Federal Court Scales Back HIPAA Online Tracking Technology Guidance

On June 20, a federal district court in Texas ruled that the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) exceeded its authority under the Health Insurance Portability and Accountability Act (HIPAA) by issuing guidance that expanded the law’s definition of “individually identifiable health information” (IIHI) to include an individual’s IP address captured on a public webpage about health conditions or health care providers. “Simply put,” the court explained, “Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).”

The ruling in American Hospital Association (AHA) v. Becerra is favorable to HIPAA-covered health care providers and health plans (covered entities) and their business associates (collectively, regulated entities) to the extent it limits when a HIPAA violation occurs from a regulated entity’s use of a cookie, web beacon, or other tracking technology on its website. Nevertheless, it underscores the increasing privacy concerns about technologies that provide insight about website users and the need for regulated entities to carefully evaluate their use of such technologies.

OCR’s Guidance Regarding Online Tracking Technologies

The AHA case stemmed from a guidance bulletin that OCR released on December 1, 2022, outlining the HIPAA compliance risks from regulated entities’ use of scripts or codes embedded in websites or applications that gather and analyze user data. The bulletin explained that these tracking technologies may collect information, such as an individual’s IP address, that connects an individual to a covered entity, thereby indicating that “the individual has received or will receive health care services or benefits from the covered entity.” Moreover, with respect to tracking technologies developed by third parties (for example, Google Analytics or Meta Pixel), such information may be shared with the third-party developer, which may continue tracking an individual after the individual leaves the covered entity’s website.

In these respects, OCR concluded, tracking technologies might involve disclosure of IIHI. HIPAA defines this term as information that (1) “relates to” an individual’s past, present, or future health, health care, or payment for care and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” When transmitted or maintained by a regulated entity, IIHI is deemed “protected health information” (PHI), subject to HIPAA’s privacy, security, and breach notification requirements.

In a letter dated May 22, 2023, AHA urged OCR to reconsider its guidance. The bulletin erred, AHA argued, by concluding that an IP address is PHI whenever it is shared with a third party, regardless of the context of a user’s visit to a regulated entity’s website. For example, a user of a hospital website may be a relative or friend of a hospital patient, but an IP address does not make such a distinction. If OCR maintained that an IP address, by itself, is a unique identifier under HIPAA, AHA warned that its hospital and health system members “will be forced to restrict the use of certain technologies that help improve community access to health information,” potentially losing millions of dollars of investments in existing websites, apps, and portals under threat of OCR enforcement actions and class-action lawsuits.

Despite AHA’s plea, OCR maintained its interpretive position. As we discussed in a prior alert, the Federal Trade Commission (FTC) and OCR sent a joint letter dated July 20, 2023, to approximately 130 hospital systems and telehealth providers advising them of the legal risks associated with the use of tracking technologies. The letter referred HIPAA regulated entities to OCR’s bulletin, warning that “HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.”

Several months later, AHA and other plaintiffs sued the director of OCR and other government parties in federal district court in Texas. The plaintiffs claimed that OCR lacks the authority under HIPAA to expand the definition of IIHI to include the combination of an individual’s IP address and visits to unauthenticated public webpages (i.e., webpages that do not require user credentials to access) that address specific health conditions or health care providers (referred to as the “Proscribed Combination”). They also alleged that OCR’s tracking technology guidance was arbitrary and capricious and did not follow proper notice-and-comment rulemaking procedures.

As the litigation progressed, OCR revisited its guidance, issuing a modified bulletin on March 18. The modified guidance now explains, with additional illustrations, that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”

The Proscribed Combination Does Not Constitute IIHI, Court Concludes

On cross-motions for summary judgment, the court confronted the central question of whether the Proscribed Combination is IIHI. To analyze this question, the court evaluated the definitional components of IIHI:

