On November 2, 2023, the American Hospital Association and Texas Hospital Association, in conjunction with the Texas Health Resources and United Regional Health Care System, filed suit against the Secretary of the Department of Health and Human Services (“HHS”) and the Director of the HHS Office for Civil Rights (“OCR”) regarding OCR’s guidance on the use of online tracking technologies by HIPAA entities.[i] This action and its results will impact how healthcare entities must protect and may use certain information collected on their digital sites.

Lawsuit Details

As we covered in a previous blog post, OCR released guidance in December 2022 on the use of tracking technologies by HIPAA-regulated entities (the “Guidance”).[ii] The lawsuit challenges the portion of the Guidance that considers the use of tracking technologies on healthcare providers’ unauthenticated webpages to be subject to HIPAA. This includes, for example, linking an IP address with viewing specific health conditions or healthcare providers (the “Proscribed Combination”). The complaint specifically alleges that the Guidance, as applied to unauthenticated public webpages: (1) exceeds HHS’s authority under HIPAA and the First Amendment; and (2) fails to meet rulemaking requirements under the Administrative Procedure Act (“APA”). The complaint also points out that third-party trackers can be found on the federal government’s own covered entity agency webpages.

The complaint states there is a lack of reasonable basis to determine whether the Proscribed Combination sufficiently identifies an individual who visits a webpage for health, care, or payment purposes. For example, an individual may visit a medical condition webpage, but such a visit may not be in connection with the individual’s healthcare or sought services. By concluding the Proscribed Combination constitutes individually identifiable health information subject to HIPAA, plaintiffs allege OCR exceeded its authority. The complaint also alleges the Guidance prohibits healthcare providers from disclosing information about the usage of a public webpage on health-related topics in violation of the First Amendment.

With respect to the APA, the complaint alleges: (1) the reasoning OCR used to determine that the Proscribed Combination is individually identifiable health information is arbitrary and capricious; and (2) the Guidance is procedurally defective because it was promulgated without a notice-and-comment period and without consulting hospitals and health systems.

Key Takeaways

Notably, the complaint does not take issue with the Guidance with respect to tracking technologies on authenticated sites. HIPAA-regulated entities should carefully evaluate the trackers present on such sites and determine the appropriate course of action. This may include removing the trackers or entering into a business associate agreement with the tracking entity.

Furthermore, class action lawsuits related to the use of trackers by healthcare providers continue to pose a risk, regardless of the outcome of this lawsuit. Although certain HIPAA risks may be mitigated as a result of this lawsuit, entities that use tracking technologies, especially healthcare entities, should continue to assess and monitor the information being tracked and the methods of tracking to ensure that best practices, consumer protection laws and other privacy laws are met.

This is an evolving area of law, and Sheppard Mullin will continue to closely monitor developments in this area.[iii] Entities with questions or seeking counsel can contact any member of our Healthcare Team or Privacy and Cybersecurity Team for assistance.


[i] American Hospital Association et al v. Melanie Fontes Rainer et al, No. 4:23-cv-01110-P (N.D. Tex. 2023).

[ii] Guidance available at:

[iii] For additional information regarding notable FTC developments in this area, please see: