HHS Bulletin on Online Tracking Technologies Declared Unlawful: What Covered Entities and Business Associates Need to Know About the AHA Lawsuit
Authors
Myriah V. Jaworski, John F. Howard
Online tracking technologies are used by healthcare and hospital systems throughout the United States to analyze their website traffic, personalize content, and provide relevant information to website visitors, some of whom may be patients or future patients.
The past two years have seen increasing awareness among individuals and regulators alike that online tracking technologies such as cookies and pixels may, in some but not all instances, be associated with an actual person and allow for certain inferences, such as inferences about health conditions or appointment status. A wave of class actions targeting healthcare systems for their use of the Meta Pixel, for example, has alleged that these online tracking technologies effect unauthorized disclosures of sensitive health information.
With this backdrop, in December 2022 the Department of Health and Human Services (HHS) issued an “Online Tracking Bulletin” which declared that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
The Bulletin gave examples of the types of activities that may violate HIPAA, including the use of trackers on unauthenticated webpages (i.e., webpages where a regulated entity may not know who the person accessing the website is, including whether or not they are a patient). After releasing the Bulletin, OCR (in conjunction with the Federal Trade Commission (FTC)) sent letters to approximately 130 hospital systems and telehealth providers encouraging them to review their practices and take action in light of the Bulletin. Under the Bulletin’s requirements, some covered entities gave notice to consumers of unauthorized disclosures of their PHI through website cookies or pixels.
In early 2024, a group of hospital systems led by the American Health Association (“AHA”) sued HHS/OCR to block enforcement of the Bulletin, arguing that OCR’s interpretation of how HIPAA applied to covered entities’ and business associates’ use of tracking pixels on websites and mobile apps exceeded its rulemaking and other HIPAA authorities.
Specifically, the hospital systems argued that OCR used the Bulletin to inappropriately classify as individually identifiable health information (“IIHI”) certain data collected through an online technology that connects an individual’s IP address with a visit to a publicly accessible webpage that does not require or request login information for user authentication and that addresses specific health conditions or health providers (the “Proscribed Combination”). According to the lawsuit, the Proscribed Combination exceeds OCR’s statutory authority under HIPAA, violates the First Amendment, and violates the Administrative Procedure Act because it is arbitrary and capricious (contrary to 5 USC § 706(2)(A)) and did not undergo proper notice-and-comment rulemaking (contrary to 5 USC § 553).
The Plaintiffs did not challenge the Bulletin’s classification of IIHI for information collected through patient portals or other password-protected areas of a hospital’s website.
Under the Proscribed Combination, IP addresses collected from unauthenticated webpages could constitute HIPAA-regulated information entitled to all the protections HIPAA requires for such information. This includes requiring consent or authorization for its disclosure to the technology vendors providing the service, requiring that business associate agreements be in place with those vendors, and requiring that the information be protected according to the extensive requirements of the HIPAA Security Rule. These requirements severely curtailed covered entities’ ability to engage in basic online practices such as analyzing website traffic and personalizing websites to enhance care and offerings.
In a highly watched June 20 decision, the federal court for the Northern District of Texas (Fort Worth) agreed with the hospital systems, holding the Bulletin unlawful and in excess of HHS/OCR’s regulatory authority. According to the Court, “…this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power.… While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements.… The Court GRANTS the Hospitals’ request for declaratory judgment and DECLARES that the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS’s authority under HIPAA.”
Through its 31-page Order, the Court described how HHS/OCR tried to use sleight of hand to squeeze in a new legal requirement to protect a class of information that did not fit within what Congress sought to protect with HIPAA. According to the Court, the limitations that Congress built into HIPAA were meant to strike a balance: to protect the most sensitive information and build trust in the health system, while still allowing health information to be used and disclosed as needed so as not to stifle innovation in the healthcare industry.
The Court found that the Bulletin created a new legal obligation for covered entities to protect information that was not previously required to be protected: the Proscribed Combination of an IP address with a visit to an unauthenticated web page. HHS argued that this combination of information would meet the definition of IIHI only if the visitor to the web page intended to obtain information related to their own health. This is where the Court found HHS had gone astray.
While the intent of a web page visitor could reasonably be determined when they are visiting a patient portal, such intent would be nearly impossible to determine when no user authentication is required. The Court pointed out that HHS seemingly acknowledged this in its updated guidance but held its course, implicitly stating that even if the intent could not be determined, covered entities were required to treat the information as IIHI or face potentially large consequences.
The Court determined that HHS had failed to account for the fact that even if a web page visitor’s intent was to obtain information about their own health, that intent was not disclosed to the covered entity through the visit, nor was it transferred to the business associates that provide the technology to the covered entity. For that reason, the information fundamentally fails to meet the definition of IIHI, since it does not relate to an individual’s past, present, or future physical or mental health condition.
Ultimately, the Court vacated the HHS guidance. IIHI will retain its pre-December 2022 meaning as it relates to information gathered from visitors of unauthenticated web pages of covered entities.
The AHA Decision highlights important considerations for covered entities and providers of online tracking technologies moving forward, to clearly delineate when the use of a tracking technology implicates HIPAA and when it may not:
- It remains important to fully understand where and how these technologies are deployed on a covered entity’s website, and the exact type of information that is being collected and shared. Working with technology and marketing vendors to clarify deployment, and mapping and inventorying the data collection internally, are important steps.
- If there is a mechanism for a web page visitor to authenticate into a patient portal, scheduling system, or any other type of service, it is important that HIPAA compliance continue to be considered. In certain instances, this means technology vendors can qualify as business associates and there may be privacy and security obligations they must follow.
- The AHA Order provides confidence to covered entities and others that the Proscribed Combination scenario does not implicate HIPAA. However, this information may still be considered “sensitive” under certain state privacy laws.
- It remains important to add publicly available web pages and the services used on them to any risk management program and to continue to monitor HHS/OCR actions in this regard.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.