“Relates to” Prong. The court noted that, as modified, the OCR bulletin required a covered entity to analyze a website user’s subjective intent for visiting a public webpage to determine whether the Proscribed Combination was IIHI. That is, the Proscribed Combination is IIHI only if the user intends to visit the webpage for purposes related to the user’s health, health care, or payment for care. But, the court reasoned, determining a user’s intent is an impossible task for covered entities; there may be a variety of reasons why an individual would access health content on a website, and the definition of IIHI accounts for only a subset of those possibilities. Accordingly, the Proscribed Combination did not satisfy the “relates to” prong of the definition of IIHI.
“Identifies” Prong. The court took a similar approach to analyzing whether the Proscribed Combination “identifies the individual,” explaining that the “Proscribed Combination does not and cannot identify an individual or the individual’s PHI without an unknowable subjective-intent element[.]” That is because the “individual” whom the Proscribed Combination must identify is the individual intending to visit a public webpage for reasons related to that individual’s health, health care, or payment for care. Yet, the Proscribed Combination does not “identify” the webpage user or the user’s condition, and information about the user’s intent is not collected. Thus, the Proscribed Combination did not meet the “identifies” prong of the definition of IIHI.

In sum, the court held that “the closest the Proscribed Combination gets to IIHI is a speculative inference extrapolated from (but unsubstantiated by) collected metadata.” Because HIPAA governs PHI, a necessary element of which is IIHI, OCR thus exceeded its legal authority to regulate the Proscribed Combination as provided in the bulletin. The court accordingly vacated the Proscribed Combination and did not consider the plaintiffs’ other claims.

As of the date of this alert, the defendants have not appealed the court’s order. A notation added to OCR’s bulletin states that “HHS is evaluating its next steps in light of that order.”

Key Takeaways

The court’s decision narrows the scope of website information subject to regulation under HIPAA. To that extent, it may lessen regulated entities’ HIPAA compliance burden. Although the court’s decision is limited to a single district in Texas, the ruling will likely impact OCR’s enforcement posture on the Proscribed Combination beyond that district. As stakeholders monitor OCR’s next moves, regulated entities should consider doing the following:

Review Tracking Technologies in Use. Regulated entities should conduct thorough reviews of the tracking technologies they use, including cookies, web beacons, and similar tools, and evaluate whether those technologies collect IIHI. Regular audits and assessments of these technologies can help in maintaining compliance and identifying potential risks.
Develop Data Segregation Practices. While the Proscribed Combination may not constitute IIHI, the court’s opinion leaves open the possibility that other combinations of data collected on regulated entities’ websites or apps may be IIHI. To avoid confusion about what data is IIHI, regulated entities may opt to segregate general user data from health-related information. Implementing clear data management practices can help distinguish between different types of data collected through tracking technologies.
Analyze Arrangements With Tracking Technology Vendors. Many regulated entities contract with third-party vendors for their tracking technologies. Regulated entities should review these arrangements to determine what information they share with those vendors. This process will involve determining whether a business associate agreement is required to ensure that disclosures of PHI to the vendor are permitted by the HIPAA rules.
Monitor for Updated OCR Guidance. OCR might release additional guidance or initiate formal notice-and-comment rulemaking to clarify the instances in which tracking technologies facilitate impermissible disclosures of PHI and IIHI and to address the deficiencies that the court identified with the prior versions of OCR’s bulletin. For now, regulated entities should be aware that the court vacated only that portion of OCR’s bulletin regarding the Proscribed Combination. The court did not vacate those portions of the bulletin discussing the risk of impermissible disclosures resulting from tracking technologies on user-authenticated websites, such as patient portals, or the risk of impermissible disclosures of other combinations of IIHI besides the Proscribed Combination on unauthenticated public webpages.
Stay Familiar With Other Privacy Laws. Beyond HIPAA, other privacy laws may also govern regulated entities’ use of tracking technologies. The FTC enforces privacy protections under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. The FTC has actively used this authority to take enforcement actions against companies that share identifiable health-related information via pixels or other tracking technologies without proper consent, as seen in cases like the enforcement action against GoodRx for sharing users’ health data with advertisers. Additionally, new state privacy laws, such as the My Data My Health Act in Washington State, impose stringent requirements on the handling of consumer health data. These laws often extend beyond HIPAA’s scope and provide consumers with greater control over their health information. Consequently, HIPAA regulated entities must navigate a complex regulatory landscape to ensure compliance when using online tracking technologies.

If you have any questions about HIPAA compliance and regulatory issues, please contact Gayland O. Hethcoat II, Moyosore O. Koya, or the ArentFox Schiff attorney who usually handles your matters.