HHS OCR Drops Appeal of Court's Web Tracker Ruling
Court Said a Part of 2022 HIPAA Guidance Document Exceeded the Agency's Authority

Nearly two years after the Department of Health and Human Services first stirred up controversy by warning healthcare providers that using web tracking tools on public-facing websites potentially violates the HIPAA Privacy Rule, federal regulators appear ready to drop the fight.
HHS on Aug. 29 filed a motion to voluntarily dismiss its appeal of a recent Texas federal court decision that found the agency exceeded its authority in issuing the guidance on web trackers in 2022.
HHS had warned HIPAA-regulated entities that it's unlawful to use online tracking tools to capture IP addresses in visits to unauthenticated, public-facing websites containing information about health conditions or medical care providers. The agency had argued that third parties could obtain sensitive personally identifiable information in the tracking data, but the American Hospital Association and other groups sued HHS.
The June 20 ruling in the U.S. District Court for the Northern District of Texas, Fort Worth Division, says that specific parts of HHS' Office for Civil Rights online tracker guidance were "promulgated in clear excess of HHS's authority under HIPAA."
"As the AHA repeatedly explained to OCR - both before and after OCR forced the AHA to file its lawsuit - this rule was a gross overreach by the federal government, imposed without any input from healthcare providers or the general public," Chad Golder, general counsel of AHA, said in a statement.
Specifically, the court vacated part of HHS OCR's guidance that warned regulated entities that HIPAA obligations are triggered in circumstances where an online technology connects an individual's IP address with a visit to a provider's unauthenticated public web page.
HHS OCR maintained that tracking technology capturing the IP address of a user's device and matching it with a visit to a web page that addresses specific health conditions or includes a list of healthcare providers "is a sufficient combination of information to constitute individually identifiable health information." The federal judge disagreed.
"The proscribed combination fails to improve current privacy protections while jeopardizing the dissemination of important healthcare information to the masses," the court said.
The Texas court, however, did not rule that all of HHS' HIPAA guidance on web trackers is invalid. The decision focused solely on the combination of IP addresses and related identifiers combined with the intent of the website visitor.
HHS OCR first issued its guidance in December 2022 and then slightly updated it in March 2024 (see: Tracker Backtrack? Feds Revise HIPAA Guidance on Web Tools).
AHA, along with three other organizations, challenged the guidance in November 2023, filing a lawsuit seeking to force HHS to rescind the document (see: AHA Sues Feds Over Privacy Warning About Web Tracker Use).
"The American Hospital Association is pleased that the Office for Civil Rights has decided not to appeal the district court's decision vacating the new rule adopted in its Online Tracking Technologies Bulletin," Golder said. "Now that the bulletin's illegal rule has been vacated once and for all, hospitals can safely share reliable, accurate healthcare information with the communities they serve without the fear of federal civil and criminal penalties."
A Limited But Significant Decision
Privacy attorney Iliana Peters of the law firm Polsinelli - which is not involved in the dispute - said the Texas court's ruling is "extremely limited" and applies only to the collection and disclosure of IP addresses in conjunction with visits to public-facing websites.
"As such, any other activities on such websites involving more than just an IP address, such as appointment scheduling, 'finding a doctor' through the use of mapping tools, translations, analytics, pixels, etc., are still arguably in scope of the HHS OCR HIPAA guidance on these topics," she said.
Because HHS decided to drop its appeal, "I assume that HHS OCR likely plans to address the limited ruling of the court here in future rule-makings, as necessary," she said.
While the Texas court ruling is limited in terms of addressing a specific provision of HHS OCR's guidance on web trackers, it is still a significant decision, other experts said.
"The court ruled that while HHS OCR might think the enforcement of that rule adopted in guidance is not a big deal, it's actually a big problem for hospitals trying to follow the law - HIPAA," said Chelsea Arnone, director of federal affairs at the College of Healthcare Information Management Executives, an association of healthcare CIOs and CISOs.
"The court agreed with the AHA and the co-plaintiffs and officially stated that the rule is not legal because HHS went beyond the power they were given under the law," she said.
"I don't think this changes anything for our members; they are committed to safeguarding patient privacy and actively ensuring that any online tracking technologies - such as Meta/Facebook Pixel and Google Analytics - are not being allowed or utilized to invade their patients' privacy," she said. "Protecting patient privacy is central to their mission in providing care."
HHS OCR's first iteration of the guidance in December 2022 came about six months after the U.S. Supreme Court overturned Roe v. Wade and its decades-long precedent guaranteeing nationwide access to abortion.
The Supreme Court ruling has increased concerns about tech companies tracking and potentially disclosing to third parties individuals' sensitive health data, including reproductive health information (see: Pressure on Meta Mounts Over Pixel Collecting Health Data).
In June 2022, nonprofit investigative reporting organizations The Markup and Reveal reported that Meta collects sensitive health information, including abortion-related information, about users. Facebook parent Meta faces a proposed consolidated class action alleging it violated privacy law by collecting patient information via its Pixel tracker, including data on doctors, conditions and appointments (see: Judge Gives Green Light to Meta Pixel Web Tracker Lawsuit).
HHS OCR declined Information Security Media Group's request for comment on the agency's decision to drop its appeal of the Texas court ruling.