Court Strikes Down HHS “Guidance” Regarding Online Tracking Technologies and HIPAA: Implications for Healthcare Providers

In a recent landmark decision, the United States District Court for the Northern District of Texas issued an opinion and order with significant implications for healthcare providers and their use of online technologies. The case, filed by the American Hospital Association, Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, challenged a new rule imposed by the U.S. Department of Health and Human Services (HHS). The Court’s ruling grants partial summary judgment in favor of the plaintiffs, striking down the HHS rule as it pertains to the use of tracking technologies on healthcare providers’ websites.

Background of the Case

The core issue in this case revolves around the interpretation and application of the Health Insurance Portability and Accountability Act (HIPAA) and its provisions regarding “Individually Identifiable Health Information” (IIHI). In December 2022, HHS issued a guidance document (the Original Bulletin) that expanded the definition of IIHI to include the combination of an individual’s IP address with their visits to healthcare providers’ unauthenticated public webpages (UPWs). This combination, referred to as the “Proscribed Combination,” was considered by HHS to be protected under HIPAA. In response to the lawsuit, HHS later revised its rule but retained the “Proscribed Combination” concept in the “Revised Bulletin.”

The plaintiffs argued that this new rule was an overreach of HHS’s authority and imposed significant new obligations on healthcare providers without proper rulemaking procedures, including public notice and comment.

Court’s Analysis and Ruling

The Court thoroughly examined whether the Revised Bulletin issued by HHS, which softened some language but maintained the core rule, constituted a “final agency action” subject to judicial review. The Court found that the Revised Bulletin did indeed represent a final agency action because it imposed new substantive legal obligations on covered entities. The Court struck down the Revised Bulletin.

Key Findings

  • New Legal Obligations: The Revised Bulletin effectively mandated that healthcare providers treat the combination of an individual’s IP address and their visit to a healthcare-related webpage as IIHI, thus subjecting it to HIPAA’s Privacy Rule (regardless of whether the individual was a patient, actually had the health condition, or whether the healthcare provider knew that they were a patient/had the health condition).
  • Exceeds Statutory Authority: The Court concluded that HHS exceeded its statutory authority by expanding the definition of IIHI beyond what HIPAA explicitly permits. The Proscribed Combination does not meet the statutory definition of IIHI, as it fails both the “relates to” and “identifies” prongs required by the law.

Implications for Healthcare Providers

The Court’s ruling has several important implications for healthcare providers:

  1. Invalidation of the Proscribed Combination Rule: The Court’s decision invalidates HHS’s rule that treated the combination of an IP address and visits to healthcare-related webpages as IIHI. This means that healthcare providers are no longer required to treat such combinations as protected under HIPAA.
  2. Relief from New Obligations: Healthcare providers are relieved from the significant new compliance burdens that the Proscribed Combination rule imposed. They can continue using third-party tracking technologies on their websites without fear of violating HIPAA, provided they do not disclose actual IIHI.
  3. Need for Clear Guidance: The ruling underscores the need for HHS to provide clear and consistent guidance that aligns with the statutory definitions and procedural requirements of HIPAA. Healthcare providers should stay informed about any further developments or new rules proposed by HHS in response to this decision.

Conclusion

The Court’s decision marks a significant victory for healthcare providers, ensuring that HHS cannot expand the definition of IIHI beyond its statutory limits without proper rulemaking procedures. Healthcare providers should review their current use of tracking technologies and ensure compliance with the Court’s ruling, while remaining vigilant for any new guidance from HHS. This case highlights the ongoing tension between regulatory agencies and the entities they regulate, emphasizing the importance of adhering to statutory authority and procedural norms in rulemaking.

For guidance on HIPAA or online marketing issues, contact your regular attorney at The Health Law Partners, or contact Clinton Mikel, Esq., at cmikel@thehlp.com or 248-996-8510.
