On June 20, 2024, the United States District Court for the Northern District of Texas ordered the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to vacate its guidance that had restricted HIPAA-covered entities’ use of third party online tracking technologies, such as common website advertising and analytics tools. In vacating the guidance, the court held that the agency exceeded its authority by redefining what is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While this order is a defeat for OCR’s guidance on online tracking technologies, regulated companies should react cautiously. The order could be appealed and potentially reversed, OCR could still bring enforcement actions in other circuits advancing their interpretation of PHI, and the Federal Trade Commission’s (FTC’s) laws and state privacy laws could still apply.

Case Summary

The American Hospital Association and other healthcare organizations (the plaintiffs) challenged a December 2022 bulletin issued by OCR (the Original Bulletin) that had attempted to expand the types of information governed by HIPAA in connection with healthcare providers’ unauthenticated public websites. Specifically, the Original Bulletin added extra information to the definition of individually identifiable health information (IIHI)—a subset of health information. The Original Bulletin provided several examples of actions that would trigger HIPAA obligations as a result of a covered entity collecting IIHI, including where a covered entity connects an individual’s IP address with a visit to the covered entity’s unauthenticated public webpage that addresses specific health conditions or healthcare providers. The Texas district court termed this combining of data a “Proscribed Combination.” The expansion of IIHI had the effect of limiting healthcare organizations’ ability to use third-party online tracking technologies, such as common website analytics tools, on certain unauthenticated public webpages because the sharing of visitor information with third party vendors providing such tools would constitute an unauthorized disclosure of PHI under HIPAA.

Following the issue of its Original Bulletin, on July 20, 2023, OCR and the FTC sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies warning of the “serious privacy and security risks” associated with the use of online tracking technologies integrated into their websites and mobile apps. The FTC also reminded companies not covered by HIPAA of their responsibility to protect against the unauthorized disclosure of personal health information, highlighting its recent enforcement actions against GoodRx and BetterHelp.

Facing new obligations under the Original Bulletin, the plaintiffs sued to stop enforcement of its rule against the Proscribed Combination. Both parties moved for summary judgment. On March 18, 2024, days before its brief was due, OCR issued a revised bulletin (the Revised Bulletin). The Revised Bulletin retained its general rule against the Proscribed Combination but noted that it was not “meant to bind the public in any way” and that it did “not have the force and effect of law.” The Revised Bulletin also suggested that user information collected on unauthenticated public webpages can become IHII if the individual’s reason for visiting such webpages relates to their personal healthcare.

Court’s Decision and Reasoning

The court held that OCR’s rule restricting the Proscribed Combination (as set forth in the Revised Bulletin) was unlawful because OCR exceeded its authority under HIPAA and ordered that the rule be vacated. The court reasoned that OCR’s Revised Bulletin imposed new legal obligations on regulated entities and OCR lacked the authority to promulgate the Bulletins. In particular, the court held that the Proscribed Combination falls outside the statutory definition of IIHI. 

Nevertheless, the court declined to grant the plaintiffs’ request to permanently enjoin OCR’s enforcement of the rule restricting the Proscribed Combination. Instead, it held that vacating OCR’s guidance was the more appropriate equitable remedy in this case because 1) the plaintiffs failed to show that they had adequately exhausted all other remedies and 2) courts must always consider the “least severe” equitable remedy to resolve a plaintiff’s harm.

Key Takeaways and Possible Next Steps

While this order is a defeat for OCR, the limited remedy from the court muddies the waters about what constitutes IIHI (and PHI) under HIPAA.

• Future OCR Actions Unclear. While the court vacated OCR’s guidance and held that the Proscribed Combination fell outside the statutory definition of IIHI, it also denied the plaintiffs’ request for a permanent injunction. This means that OCR is still able to bring a lawsuit attempting to enforce its interpretation of IIHI in other circuits, notwithstanding the order. It should be noted, however, that OCR has not yet filed any such enforcement actions since issuing the Original or Revised Bulletin.
• Decision Could Be Appealed or the Bulletin Revised. OCR could appeal this order or revise the Revised Bulletin. 
• FTC Act and State Privacy Laws Still Apply. Even if the Texas district court’s order is upheld, Section 5 of the FTC Act, the FTC’s recently revised Health Breach Notification Rule (HBNR), and state privacy laws may still restrict how regulated companies can collect, use, and disclose the personal information of visitors to unauthenticated public webpages.
  • Under Section 5 of the FTC Act and the HBNR, the FTC has recently undertaken enforcement actions against GoodRx, BetterHelp, and Monument and Cerebral for disclosing sensitive health information to third parties.
  • State privacy laws also regulate the collection of sensitive personal information, which may include the collection of health information through unauthenticated public webpages, for example, Washington's My Health My Data Act.