The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies

The American Hospital Association (AHA), Texas Hospital Association, United Regional Health Care System, and Texas Health Resources have filed a lawsuit against Department of Health and Human Services (HHS) Secretary, Xavier Becerra, and HHS’ Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, over the December 2022 guidance issued by OCR on website tracking technologies.

OCR issued guidance for HIPAA-regulated entities on the use of third-party tracking technologies on public-facing websites and applications following revelations that these tools were disclosing the individually identifiable information of website visitors to third-party companies such as Meta (Facebook), Google, social media platforms, and other third parties. The information disclosed by these tools, which include Meta Pixel and Google Analytics code, could potentially include health information, depending on the interactions of users on the websites and apps where the code is used.

A study of the websites of the 100 top hospitals by The Markup found that one-third had used these tracking tools on their websites without obtaining consent from website visitors. A more comprehensive study of hospitals, published in Health Affairs, found that 99% of the 3,747 U.S. hospitals studied were using these tools on their websites. Several of the hospitals reported the use of these tools as data breaches, including Advocate Aurora Health, Novant Health, WakeMed Health, and Cerebral, Inc., some of which involved the data of millions of patients. Many lawsuits have since been filed against healthcare providers in response to the use of these tools. Advocate Aurora Health recently settled Pixel-related litigation for $12.225 million.

In July 2023, OCR and the Federal Trade Commission (FTC) jointly issued warning letters to 130 healthcare organizations over the use of tracking tools and then published those letters – which name the organizations involved – in September 2023, signaling that both OCR and the FTC are actively enforcing the guidance. The AHA has publicly criticized OCR for its position on tracking technologies. In the AHA’s response to Senator Bill Cassidy’s request for information on healthcare data privacy and HIPAA, the AHA called for the HHS to drop its new website tracking technology rule, which it claimed harmed hospitals and negatively affected patients.


The AHA has now taken the issue a step further with legal action. The AHA claims that it had no alternative other than to take legal action after several months of unsuccessful attempts to communicate its concerns to the HHS. The lawsuit was filed in the U.S. District Court for the Northern District of Texas, Fort Worth Division. It alleges that the new rule is unlawful and claims that the HHS is actively enforcing its new rule against hospitals while the federal government’s own healthcare providers continue to use the prohibited tracking technologies on their websites.

Lawsuit Seeks Court Order Preventing OCR from Enforcing Tracking Technology Guidance

The lawsuit alleges that the decision to class the metadata collected and transmitted by tracking technologies as individually identifiable health information subject to HIPAA is “a gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it.” The AHA explains that “the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.” The lawsuit asks the court to set aside the Bulletin insofar as it provides that the information collected by these technologies is individually identifiable health information (IIHI), arguing that the information collected does not constitute IIHI under the statutory and regulatory definition, and to grant permanent injunctive relief prohibiting OCR from enforcing its rule, so that hospitals and health systems are not unlawfully penalized.

The AHA’s position is that website tracking technologies that collect information such as IP addresses are critical to the function of websites and apps, and that many web tools are rendered ineffective without that information, including analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps, to name only a few. If tracking technologies are prohibited, the AHA argues, these vital website tools will no longer feature on hospital websites, which ultimately harms the patients that OCR’s rule seeks to protect. “The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites,” said Rick Pollack, AHA President and CEO. “We cannot understand why HHS created this ‘rule for thee but not for me.’”

While the OCR guidance is well-intentioned, expanding HIPAA to cover information collected via website interactions is viewed as a step too far by many healthcare organizations that have relied on these tracking tools for improving their websites, apps, and services for the communities they serve. “The Rainer case is an attempt to bring HIPAA back to reality when it comes to websites by blocking enforcement of that guidance. OCR’s December 2022 Guidance threatens to expand HIPAA to every click on every hospital website available to the public. Lots of people access hospital websites who are not patients (jobseekers, researchers and educators, hospital vendors, etc.),” Paul Bond, litigation attorney at Holland & Knight, explained to The HIPAA Journal. “Hospitals understand HIPAA protects electronic medical records stored in password-protected patient portals. To apply these same rules to everything hospital-related online is well-meaning but deeply unserious and trivializes the goals of HIPAA. While no one can predict how a court will rule, the AHA makes a very solid case that the Guidance is arbitrary and capricious. It certainly seems that way to healthcare providers who operate these websites day to day, who are left in the position of having to operate in an online world without the tools commonly available to do so.”

The problem with tracking technologies on hospital websites is that the data collected is used to serve targeted adverts based on interactions on hospital websites. Meta’s data sharing practices are being scrutinized, and several lawsuits have been filed against Meta over the use of its Pixel tool on hospital websites. Meta maintains that the hospitals that use the Meta Pixel tool are to blame for any transfers of sensitive data, which violate its terms and conditions. Meta claims to have processes in place to search for and remove any data sent via its Pixel tool that Meta is not authorized to receive, to prevent that information from being provided to advertisers, although the extent to which that actually occurs has been questioned.

One such lawsuit, John Doe v. Meta Platforms Inc., filed in the U.S. District Court for the Northern District of California in June 2022, alleges that Meta knew, or should have known, that its Pixel tool was being improperly used on the websites of more than 600 hospital systems and should have done more to address the issue. Since Meta is not a business associate and does not provide any business associate functions, Meta has not violated HIPAA; however, the lawsuit claims that when Meta allowed hospital website data to be provided to advertisers and used to display targeted ads on Facebook, Meta violated state privacy and medical confidentiality laws.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
