OCR’s Online Tracking Technology Bulletin: AHA Lawsuit Scores a Win; HHS Withdraws Appeal
The American Hospital Association (“AHA”) and a group of hospitals scored a big win recently in the U.S. District Court for the Northern District of Texas in the case of AHA, et al. v. Becerra, et al., by convincing the court that OCR exceeded its authority by imposing new legal obligations on covered entities that gather information from individuals who visit those entities’ web pages.
The Guidance. In December 2022, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published guidance stating that covered entities are not permitted to use online tracking technologies in a manner that would result in impermissible disclosures of protected health information (“PHI”) to third parties. In addition, to many in the health care industry the guidance seemed to expand the definition of individually identifiable health information (“IIHI”), of which PHI is a subset, by providing examples of actions that trigger obligations under the Health Insurance Portability and Accountability Act (“HIPAA”), including the example of disclosing the internet protocol (“IP”) address of an individual who visits an unauthenticated web page containing health care information to an entity that is not a business associate of the health care provider. This guidance caused immediate concern in the industry, as almost all health care provider websites use third-party tools, especially from Google and Meta, that rely on ad tracking technology such as cookies and pixels to gather information, including IP addresses, from visitors to public web pages.
The OCR Bulletin expressly stated that these tracking technologies could lead to HIPAA violations, even on unauthenticated pages that did not require anyone to log in, if the third party was not a business associate of the covered entity. The Bulletin expressed the position of OCR that information collected from visitors on a public website that contains health-related information “is indicative that the individual has received or will receive health care services or benefits from the covered entity.”
The Lawsuit. On November 2, 2023, the AHA and several hospitals sued HHS OCR in a federal court in Texas. In its complaint, the AHA challenged OCR’s enforcement of the Bulletin. Specifically, the AHA argued that the Bulletin exceeded HHS’s authority under HIPAA. The complaint also detailed concerns over OCR’s alleged circumvention of the administrative notice-and-comment rulemaking process. Interestingly, the complaint noted that HHS’s guidance was not even followed by certain web pages of various agencies and arms of the federal government. While the lawsuit was still in its early stages, OCR revised the Bulletin and clarified its position on the use of tracking technologies, describing what the revised Bulletin referred to as a “Proscribed Combination” of information that would trigger a violation (an IP address combined with a visit to an unauthenticated web page relating to health conditions or providers) and discussing the burden on covered entities to determine a user’s intent in visiting the web page before disclosing IP addresses. The revised Bulletin did nothing to alleviate the numerous underlying concerns that had been raised by covered entities.
On June 24, 2024, the court held that OCR exceeded its authority in taking the position that HIPAA obligations attached when an online tracking technology merely connects an IP address with a visit to an unauthenticated public website addressing specific health conditions or health care providers. The court declared that portion of the Bulletin unlawful and vacated it. The court concluded not only that the Bulletin imposed new legal obligations on covered entities, but also that the Proscribed Combination falls outside the statutory definition of IIHI because it fails both the “relates to” and “identifies” prongs of the definition. The court noted that “even if an [unauthenticated web page’s] metadata could identify a particular individual ‘that information cannot become IIHI based solely on the visitors’ subjective motive for visiting the page.” The court also found that the information fails the “identifies” prong because, at most, there is an inference of identification, and an inference is not enough.
What’s Next? On August 29, 2024, HHS officially withdrew its appeal of the case, so the Texas court’s decision is now final. Nonetheless, covered entities should continue to monitor their uses of online tracking technologies, especially on pages that require user authentication or password access, or where the covered entity is gathering information regarding the user’s intent in visiting the page. They should also review their online privacy policies to ensure that patients are given adequate notice of the non-PHI collected through their websites. Even though OCR believes that the guidance merely reminded covered entities of their existing obligations under HIPAA, it is unlikely that OCR will try to bring an enforcement action or assess penalties against covered entities for the kind of conduct the guidance sought to regulate. However, covered entities should review OCR’s guidance for the remaining provisions that are still in effect and ensure that online tracking technology vendors that collect PHI have signed business associate agreements. The federal government continues to be concerned about the online collection of data related to individuals’ health, so you can expect that online tracking technologies will remain an area of increased scrutiny and oversight.