Court vacates OCR’s unlawful expansion of HIPAA
On June 20, 2024, the US District Court for the Northern District of Texas issued an opinion vacating part of the US Department of Health and Human Services (HHS) Office for Civil Rights’ (OCR) online tracking technology guidance. Ruling in favor of the American Hospital Association, Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (hereinafter referred to collectively as the plaintiffs), the court held that HHS exceeded its authority under HIPAA by establishing a rule that unlawfully expands the unambiguous definition of individually identifiable health information (IIHI) to include certain metadata collected through unauthenticated webpages.
Background
The court’s opinion stems from sub-regulatory guidance issued in December 2022 in which OCR addressed, for the first time, the use of online tracking technologies[1] by HIPAA covered entities and business associates (Original Bulletin).[2] On November 2, 2023,[3] the plaintiffs filed a lawsuit against HHS challenging the Original Bulletin on grounds that content contained therein exceeded HHS' statutory and regulatory authority, and that the Original Bulletin was substantively and procedurally defective under the Administrative Procedure Act (APA).
In their lawsuit, which we discussed here, the plaintiffs asserted, among other things, that the Original Bulletin unlawfully expanded the definition of individually identifiable health information (IIHI). This expansion applied to certain data collected through unauthenticated webpages. Specifically, the bulletin triggers additional HIPAA obligations in circumstances where an online technology connects an individual’s IP address with a visit to an unauthenticated public webpage that contains information about a specific health condition or healthcare provider (hereinafter referred to as the Proscribed Combination), even if regulated entities are not aware of the specific identity of the individual, or the intent for the individual’s visit to the unauthenticated webpage.
During the course of the plaintiffs’ lawsuit, OCR issued a revised bulletin on March 18, 2024 (Revised Bulletin).[4] OCR’s revisions were intended to “increase clarity for regulated entities and the public” regarding the online tracking technology policies that OCR released in its Original Bulletin.[5] The changes included in the Revised Bulletin generally focused on the collection and disclosure of IIHI through a HIPAA-regulated entity’s unauthenticated, public-facing webpages. However, the Revised Bulletin, which we discussed here, left regulated entities with outstanding questions and still maintained that the Proscribed Combination, in certain subjective circumstances, constituted IIHI.
In its defense, HHS asserted in the lawsuit that the court lacked jurisdiction on grounds that the guidance set forth in the bulletins did not qualify as a “final agency action” subject to judicial review. HHS further argued that, even if the court did have jurisdiction, the guidance in the bulletins is consistent with HIPAA’s definition of IIHI and is not “arbitrary and capricious” under the APA.[6]
The court’s analysis and holding
Siding with the plaintiffs, the court held that HHS’ “authority isn’t absolute,” and the Proscribed Combination set forth in the bulletins goes “too far”.[7]
Under HIPAA, the court stated that IIHI is,
“unambiguously defined as protected health information (PHI) that (1) ‘relates to’ an individual’s ‘past, present, or future physical or mental health or condition,’ the individual’s receipt of ‘health care,’ or the individual’s ‘payment for’ healthcare; and (2) ‘identifies the individual’ or provides ‘a reasonable basis to believe that the information can be used to identify the individual.’” (emphasis added).[8]
The court determined that the information restricted by the bulletins failed to satisfy both the “relates to” and “identifies” prongs of the definition of IIHI and, therefore, could not be classified as IIHI under HIPAA.[9]
Under the first prong, the court noted that the “IIHI definition explicitly states that the PHI in question must ‘relate[] to’ a listed category of information” in 42 U.S.C. §1320d(6).[10] However, the Revised Bulletin injected subjectivity into this analysis, and attempted to “require covered entities to perform the impossible” – knowing whether a user’s particular query on an unauthenticated webpage relates to a listed category of information.[11] That is, the bulletins would require regulated entities to know each visitor’s subjective motive for visiting the page in order to determine whether the information received by the regulated entity relates to a listed category. This, to the court, is plainly impermissible, and “to hold otherwise would empower HHS and other executive entities to take increasingly expansive liberties with the finite authority granted to them.”[12]
The court also emphasized that the Revised Bulletin compounded the conundrum for regulated entities, stating:
“A user’s intent in visiting an [unauthenticated webpage] is unknowable. Thus, because HIPAA doesn’t mandate clairvoyance, [regulated entities] must act as if the Original Bulletin controls, i.e., as if the Proscribed Combination is per se IIHI.”[13]
Similarly, under the second prong, the court determined that the bulletins do not indicate how the Proscribed Combination identifies an individual or the individual’s PHI “without an unknowable subjective-intent element – an element not countenanced by the controlling statutory text.”[14] According to the court, while the plaintiffs may receive metadata from users, that “information cannot become IIHI based solely on the visitors’ subjective motive for visiting the page….”[15] Rather, when a recipient receives the metadata contained in the Proscribed Combination, the recipient could not reasonably use such data to identify an individual or their health condition.
