On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The updated guidance replaced OCR’s original guidance issued in December 2022. Both versions warn companies subject to HIPAA, i.e., Covered Entities and their Business Associates (collectively, “Regulated Entities”), that the use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”), including “individually identifiable health information” (“IIHI”), to third parties in violation of HIPAA. The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).

In November 2023, the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (collectively, the “Hospitals”) filed suit in the District Court for the Northern District of Texas, asking the court to declare the requirement relating to the “Proscribed Combination” unlawful, to vacate it, and to permanently enjoin its enforcement because it was “flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy.” After hearing cross-motions for summary judgment, on June 20, 2024, the District Court granted the Hospitals’ request for declaratory judgment and declared that “the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS’s authority under HIPAA.” Specifically, the District Court held that the guidance “improperly creat[ed] substantive legal obligations for covered entities,” and that “the Proscribed Combination facially violate[d] HIPAA’s unambiguous definition of IIHI.” While the District Court vacated the Proscribed Combination portion of the guidance, it also found that a permanent injunction was not appropriate because the Hospitals failed to demonstrate that they had suffered an “irreparable injury.”

OCR initially appealed the District Court’s order to the Fifth Circuit; however, on August 29, 2024, OCR withdrew its appeal. As of the date of this blog’s posting, the guidance includes the following disclaimer:

On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document. See Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024). Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.” Id. at *2. HHS is evaluating its next steps in light of that order.

Despite the District Court’s ruling, organizations should continue to review their use of online tracking technologies to assess compliance with HIPAA and various state laws.

We will continue to monitor developments regarding OCR’s “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” guidance document.
