Published on: | by

Court Strikes Down HHS “Guidance” Regarding Online Tracking Technologies and HIPAA: Implications for Healthcare Providers

In a recent landmark decision, the United States District Court for the Northern District of Texas issued an opinion and order with significant implications for healthcare providers and their use of online technologies. The case, filed by the American Hospital Association, Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, challenged a new rule imposed by the U.S. Department of Health and Human Services (HHS). The Court’s ruling grants partial summary judgment in favor of the plaintiffs, striking down the HHS rule as it pertains to the use of tracking technologies on healthcare providers’ websites.

Background of the Case

The core issue in this case revolves around the interpretation and application of the Health Insurance Portability and Accountability Act (HIPAA) and its provisions regarding “Individually Identifiable Health Information” (IIHI). In December 2022, HHS issued a guidance document (the Original Bulletin) that expanded the definition of IIHI to include the combination of an individual’s IP address with their visits to healthcare providers’ unauthenticated public webpages (UPWs). This combination, referred to as the “Proscribed Combination,” was considered by HHS to be protected under HIPAA. HHS later revised its rule, in response to the lawsuit, but still retained the “Proscribed Combination” concept in the “Revised Bulletin”.

The plaintiffs argued that this new rule was an overreach of HHS’s authority and imposed significant new obligations on healthcare providers without proper rulemaking procedures, including public notice and comment.

Court’s Analysis and Ruling

The Court thoroughly examined whether the Revised Bulletin issued by HHS, which softened some language but maintained the core rule, constituted a “final agency action” subject to judicial review. The Court found that the Revised Bulletin did indeed represent a final agency action because it imposed new substantive legal obligations on covered entities. The Court struck down the Revised Bulletin.

Key Findings

  • New Legal Obligations: The Revised Bulletin effectively mandated that healthcare providers treat the combination of an individual’s IP address and their visit to a healthcare-related webpage as IIHI, thus subjecting it to HIPAA’s Privacy Rule (regardless of whether the individual was a patient, actually had the health condition, or whether the healthcare provider knew that they were a patient/had the health condition).
  • Exceeds Statutory Authority: The Court concluded that HHS exceeded its statutory authority by expanding the definition of IIHI beyond what HIPAA explicitly permits. The Proscribed Combination does not meet the statutory definition of IIHI, as it fails both the “relates to” and “identifies” prongs required by the law.

Implications for Healthcare Providers

The Court’s ruling has several important implications for healthcare providers:

  1. Invalidation of the Proscribed Combination Rule: The Court’s decision invalidates HHS’s rule that treated the combination of an IP address and visits to healthcare-related webpages as IIHI. This means that healthcare providers are no longer required to treat such combinations as protected under HIPAA.
  2. Relief from New Obligations: Healthcare providers are relieved from the significant new compliance burdens that the Proscribed Combination rule imposed. They can continue using third-party tracking technologies on their websites without fear of violating HIPAA, provided they do not disclose actual IIHI.
  3. Need for Clear Guidance: The ruling underscores the need for HHS to provide clear and consistent guidance that aligns with the statutory definitions and procedural requirements of HIPAA. Healthcare providers should stay informed about any further developments or new rules proposed by HHS in response to this decision.

Conclusion

The Court’s decision marks a significant victory for healthcare providers, ensuring that HHS cannot expand the definition of IIHI beyond its statutory limits without proper rulemaking procedures. Healthcare providers should review their current use of tracking technologies and ensure compliance with the Court’s ruling, while remaining vigilant for any new guidance from HHS. This case highlights the ongoing tension between regulatory agencies and the entities they regulate, emphasizing the importance of adhering to statutory authority and procedural norms in rulemaking.

For guidance on HIPAA or online marketing issues, contact your regular attorney at The Health Law Partners, or contact Clinton Mikel, Esq., at cmikel@thehlp.com or 248-996-8510.

Contact Information
Detroit
32000 Northwestern Hwy #240
Farmington Hills, MI 48334
P (248) 996-8510 F (248) 996-8525

The Health Law Partners, P.C.

New York City
15 W 38th St 4th Floor #735
New York, NY 10018
P (212) 734-0128 F (917) 210-2952

The Dresevic, Iwrey, Kalmowitz & Pendleton Law Group A Division of The Health Law Partners, P.C.

This is an attorney advertisement.

We serve the following localities: Alpena County, Alpena, Bay County, Auburn, Bay City, Essexville, Pinconning, Berrien County, Benton Harbor, Berrien Springs, Buchanan, Coloma, Niles, St. Joseph, Stevensville, Watervliet, Calhoun County, Albion, Battle Creek, Marshall, Charlevoix County, Boyne City, Charlevoix, East Jordan, Cheboygan County, Cheboygan, Crawford County, Grayling, Eaton County, and Bellevue. [ View More ]

This is an attorney advertisement.

Branding by Zoyes Creative

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2024, The Health Law Partners, P.C.
JUSTIA Law Firm Blog Design