The Secretary of the Department of Health and Human Services (HHS) and the Director of the HHS’ Office for Civil Rights (OCR) are facing legal action over December 2022 guidance for HIPAA-covered entities on tracking technologies.
The guidance was issued in response to breach reports and media coverage related to website tools such as Meta Pixel, which are extensively used on the websites and apps of hospitals and health systems. These tools track the usage of the apps and websites and collect data that can be used to improve services and better serve communities. The problem is that these tools collect information that allows users to be identified along with website and app activities that reveal potentially sensitive health information. That information is then transferred to the providers of the tracking tools and the information may be further disclosed and used to serve targeted ads. One study of more than 3,700 U.S. hospitals found that 99% of studied U.S. hospitals used these tools on their websites and apps.
OCR’s response was to issue guidance that effectively prohibited the use of these tools. According to OCR, these tools could only be used if consent was obtained from website users via HIPAA-compliant authorizations, or a business associate agreement was in place with the providers of the tools. The providers of these tools generally do not sign business associate agreements and obtaining HIPAA-compliant authorizations is problematic. OCR has since confirmed that it has opened investigations into the use of these tools, and jointly with the FTC, wrote to 130 organizations warning them about the use of these tools. The failure to ensure HIPAA-compliant use of these tools risks significant financial penalties for HIPAA noncompliance.
The American Hospital Association (AHA) has criticized OCR’s guidance, which has unintended consequences. While it is important to protect individuals’ privacy, the data collected by tracking tools is critical to other vital web tools, such as analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps. These tools help hospitals and health systems to better serve their communities.
The AHA has been trying to communicate its point of view to OCR for several months and has now been forced to take further action to protect its members from financial penalties. The AHA considers OCR’s decision to include IP addresses as individually identifiable health information (IHII) that must be protected under HIPAA exceeds the HHS’s statutory authority. While IP addresses are linked to searches on hospital websites, which may reveal health information, the pages accessed do not necessarily indicate that an individual suffers from a particular condition nor does it identify them as a patient. As Rick Pollack, AHA President and CEO, explained, “If someone visited a hospital website on behalf of her elderly neighbor to learn more about Alzheimer’s disease, a hospital’s use of any third-party technology that captures an IP address from that visit would expose that hospital to federal enforcement actions and significant civil penalties.”
The AHA argues that HIPAA allows hospitals to use third-party tools that capture IP address information because that information cannot reasonably be used to identify an individual whose health care relates to the webpage visit. While OCR’s letters and statements indicate OCR is actively investigating organizations over the use of these tools, OCR’s decision to expand the definition of IHII was made without due process. “Prior to issuing this rule, the federal government did not consult with hospitals and health systems about their use of third-party technologies that depend on the collection of IP addresses or the impact that its new rule would have on patients or communities,” explained Pollack.
Further, OCR has prohibited the use of these tools, has issued threats in its letters to hospitals, and hospitals are being actively investigated by OCR, yet the federal government has not stopped using the tools. The tools have been and continue to be used on Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites. “We cannot understand why HHS created this ‘rule for thee but not for me.,” said Pollack.
The lawsuit was filed by the AHA, Texas Hospital Association, United Regional Health Care System, and Texas Health Resources against HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer and seeks an order from the court requiring the guidance to be set aside as it is unlawful, for a declaratory judgment that the information collected by these tracking tools does not qualify as IHII, and for permanent injunctive relief prohibiting OCR from enforcing the guidance and imposing financial penalties over the use of these tools.