OCR Withdraws Notice of Appeal in Website Tracking Technology Case

On August 19, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) filed a notice of appeal, signaling its intention to appeal a ruling by the U.S. District Court for the Northern District of Texas that partially vacated its tracking technology guidance for HIPAA-regulated entities. The notice of appeal was officially withdrawn ten days later, on August 29, 2024.
Website tracking technologies are snippets of code that are added to websites to collect information about visitors and how they interact with website content. The information collected includes the pages the user navigates to, how they arrived on the site, how much time they spent on the site, and other information. These tools may also collect a user’s IP address and location, and the information collected may be provided to third parties. That information may be used to serve individuals personalized ads on other platforms.
In 2022, The Markup/STAT investigated the use of these tools by hospitals and found that one-third of the top 100 hospitals in the United States had added these tools to their websites, and in some cases had even added them to authenticated pages such as patient portals. A 2023 study of 3,700 hospital websites by researchers at the University of Pennsylvania found third-party tracking tools on 98.6% of hospital websites. The problem with the use of these tools on hospital websites is that they may collect sensitive health information. For example, if a website visitor books an appointment and selects a health condition related to that appointment from a drop-down menu, that information may be passed to a third party without the visitor’s knowledge or consent. Since the user’s IP address is also collected, that would allow that individual to be identified.
OCR issued a bulletin in December 2022 about how HIPAA applies to these tools, stating that the tools could only be used if certain conditions were met. A business associate agreement must be signed with the provider of the tool or authorization must be obtained from the patient. Since the providers of these tools do not usually sign business associate agreements and obtaining HIPAA-compliant authorizations is not practical, the guidance essentially banned the use of these tools.
The American Hospital Association (AHA) was critical of the guidance as these tools are used extensively on websites and provide important benefits. By banning the use of the tools, hospitals would not be able to analyze their own website traffic to enhance access to care and public health and it would harm their ability to share important healthcare information with the communities they serve, which would ultimately be harmful to patients and communities.
The AHA, along with the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, filed a lawsuit that sought to bar OCR from enforcing the guidance. Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs in support of the lawsuit. The AHA argued that OCR had overstepped its authority by issuing the guidance, with one of the main issues being OCR’s determination that an IP address combined with visitor data on an unauthenticated web page constitutes individually identifiable health information (IIHA) that is covered under HIPAA and considered protected health information (PHI).
OCR updated its guidance on March 18, 2024, with the revision stating that not all information collected by these tools would be classed as PHI; however, the lawsuit proceeded. Judge Mark Pittman of the U.S. District Court for the Northern District of Texas ruled in favor of the plaintiffs and agreed that the guidance was in clear excess of the HHS’s authority under HIPAA and vacated portions of the guidance.
After filing the notice of appeal, OCR was expected to file an opening brief in the U.S. Court of Appeals for the Fifth Circuit that outlined its arguments as to why the U.S. District Court’s decision should be overturned; instead, the notice of appeal was officially withdrawn, which brings the uncertainty over the use of website tracking technologies to an end.
“The American Hospital Association is pleased that the Office for Civil Rights has decided not to appeal the district court’s decision vacating the new rule adopted in its Online Tracking Technologies Bulletin. As the AHA repeatedly explained to OCR – both before and after OCR forced the AHA to file its lawsuit – this rule was a gross overreach by the federal government, imposed without any input from healthcare providers or the general public,” said AHA General Counsel, Chad Golder. “Now that the Bulletin’s illegal rule has been vacated once and for all, hospitals can safely share reliable, accurate health care information with the communities they serve without the fear of federal civil and criminal penalties.”
The District Court ruling means an IP address combined with information collected from an unauthenticated web page does not constitute IIHA and is therefore not covered by HIPAA, which means tracking tools can be used without a HIPAA authorization or business associate agreement on unauthenticated web pages. The ruling did not vacate the guidance with respect to authenticated web pages, such as patient portals, so the restrictions on the use of the technologies on authenticated web pages still stand.