued by the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) regarding the use of “online tracking technologies” by HIPAA covered entities was an unlawful agency action. The guidance document, known as “the Bulletin,” was first issued on December 1, 2022, and later clarified on March 18, 2024. Throughout this period, the industry struggled to understand the agency’s position and to comply operationally with the Bulletin’s guidance.
In American Hospital Association, et al. v. Becerra, et al., the American Hospital Association (AHA), joined by several Texas-based organizations, challenged HHS’ authority to issue the Bulletin. In a strongly worded opinion, the US District Court for the Northern District of Texas agreed, holding that HHS exceeded its authority in adopting an overly expansive definition of “individually identifiable health information” (IIHI).
Background
In the Bulletin, OCR posited that IIHI exists if an online data collection technology connects (1) an individual’s IP address with (2) a visit to a covered entity’s unauthenticated public webpage (UPW) addressing specific health conditions or listing healthcare providers (the “Proscribed Combination”). This interpretation effectively imposed new legal obligations on HIPAA covered entities that were using common website technologies and transformed many advertising technology service providers into business associates subject to HIPAA. (For purposes of this post, we will refer to HIPAA covered entities and business associates subject to HIPAA, collectively, as Regulated Entities).
OCR modified the Bulletin in March 2024 in response to objections raised by AHA and others, who argued that the original Bulletin was overly broad and improperly limited the use of tracking technologies essential for patient outreach and education. Although the revised Bulletin provided some clarifications, it failed to address many of the operational concerns raised by the health care industry. (See HHS-OCR Revises its Guidance on Use of Online Tracking Technologies for more information about the Revised Bulletin.)
District Court Analysis
After determining that it had proper jurisdiction—on the grounds that the original and revised Bulletins constituted final agency actions—the district court turned to the substance of the Bulletins, concluding that HHS improperly expanded the definition of IIHI beyond the statute’s clear limits. The court held that the Bulletin’s interpretation of IIHI as including metadata from UPW searches (i.e., the Proscribed Combination) “facially violated” HIPAA’s “unambiguous” definition of IIHI because it failed to meet two conditions of the statutory definition.
- First, the court determined, the Proscribed Combination did not inherently “relate to” an individual’s health, receipt of healthcare, or payment for healthcare in a manner that identifies the individual. Why? Because covered entities could not ascertain whether visitors were accessing pages for personal health-related reasons or for other, non-health-related purposes (such as academic research).
- Second, the court concluded, the Proscribed Combination could not “identify” a specific individual or provide a “reasonable basis” to believe that the information could be used to identify a specific individual.
While HHS acknowledged that the Proscribed Combination did not, in and of itself, “identify” the individual searcher and their health information, the agency argued that the Proscribed Combination fit within the “reasonable basis” prong of the IIHI definition. The court rejected this argument on the grounds that without knowing a user’s “subjective intent” in performing a query, it would be impossible for a Regulated Entity to know whether the Proscribed Combination actually pertained to the user’s health or condition. To illustrate, the court offered the following example: The fact that “Person A” conducts a query regarding “Condition B” on a UPW does not necessarily mean that “Person A has Condition B.” To require Regulated Entities to essentially guess a website visitor’s subjective intent was deemed unworkable and unlawful.
While granting the plaintiffs’ request for declaratory relief, the court declined to permanently enjoin HHS from enforcing the Proscribed Combination. Instead, the court vacated that portion of the Bulletin related to the Proscribed Combination, bringing relief not only for hospitals and other Regulated Entities under HIPAA, but also to businesses facilitating digital advertising by such entities.
OCR Response
In response to the district court’s order, OCR has appended the following update to the revised Bulletin:
On June 20, 2024, the US District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document . . . Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in ‘circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers’ . . . HHS is evaluating its next steps in light of that order.
Those “next steps,” of course, are likely to be complicated by Loper Bright Enterprises v. Raimondo, the US Supreme Court’s recent decision overturning the long-standing Chevron framework for determining deference to agency interpretation of statutes.
Implications and Takeaways
Following HHS’s issuance of the initial Bulletin and subsequent warnings of the security and privacy concerns arising from online tracking technologies, patients began filing class action lawsuits against medical providers. The underlying complaints included claims for negligence, invasion of privacy, breach of implied contract, and breach of fiduciary duty. The Bulletin has featured prominently in these complaints.[1] The district court’s decision is likely to have an impact on this pending litigation. For example, with HHS’s definition of IIHI in the context of tracking technologies now vacated, plaintiffs may find it more challenging to establish a legal basis for their HIPAA-related arguments. That said, we anticipate that such litigation will continue, perhaps with a greater emphasis on other legal theories.
The district court’s ruling also underscores the limits of regulatory authority (a point reinforced by Loper) and emphasizes the challenges of applying outdated privacy laws to modern technology, which is quickly evolving. Finally, the court’s decision highlights important considerations for Regulated Entities and providers of online tracking technologies moving forward:
- While the court’s opinion provides that the Proscribed Combination does not create IIHI subject to HIPAA, other federal and state privacy laws may protect this type of information.[2] Thus, Regulated Entities and providers of online tracking technologies should continue to monitor HHS/OCR, FTC, and state privacy developments in this area.
- Relatedly, healthcare providers and other covered entities may wish to expand their risk management programs to include consideration of their publicly accessible webpages if they have not already done so.
- Finally, covered entities should carefully assess the use of tracking technologies on their websites by entities with access to IIHI, particularly with regard to any password-protected portions of their websites.
1. See, e.g., Class Action Complaint in Doe v. Village MD.
2. The FTC, for example, has challenged the use of data tracking technologies in certain contexts. In February 2023, the FTC resolved allegations it brought against GoodRx under the Health Breach Notification Rule (HBNR) for failing to notify consumers about unauthorized disclosures of personal health information to third parties, resulting in an order that banned the company from sharing user health data for advertising and imposed a $1.5 million civil penalty. One month later, the FTC issued a proposed order (1) banning the counseling service BetterHelp, Inc. from sharing consumers’ health data for advertising, (2) requiring the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive information to third parties for advertising, and (3) mandating a comprehensive privacy program with strict data-sharing limitations and affirmative consent requirements. Moreover, in May 2023, the FTC filed a Complaint against Easy Healthcare Corporation, the developer of the fertility app Premom, alleging that the company (1) deceived users by sharing their sensitive personal information with third parties, including two China-based firms, (2) disclosed users’ sensitive health data to certain technology companies, and (3) failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The company was ordered to pay $100,000 in civil penalties and implement a comprehensive privacy and data security program.