On August 29, 2024, the Office for Civil Rights of the United States Department of Health and Human Services (“HHS-OCR”) withdrew its appeal of an order by the United States District Court for the Northern District of Texas (“District Court”) declaring unlawful and vacating a portion of an HHS-OCR Bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” See Am. Hosp. Ass’n v. Becerra, No. 4:23-cv-1110 (N.D. Tex. June 20, 2024). At its core, the District Court declared that a portion of the HHS-OCR Bulletin was an overstep of the agency’s authority. While many in the health care industry may breathe a sigh of relief given the proliferation of class action lawsuits focused on tracking technologies and the evolving maze of regulation impacting the industry generally, it is unclear whether HHS-OCR will continue its newfound attempts to regulate the use of tracking technologies. Regardless, vigilance and caution around website tracking should continue to be exercised.
In a prior alert, we explained how the HHS-OCR Bulletin highlighted the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what HHS-OCR described as “script[s] or code[s] on a website or mobile app used to gather information about users as they interact with the website or mobile app”; these scripts or codes can then be analyzed by website owners, app operators, or third parties to create user profiles or to garner insights into users’ online activities. The HHS-OCR Bulletin reminded covered entities about their specific obligation to protect “individually identifiable health information” (“IIHI”), a subset of protected health information (“PHI”) that “relates to” an individual’s health care and either “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” Examples of IIHI may include an individual’s IP address, device ID, or any other unique online or device identifier, each of which is information typically collected by online tracking technologies.
The HHS-OCR Bulletin explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”). In HHS-OCR’s view, IIHI may be collected where a user visits a covered entity’s public webpage concerning a particular health condition, and the online tracking technologies placed on the webpage collect the user’s IP address; and “IIHI collected on a covered entity’s website or mobile app generally is PHI.” Covered entities viewed the guidance set forth in the HHS-OCR Bulletin and, more specifically, the Proscribed Combination described above, as a new and potentially unlawful obligation—“shoehorn[ing] additional information into the IIHI definition.” Accordingly, a lawsuit was filed against HHS-OCR.
Specifically, the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (collectively, the “Hospitals”) asked the District Court for the Northern District of Texas to declare the requirement relating to the “Proscribed Combination” unlawful, to vacate it, and to permanently enjoin its enforcement because it was “flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy.” Id., Doc. 1, “Complaint” (filed Nov. 2, 2023). The District Court took up these arguments on cross-motions for summary judgment and, on June 20, 2024, denied HHS-OCR’s motion but granted in part and denied in part the Hospitals’ motion. Specifically, the District Court agreed with the Hospitals that the HHS-OCR Bulletin “improperly creat[ed] substantive legal obligations for covered entities,” reasoning that the HHS-OCR Bulletin was a final agency action subject to judicial review and that “the Proscribed Combination facially violate[d] HIPAA’s unambiguous definition of IIHI.” And, while the District Court disagreed with the Hospitals that a permanent injunction was appropriate because the Hospitals failed to demonstrate that they have suffered an “irreparable injury,” the District Court ordered vacatur, citing the United States Court of Appeals for the Fifth Circuit’s (“Fifth Circuit”) ordinary practice with respect to “unlawful agency action.”
HHS-OCR appealed the District Court’s order to the Fifth Circuit; however, ten days later, and with consent of the Hospitals, HHS-OCR submitted a motion to voluntarily dismiss its appeal pursuant to Federal Rule of Appellate Procedure 42(b). As of the date of this alert, HHS-OCR did not provide, and still has not provided, any comment about the District Court’s order or its appeal withdrawal—leaving the health care industry wondering about HHS-OCR’s next move. Because the District Court only declared as unlawful the portion of the HHS-OCR Bulletin characterized as the “Proscribed Combination,” HHS-OCR may seek to restructure the Bulletin to reincorporate the spirit of the Proscribed Combination. Alternatively, HHS-OCR may seek to rescind its Bulletin entirely and, instead, promulgate a proposed rule consistent with the Administrative Procedure Act—involving a solicitation for and review of public comment before finalizing. Such a proposed rule could include an updated definition of IIHI for purposes of illustrating the importance of regulating HIPAA covered entities using online tracking technologies.
As showcased by HHS-OCR’s novel interpretation and application of HIPAA, and the twists and turns that the various court challenges have taken, health care industry participants should remain apprised of new guidance, views, or positions taken by the numerous federal and state agencies that regulate, in various capacities, the health care industry. Further, given the ongoing wave of class action lawsuits focused on website tracking technologies under state wiretapping and telecommunications laws (see “Latest Wave of Wiretap Class Actions Continues Despite Dismissals as Plaintiffs Try New Approaches” and “Surge of Privacy Class Actions in Arizona Targeting Email Pixel Tracking”), vigilance and caution around implementation of website tracking should continue to be exercised.