Therefore, as the Proscribed Combination contemplated by the bulletins does not relate to or identify an individual, nor is there a reasonable basis to believe that the Proscribed Combination could be used to identify an individual, the Proscribed Combination does not fit within the definition of IIHI under HIPAA. As a result, the court held that treating the Proscribed Combination as IIHI exceeds HHS’ authority and granted vacatur of that part of the bulletins.
Key takeaways
For many stakeholders and regulated entities, the holding and vacatur in this case will be seen as a welcome and rational result. However, the long-term consequences of the decision – including whether appellate courts will reach the same conclusion – remain to be seen.
Notably, the decision arguably leaves open an opportunity for OCR to narrowly construe the Proscribed Combination and, thus, to define as IIHI data gathered by tracking technologies deployed on interactive, unauthenticated webpages and website features. There are also a number of open and untested questions regarding the overall legality of OCR’s bulletins as promulgated by HHS.
For instance, while the court vacated the Proscribed Combination, it did not address whether the Proscribed Combination was defective procedurally or substantively under the APA. Further, the plaintiffs did not challenge whether HHS’ promulgation of the bulletins, which arguably include other novel interpretations of HIPAA and HHS’ own regulations, was lawful under the APA.
Although questions remain, we anticipate that HHS may continue to shine a spotlight on use of online tracking technologies by HIPAA-regulated entities as an enforcement priority, particularly in light of the Federal Trade Commission’s focus on this area. Therefore, as this area of law continues to develop, we encourage regulated entities to carefully evaluate their use of online tracking technologies.
DLA Piper continues to monitor developments involving the use of online tracking technologies, regulator enforcement in this space, and HHS’ response to the court’s decision in this matter.
For information about HIPAA and compliance obligations, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Healthcare sector, or Data Protection, Privacy, and Cybersecurity group.
[1] For further information on online tracking technologies, please see our previous client alert, dated December 15, 2022. See also Dep’t of Health & Human Servs., Office for Civil Rights, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates”, at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (last reviewed June 24, 2024).
[2] Press Release, U.S. Dep’t of Health & Human Servs., HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information (Dec. 1, 2022), at https://www.hhs.gov/about/news/2022/12/01/hhs-office-for-civil-rights-issues-bulletin-on-requirements-under-hipaa-for-online-tracking-technologies.html. See also our client alert, dated December 15, 2022, on the initial bulletin.
[3] Press Release, Am. Hosp. Ass’n, Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands (Nov. 2, 2023), at https://www.aha.org/press-releases/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands-their.
[4] Dep’t of Health & Human Servs., Office for Civil Rights, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates”, at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (last reviewed Mar. 18, 2024).
[5] Id. See also our client alert, dated April 10, 2024, for further information on the Revised Bulletin.
[6] We note that the court dismissed outright HHS’ jurisdiction claim and declined to address the legal procedure arguments brought forth by HHS. Am. Hosp. Ass’n, et al. v. Becerra, et al. No. 4:23-cv-01110-P, slip op. at 4 (N.D. Tex. June 21, 2024).
[7] Id. at 20.
[8] Id. at 21.
[9] Id. at 20–26.
[10] Id. at 23.
[11] Id. at 21.
[12] Id. at 23.
[13] Id. at 12–13.
[14] Id.
[15] Id. at 23–24.