Topic

  • Government Relations
  • Privacy Law

On June 20, 2024, the United States District Court for the Northern District of Texas issued a ruling in American Hospital Association, et al. v. Xavier Becerra, et al. (2024), vacating a central component of a controversial bulletin from the Department of Health and Human Services Office for Civil Rights (HHS OCR) that effectively prohibited the use of “online tracking technologies,” such as cookies, pixels, and other common website advertising and analytics tools, on certain webpages administered by HIPAA-covered entities.

In its decision, the court held that the agency exceeded its authority by promulgating an expansive definition of individually identifiable health information (IIHI) and thereby redefining what counts as protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA defines IIHI as information that (1) “relates to” an individual’s healthcare and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” The agency’s expansion of IIHI had the effect of limiting healthcare organizations’ ability to use third-party online tracking technologies on certain unauthenticated public webpages, because sharing visitor information with third-party vendors that provide analytics or marketing tools would be treated as an unauthorized disclosure of PHI under HIPAA.

First issued in December 2022 and later revised in March 2024, the bulletin adopted the sweeping position that IIHI exists where an online data collection technology connects (1) an individual’s IP address with (2) a visit to a covered entity’s unauthenticated public webpage, if the visitor is seeking information related to his or her own health, receipt of healthcare, or payment for healthcare (the “Proscribed Combination,” in the court’s terminology). The court held that the Proscribed Combination falls outside the statutory definition of IIHI. The Revised Bulletin only added to the confusion surrounding the already controversial HHS OCR policy decision: it downplayed the forcefulness of the original, clarified that the bulletin is not binding law, and hinted at a more subjective test for IIHI that turns on the visitor’s reason for visiting the page.

Unfortunately, the court did not grant the permanent injunction the plaintiffs sought against enforcement of the Proscribed Combination. It vacated that portion of the bulletin instead, reasoning that (1) the plaintiffs had not shown that vacatur alone was an inadequate remedy for their harm and (2) courts must consider the “least severe” equitable remedy sufficient to resolve a plaintiff’s harm.

According to its website, HHS is evaluating its next steps (i.e., whether to appeal the ruling) in light of the order. The plaintiffs in the case are two hospital associations and a regional healthcare system. The decision follows a joint letter that HHS OCR and the Federal Trade Commission (FTC) sent in July 2023 to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies, warning of the “serious privacy and security risks” associated with online tracking technologies integrated into their websites and mobile apps.

Implications of the Court Decision

While this decision currently limits the enforceability of HHS OCR’s online tracking guidance, caution for agencies and their clients is still advised. The bulletin could be revised again, the ruling could be appealed and overturned, HHS OCR could bring enforcement actions in other jurisdictions advancing its interpretation of PHI, and other laws, such as Section 5 of the FTC Act and state privacy laws (particularly those with health-specific provisions in Connecticut, Washington, Maryland, and Nevada), could still apply to the same tracking technologies.

Currently, HHS OCR is prioritizing compliance with the HIPAA Security Rule in its investigations into the use of online tracking technologies. OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to electronic protected health information (ePHI) posed by online tracking technologies, and have implemented the Security Rule requirements (including a risk analysis that covers these tools) to ensure the confidentiality, integrity, and availability of ePHI.

Background

In the December 2022 bulletin, HHS OCR concluded that IIHI could be collected through unauthenticated webpages even if (1) the individual has no existing relationship with the regulated entity and (2) the information collected includes no specific treatment or billing information. The guidance declared that a regulated entity’s collection of an IP address or geographic location data alone, without any additional information, would be sufficient to qualify as IIHI. HHS OCR maintained that the mere connection of an individual to the regulated entity through public-facing webpages was a sufficient indication that the individual has received or will receive health services or benefits from the regulated entity, and thus relates to the individual’s past, present, or future health, healthcare, or payment for healthcare (collectively, “health”). Among several examples of actions that would trigger HIPAA obligations as a result of a covered entity collecting IIHI, the December 2022 guidance included a scenario where a covered entity connects an individual’s IP address with a visit to the covered entity’s unauthenticated public webpage that addresses specific health conditions or healthcare providers. The bulletin also had the sweeping effect of transforming many adtech vendors into business associates subject to HIPAA, which would require a business associate agreement before any visitor data could be shared with them.

In its Revised Bulletin, however, HHS OCR narrowed its position. With respect to information collected from a visitor to a covered entity’s webpage that is accessible without logging in (an unauthenticated webpage), the updated guidance states that such visits “do not result in a disclosure of PHI to tracking technology vendor if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.” As an example, the Revised Bulletin offers that a visitor to a hospital’s public webpage for job postings or visitor hours does not disclose IIHI, so HIPAA would not apply. At the same time, it suggests that the same information could be IIHI based on an unauthenticated visitor’s possible healthcare reason for visiting the page, even though the entity has no way to know the visitor’s purpose with certainty. OCR also maintained that a regulated entity need not have an existing relationship with the visitor and that none of the data collected needs to include specific treatment or billing information.

Impact of SCOTUS Decision Ending Chevron Deference

Since the HHS OCR bulletin rested on a clearly novel reinterpretation of the existing HIPAA statute, the U.S. Supreme Court’s recent decision overruling Chevron deference could affect future litigation on this issue and on similar regulations important to healthcare marketers, such as the new FTC Health Breach Notification Rule. The SCOTUS decision will undoubtedly shape how lower courts handle challenges to agency action and federal rulemaking affecting regulated industries. Government agencies are likely to lose more often in challenges to rulemakings and other agency actions previously protected by Chevron, and the end of Chevron will mean greater uncertainty for regulated entities.

Want to learn more about the legal decision affecting the HHS OCR guidance bulletin? Connect with Alison Pepper, 4As EVP of Government Relations and Sustainability.