On Thursday, June 20, 2024, a U.S. District Court Judge ruled that the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) overstepped its authority to act when issuing its December 2022 bulletin “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates”. The bulletin, which was updated by HHS as recently as March 2024, was published to inform entities regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) of their obligations under the HIPAA rules as they relate to the use of online tracking technologies on websites and mobile applications. Read on for a refresher on the bulletin and the current state of play after the June 20, 2024 ruling that the guidance was “promulgated in clear excess of HHS’s authority under HIPAA.”
HHS Online Tracking Guidance
As a refresher, the HHS bulletin originally posted in December 2022 stated that individually identifiable health information collected on a regulated entity's authenticated (i.e., a page that requires a user log-in) website or mobile app will qualify as protected health information (“PHI”) and be regulated under HIPAA. HHS took the position that all such data collected via a regulated entity’s website or mobile app is generally PHI even if the subject individual does not have an existing relationship with the entity and even if the data (e.g., IP address) does not include treatment or billing information. HHS explained that when collecting information, a regulated entity “connects” the individual to the regulated entity and thus indicates that the individual will receive or has received health care services from the regulated entity. More surprising, however, was HHS’s position that tracking technology on unauthenticated webpages, like webpages that address specific symptoms or health conditions, or permit individuals to search for doctors or schedule appointments may have access to PHI. Following its logic, HHS noted that "disclosures of PHI to tracking technology vendors for marketing purposes, without individuals' HIPAA-compliant authorizations, would constitute impermissible disclosures."
In March 2024, HHS updated the guidance but did not provide the clarity the industry had hoped for. The updates noted that information entered or selected on unauthenticated pages could be, but is not always, PHI, and provided examples for regulated entities thinking through what might make this distinction. In the updated bulletin, HHS drew a distinction between whether disclosures of PHI are implicated when a student visits a hospital webpage about a specific condition and when a potential patient visits the same unauthenticated webpage. The updates still left things unclear as how regulated entities would be able to determine what a user’s intent was when visiting a publicly available webpage.
June 2024 U.S. District Court Ruling
Regulated entities have been left wondering how to operationalize the HHS guidance. In the meantime, class actions related to pixels and tracking tools have been filed, providers filed HIPAA breach notifications with HHS, the U.S. Federal Trade Commission (“FTC”) took up tracking technologies enforcement, and we have seen some large settlements come out of initial actions.
At the end of 2023, the American Hospital Association (“AHA”), along with the Texas Hospital Association and two health systems, filed a lawsuit in the U.S. District Court in the Northern District of Texas. Dozens of provider and state hospital associations supported the lawsuit. The lawsuit alleged, among other things, that the bulletin amounted to rulemaking without the proper notice and comment period required under law (echoing arguments from HHS copy fees litigation), that HHS expanded the definition of “individually identifiable health information” under HIPAA beyond HHS’s statutory authority, and that health care providers face burdensome requirements in reaching patients and providing quality care if use of trackers is largely prohibited. In addition, the plaintiffs noted that some government sites, including the U.S. Department of Veterans Affairs, use tracking technologies.
On June 20, 2024, U.S. District Judge Mark T. Pittman issued an order in the case, taking the side of the plaintiffs, agreeing that HHS overstepped its legal authority when issuing the guidance, and ordered that the guidance be vacated. In his ruling, Judge Pittman noted that traditional judicial deference to the actions of administrative agencies (typically known as Chevron deference) does not grant HHS “interpretive carte blanche” when crafting its guidance. Holding that metadata from a user’s search of a provider’s public-facing web page does not meet the definition of “individually identifiable health information” under HIPAA, HHS went too far in its interpretation and “to hold otherwise would empower HHS and other executive entities to take increasingly expansive liberties with the finite authority granted to them.”
So Now What?
As of now, the HHS tracking technologies guidance has been ruled unlawful, but it remains on the HHS website without amendment as of publication of this alert. If the copy fees litigation is an indication, we can expect HHS to add qualifying language to the guidance as with the Ciox case (see the access guidance with the qualifying language here).
Judge Pittman did not order the plaintiff’s requested permanent injunction (which would have prevented HHS from ever enforcing the guidance again), so we may see updates to the guidance in the coming weeks and new rulemaking down the road. Of course, we also expect an appeal and continued litigation; unfortunately, for regulated entities, there still may be more questions than answers.
Providers should consider implications of this ruling on HIPAA-related efforts and how FTC guidance will play into next steps. Despite this victory, regulated entities should not rush to turn on all tracking technologies on unauthenticated websites without further consideration. Given the current state of play, regulated entities should consider options for affirmative and passive consent along with privacy policy and Notice of Privacy Practices language.
