We recently wrote about a Pennsylvania federal court’s dismissal of a proposed “online tracking technology” class action brought against a local hospital, one of a rising number of lawsuits brought against hospitals and other HIPAA-covered entities that deploy third-party tracking code such as the Meta Pixel on their websites.

In a major ruling that healthcare entities will tout in similar cases moving forward, on June 20, 2024 the U.S. District Court for the Northern District of Texas vacated key parts of a guidance Bulletin issued by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) regarding the use of online tracking technologies. In Am. Hosp. Ass’n v. Becerra, No. 4:23-cv-01110-P, 2024 WL 3075865 (N.D. Tex. June 20, 2024), the Court held that the guidance was unlawful and exceeded the agency’s administrative authority.

In December 2022, HHS-OCR issued, and in March 2024 updated, a bulletin entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” The bulletin attempted to address privacy concerns about the sharing of website usage data collected by third-party tracking code embedded in healthcare providers’ websites, and in particular about tracking programs running on unauthenticated public webpages (“UPWs”), i.e., pages a visitor can reach without logging in. The opinion refers to the portion of the bulletin at issue as the “Proscribed Combination.”

In the Proscribed Combination, HHS-OCR took the position that such data can constitute individually identifiable health information (“IIHI”) under HIPAA, asserting that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a[n] [unauthenticated] webpage addressing specific health conditions or listing health care providers is . . . a sufficient combination of information to constitute IIHI if the visit to the webpage is . . . related to the individual’s own health.” As the Court described the theory, “a third party could connect the dots between a person’s IP address and the searches performed: if an IP address corresponds to Person A, and Person A looks up symptoms of Condition B, one might conclude Person A has Condition B.” Am. Hosp., 2024 WL 3075865, at *2. However, the Court noted, “inferences aside, the above scenario would never reveal that Person A affirmatively had Condition B. But HHS thought otherwise.” Id.

The Proscribed Combination further declared that such information constitutes protected health information (“PHI”) for purposes of the HIPAA Privacy Rule “even if the individual does not have an existing relationship with the regulated entity.” This expanded reading of IIHI imposed new legal obligations on covered entities that use common internet tracking tools such as cookies and the Meta Pixel.

In 2023, the American Hospital Association (“AHA”) and a regional health system filed suit against HHS to stop enforcement of the Bulletin, arguing that the Proscribed Combination exceeded the agency’s authority by unlawfully expanding the definition of IIHI. HHS responded that the Proscribed Combination was not final agency action subject to judicial review.

Judge Mark T. Pittman sided with AHA, ruling that information web users input into a HIPAA-regulated entity’s unauthenticated public webpages does not, on its own, constitute IIHI: “[T]he Proscribed Combination facially violates HIPAA’s unambiguous definition of IIHI.” Am. Hosp., 2024 WL 3075865, at *11.

Attacking the logic of the assumptions made in the Proscribed Combination, the Court wrote, “even if a UPW’s metadata could identify a particular individual, that information cannot become IIHI based solely on the visitors’ subjective motive for visiting the page.” Id. at *12 (internal quotations and citations omitted). A mere inference cannot suffice: “[w]ithout knowing the information that’s never received—i.e., the visitor’s subjective motive—the resulting metadata could never identify that individual’s PHI.” Id. at *14. The Court thus vacated the Proscribed Combination insofar as it seeks to regulate HIPAA-regulated entities’ data collection on unauthenticated webpages. The ruling does not reach authenticated webpages, where the entity already knows who the user is, and the Court implied that HHS may continue to enforce the bulletin against tracking on such pages.

The Am. Hosp. ruling certainly stands as a victory for hospitals and other HIPAA-regulated entities as it pertains to using third-party tracking code on the unauthenticated portions of their web properties. However, entities should retain a conservative approach to tracking technologies and refrain from deploying them on authenticated webpages such as patient portals, where a user’s identity is tied to the pages viewed. The wave of class actions against hospitals over online tracking technologies will not dissipate, and the plaintiffs’ class action bar will take the Am. Hosp. ruling into account when crafting its allegations moving forward.

Chilivis Grubman regularly advises hospitals, doctors’ groups, and other HIPAA-covered entities and business associates on HIPAA compliance and data privacy issues, and defends lawsuits arising out of data breaches and the use of online advertising and tracking technologies.