American Hospital Association sues HHS over HIPAA online tracking technology bulletin
On November 3, 2023, the American Hospital Association (AHA), along with the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (the Plaintiffs), filed a lawsuit against the Department of Health and Human Services (HHS) Secretary, Xavier Becerra, and HHS’s Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, over OCR’s December 2022 Bulletin addressing the use of online tracking technologies by HIPAA Covered Entities and Business Associates (the Bulletin).
The Plaintiffs claim that OCR used the Bulletin to unlawfully expand the definition of individually identifiable health information (IIHI) to include data, such as internet protocol (IP) addresses, collected from unauthenticated public-facing webpages.[1]
The lawsuit follows prior engagement from the AHA after the Bulletin’s initial release. In May 2023, the AHA expressed serious concerns about the scope of the guidance in an open letter to OCR. The AHA specifically asserted, among other items, that OCR should suspend or amend the Bulletin immediately on grounds that the guidance erroneously expanded the scope of HIPAA to apply to IP addresses regardless of context.[2] The AHA further stated that OCR should seek public comment via a Request for Information or notice-and-comment rulemaking rather than “issuing sub-regulatory guidance that did not benefit from any input by” HIPAA-regulated entities.[3] The AHA has also requested that Congress urge OCR to retract the Bulletin.[4]
Since issuing the Bulletin, OCR has shown no signs of rescinding or amending it. Not only has OCR confirmed that it has initiated investigations nationwide concerning the use of online tracking technologies, it has also issued warning letters to providers. In July 2023, OCR and the FTC jointly notified 130 hospital systems and telehealth providers that they may be deploying online tracking technologies on their websites or mobile apps and collecting health information in violation of HIPAA. The agencies publicly released the letters in September.
According to the Plaintiffs, OCR’s actions reflect an intent to use the overbroad interpretation of IIHI set forth in the Bulletin as a basis for enforcement. The AHA, therefore, determined that it was necessary to file suit on behalf of its members to prevent OCR from unlawfully penalizing hospitals.[5] Although the lawsuit is focused on hospitals, the outcome will effectively affect all HIPAA covered entities and business associates.
Background
Online tracking technologies are the technologies that companies use to collect and analyze information about how users interact with websites and mobile applications. They rely on scripts or code that gather information about users as they interact with the website or mobile application, such as web beacons, tracking pixels, session replay scripts, and fingerprinting scripts. Online tracking technologies help website operators perform analytics, display tailored content, and serve advertising, among other purposes.[6]
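The categories named above (third-party scripts, tracking pixels and beacons, embedded widgets) are the things a regulated entity would need to inventory on its own public-facing pages before it can assess its position under the Bulletin. The following script is an added illustration, not part of this alert and not a DLA Piper or AHA tool: it scans a page’s HTML with the Python standard library and reports third-party `<script>` and `<iframe>` sources and 1x1 or hidden `<img>` elements, which is the usual shape of a pixel or web beacon. The hostnames and the sample page are constructed for the example; the heuristics are an assumption about typical markup, they cannot see scripts injected at runtime, and the output says nothing about whether any finding is IIHI or PHI.

```python
"""Inventory third-party tracking elements in a public web page (added example).

Heuristic, stdlib-only scan a site owner might run over its own pages while
evaluating its use of online tracking technologies. It flags:
  - <script>/<iframe> loaded from a host other than the first-party host
  - <img> elements that are 1x1 / 0x0 or hidden via inline style (pixel/beacon shape)
It does not execute JavaScript, so trackers injected at runtime are invisible to it.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class Finding:
    kind: str   # "third_party_script", "third_party_iframe" or "pixel_image"
    src: str    # the element's src attribute as written in the page
    host: str   # hostname extracted from src ("" for relative URLs)


class TrackerInventory(HTMLParser):
    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings: list[Finding] = []

    @staticmethod
    def _host(src: str) -> str:
        return (urlparse(src).hostname or "").lower()

    def _is_third_party(self, host: str) -> bool:
        # Relative URLs (empty host) and subdomains of the first party are first-party.
        if not host or host == self.first_party_host:
            return False
        return not host.endswith("." + self.first_party_host)

    # HTMLParser routes self-closing tags such as <img ... /> here as well.
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        if tag in ("script", "iframe"):
            host = self._host(src)
            if self._is_third_party(host):
                self.findings.append(Finding(f"third_party_{tag}", src, host))
        elif tag == "img":
            tiny = (a.get("width", "").strip() in ("0", "1")
                    and a.get("height", "").strip() in ("0", "1"))
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if tiny or hidden:
                self.findings.append(Finding("pixel_image", src, self._host(src)))


def inventory(html: str, first_party_host: str) -> list[Finding]:
    """Return findings in document order for one page."""
    parser = TrackerInventory(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings: list[Finding]) -> list[tuple[str, str]]:
    """Distinct (kind, host) pairs, sorted, for a per-vendor review list."""
    return sorted({(f.kind, f.host) for f in findings})


# Constructed sample page for a fictitious hospital site (.test hostnames are reserved).
SAMPLE_HTML = """<html><head>
<script src="https://www.example-hospital.test/js/site.js"></script>
<script src="https://analytics.vendor-a.test/tag.js"></script>
</head><body>
<h1>Cardiology services</h1>
<img src="https://pixel.vendor-b.test/p.gif?ev=view" width="1" height="1" alt="">
<img src="/images/logo.png" width="200" height="60" alt="logo">
<iframe src="https://embed.vendor-c.test/widget" style="display:none"></iframe>
<img src="https://www.example-hospital.test/beacon.gif" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for f in inventory(SAMPLE_HTML, "www.example-hospital.test"):
        print(f"{f.kind:20} {f.host or '(relative)':30} {f.src}")
```

Run against the sample page it reports the vendor-a script, the vendor-b pixel, the hidden vendor-c iframe and the first-party hidden beacon, and skips the first-party script and the visible logo. In practice the list of hosts is the starting point for the vendor and contract review (who receives the data, and from which pages), not the end of it.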
As we reported in our December 15, 2022 and August 1, 2023 alerts, the Bulletin sets forth OCR’s interpretation of HIPAA as it relates to the use of these online tracking technologies. Specifically, the Bulletin provides that:
- Information including, but not limited to, medical record number, home or email address, date of appointment, IP address, and geographic location qualifies as IIHI
- Data qualifies as IIHI even if an individual does not have an existing relationship with the HIPAA-regulated entity at the time of collection, and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information. According to OCR, “[t]his is because, when a regulated entity collects individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (ie, it is indicative that the individual has received or will receive healthcare services or benefits from the covered entity)”[7]
- When IIHI is collected by tracking technology vendors through online tracking technologies deployed on a HIPAA-regulated entity’s website or mobile application, the IIHI is generally protected health information (PHI)
- HIPAA-regulated entities may only use online tracking technologies in compliance with the HIPAA Privacy Rule. Vendors of these tracking technologies qualify as business associates if they collect PHI from the deployment of such technologies on user-authenticated pages (ie, pages that require a log-on) and from unauthenticated pages. Examples of unauthenticated pages include but are not limited to a login page, user registration page, pages that address specific symptoms or conditions, and pages that permit individuals to search for doctors or schedule appointments without entering credentials
It is OCR’s extension of the definition of IIHI to data collected from unauthenticated pages that is the basis for the Plaintiffs’ allegations in the lawsuit.
Lawsuit summary
In the lawsuit, the Plaintiffs allege that the Bulletin’s expansive definition of IIHI (1) exceeds OCR’s statutory authority under HIPAA and violates the First Amendment,[8] and (2) violates the Administrative Procedure Act as it is arbitrary and capricious (contrary to 5 USC § 706(2)(A)) and did not undergo proper notice and comment rulemaking (contrary to 5 USC § 553).
The Plaintiffs argue that OCR inappropriately classifies as IIHI certain data collected through an online technology that connects (1) an individual’s IP address with (2) a visit to a publicly accessible webpage that does not require or request login information for user authentication and that addresses specific health conditions or health providers (the “Proscribed Combination”).
The Plaintiffs do not challenge the Bulletin’s classification of IIHI for information collected through patient portals or other password-protected areas of a hospital’s website. The Plaintiffs have requested that (1) OCR’s Bulletin defining the Proscribed Combination as IIHI be set aside, (2) the court render a declaratory judgment that the Proscribed Combination does not constitute IIHI under the statute or regulation, and (3) the court issue a permanent injunction prohibiting OCR from enforcing its interpretation of the Proscribed Combination against the hospital plaintiffs and other members of the AHA.
Lawsuit outcome far from certain
The Bulletin arguably marks a significant shift in how many HIPAA-regulated entities have understood the scope of HIPAA, particularly as it relates to data collected from their public-facing unauthenticated webpages. The extensive use of website analytics and online tracking technologies, including by the federal government’s own covered entities, tends to confirm how significant this shift is. Notably, one district court recently concluded that “[t]he interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear” and that this type of data does not “in the least bit fit into” the definition of IIHI.[9]
Whether other courts would reach the same conclusion is uncertain. A central issue in this lawsuit will be whether the Bulletin should have been subject to notice-and-comment rulemaking. However, no matter the outcome, all HIPAA-regulated entities, in addition to hospitals, are likely to be impacted.
This continues to be an evolving space in health privacy law, and we will continue to monitor developments arising from this lawsuit and in the space more generally. We encourage regulated entities to evaluate their use of website analytics and online tracking technologies and consider their existing obligations under HIPAA in light of the Bulletin. As of the date of this alert, OCR has not publicly responded to the suit.
For information about HIPAA and compliance obligations, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Healthcare industry or Data Protection, Privacy and Cybersecurity groups.
[1] 45 CFR § 160.103 defines individually identifiable health information as “information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.” While IP addresses are included as identifiers that must be removed from a PHI data set in order for the data set to be “de-identified” under HIPAA’s Safe Harbor Method, the Bulletin is the first time that OCR has suggested that an IP address alone, without further connection to an individual’s past, present or future physical or mental health or condition, provision of healthcare to the individual, or payment for the provision of healthcare to the individual, would be deemed to be PHI. See 45 CFR § 164.514(b)(2)(i)(O).
[2] Ltr. from Melinda Reid Hatton, Gen. Counsel and Sec’y, Am. Hosp. Ass’n, to Melanie Fontes Rainer, Dir., OCR (May 22, 2023).
[3] See id.
[4] Ltr. from Stacey Hughes, Executive Vice President, Am. Hosp. Ass’n, to Senator Bill Cassidy, M.D., Senate Committee on Health, Education, Labor and Pensions (September 28, 2023).
[5] Press Release, Am. Hosp. Ass’n, Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands (Nov. 2, 2023), at https://www.aha.org/press-releases/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands-their.
[7] Dep’t of Health & Human Servs., Office for Civil Rights, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates”, at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html (last reviewed Dec. 1, 2022). Notably, this interpretation by OCR ignores the fact that individuals go to websites, including hospital and healthcare provider websites, for reasons other than seeking treatment; for example, for research or employment purposes.
[8] The Plaintiffs allege that interpreting the definition of IIHI to include the Proscribed Combination violates the First Amendment because it would restrict protected speech on information concerning visitors to a publicly available website.
[9] See Kurowski v. Rush Sys. for Health, No. 22 C 5380, 2023 WL 4707184, at *4 (N.D. Ill. July 24, 2023).