Judge Rules OCR Overstepped its Authority When Issuing Tracking Technology Guidance
A U.S. district court judge has ruled that the guidance on HIPAA and website tracking technologies issued by the HHS’ Office for Civil Rights (OCR) is unlawful and “was promulgated in clear excess of HHS’s authority under HIPAA.” Under the ruling, an IP address in combination with information collected from an unauthenticated webpage is not individually identifiable health information protected under HIPAA.
The ruling came in a lawsuit filed against the HHS and OCR in the US District Court for the Northern District of Texas Fort Worth Division in November 2023 by the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System.
Website tracking technologies are used on a large number of websites for tracking visitor interactions, and they provide valuable insights into how websites are used. For instance, they allow healthcare organizations to identify pages on their websites that are not getting many visitors, which could indicate the public is having difficulty navigating to those pages. Popular pages give healthcare providers an indication of the level of concern in the community about certain medical conditions. These tools also allow website operators to use third-party maps and location services, which allow healthcare providers to direct the public to their healthcare facilities.
The problem with these tools, and the reason for OCR’s December 2023 guidance, is that they transmit the collected data to the third-party providers of the tools. If a visitor searches for information on Alzheimer’s disease, for example, that search may be transferred to a third party, and the information can be tied to that individual by their IP address.
If the tools are added to pages where appointments are scheduled, appointment information could also be transferred to a third party. In the case of Meta pixel tracking code, a visitor’s identifiable information would be transferred to Meta and may be used to serve them with targeted ads related to information collected on their website visit.
OCR’s view was that health information in combination with an identifier – an IP address – made that information individually identifiable health information that is covered by HIPAA. That meant that in order to disclose the information to a third party, the disclosure must be permitted by the HIPAA Privacy Rule and the third party must sign a business associate agreement. Alternatively, a valid HIPAA authorization must be obtained.
The problem for healthcare providers is that the third-party providers of these tracking tools – tech companies and social media networks – do not sign business associate agreements with HIPAA-covered entities, and obtaining authorizations from website visitors is not practical. Further, visiting a healthcare website does not make an individual a patient. They could, for instance, be searching for information for research purposes or on behalf of someone else.
The AHA argued that OCR’s guidance meant its members would be prevented from using valuable third-party technologies, which are used extensively on the web, and that it would ultimately harm patients and communities. The AHA wrote to the Senate Committee on Health, Education, Labor and Pensions and to OCR to request that the guidance be revoked, arguing that while patient privacy is important, OCR must strike a balance between privacy and important uses of information.
When no action was taken, the AHA was left with little alternative other than to take legal action over the guidance, which the AHA considered unlawful. In response to the lawsuit, OCR issued a revised version of its guidance in March 2024; however, according to the AHA, the revised version was “practically unworkable and internally inconsistent,” and would still prevent hospitals and health systems from using the tools.
The main argument against the guidance was that an IP address matched with information collected on a healthcare provider’s website (Proscribed Combination) did not constitute individually identifiable health information and was therefore not covered by HIPAA. U.S. District Judge Mark T. Pittman sided with the AHA and ruled that the guidance “was promulgated in clear excess of HHS’s authority under HIPAA.”
The AHA also argued that the guidance was issued without any formal rulemaking process, there was no consultation with hospitals, and OCR had stated that it was actively enforcing compliance. OCR and the FTC wrote to 130 hospitals to advise them of the guidance regarding website tracking technologies after the tools were identified on their websites, and warned them about HIPAA compliance. OCR argued that the guidance did not articulate the department’s position “with respect to any concrete circumstances,” and described the guidance as a statement of position rather than a binding rule. The judge disagreed.
“It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance. But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age,” wrote Pittman in his ruling. “Rather, this is a case about power. More precisely, it’s a case about our nation’s limits on executive power.”
AHA’s request for declaratory judgment was granted and the guidance was deemed unlawful, but the AHA’s request for a permanent injunction was denied. While the ruling means that transferring an IP address combined with metadata collected from a website visit does not violate HIPAA, the remainder of OCR’s guidance is unaffected. The technologies therefore still cannot be used on any pages that require a visitor to log in unless the Privacy Rule permits the disclosure and there is a business associate agreement in place, or a HIPAA-compliant authorization is obtained from patients.
“For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text,’” said Chad Golder, AHA general counsel. “As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”