OCR Drops Appeal in AHA Tracking Technology Case
Ten days after filing its notice to appeal a District Court ruling that vacated its tracking technology guidance, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) decided not to proceed and officially withdrew its notice of appeal. The decision by the HHS to voluntarily drop the appeal will provide HIPAA-regulated entities with clarity over the use of website tracking technologies, which can continue to be used on unauthenticated web pages without the risk of future penalties for HIPAA violations.
“The American Hospital Association is pleased that the Office for Civil Rights has decided not to appeal the district court’s decision vacating the new rule adopted in its Online Tracking Technologies Bulletin,” said American Hospital Association (AHA) General Counsel, Chad Golder. “As the AHA repeatedly explained to OCR — both before and after OCR forced the AHA to file its lawsuit — this rule was a gross overreach by the federal government, imposed without any input from healthcare providers or the general public.” Golder went on to say, “Now that the Bulletin’s illegal rule has been vacated once and for all, hospitals can safely share reliable, accurate health care information with the communities they serve without the fear of federal civil and criminal penalties.”
August 29, 2024: OCR to Appeal District Court Ruling in AHA Tracking Technology Case
Last week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) filed a notice of appeal against the decision of a U.S. District Court judge in a lawsuit filed by the American Hospital Association (AHA) over OCR’s tracking technology guidance.
The lawsuit – American Hospital Association (AHA), et al. v. Xavier Becerra, et al. – alleged that the guidance issued by OCR on the use of tracking technologies such as pixels on the websites of hospitals and other HIPAA-covered entities was unlawful and that OCR exceeded its authority when issuing the guidance.
Tracking technologies are snippets of code that are added to websites to track users as they navigate the website. They are used to collect and analyze information about how users interact with websites, such as the pages they visit, the time spent on the site, how the user navigated to the website, and where they went when they left the website. The providers of these tracking tools, which include Meta and Google, are typically sent the data collected by their tracking tools.
The problem with these tools is that they may collect health information. That information could include details of appointments, health concerns, and other potentially sensitive data, which could be tied to an individual if they were signed in to their Google or Facebook account at the time, or via their IP address. Since the information can be tied to an individual, OCR considers that information individually identifiable health information (IIHI). In an OCR bulletin issued on December 1, 2022, OCR confirmed that the information collected via these tools is generally considered protected health information (PHI). As such, the third-party provider of the code would need to sign a business associate agreement or patient authorizations would be required prior to the use of those tools.
OCR updated its guidance on March 18, 2024, clarifying that not all information collected by these tools is PHI. OCR confirmed that for the information to be PHI, it must be related to an individual’s past, present, or future health, health care, or payment for health care, so the collection of an IP address and visit data may not necessarily make that information PHI.
The legality of the bulletin was challenged by the AHA and others, and a District Court judge for the Northern District of Texas sided with the plaintiffs and partially vacated OCR’s tracking technology guidance. The guidance was vacated to the extent it provides that HIPAA obligations are triggered in circumstances where an online technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or healthcare providers.
The ruling means an IP address combined with visit data from an unauthenticated web page does not constitute PHI; therefore, the tracking tools may be used. The ruling does not vacate other parts of the guidance. Tracking tools may not be used on authenticated webpages such as patient portals unless the disclosure of PHI is permitted by the HIPAA Privacy Rule and a valid business associate agreement is in place or authorizations have been obtained.
On June 26, 2024, OCR published a response to the decision on its website clarifying what the ruling means for covered entities. OCR also stated in that post that it is considering its next steps. OCR has now filed a notice of appeal indicating it is seeking to have the District Court’s decision overturned. The next step will likely be to file an opening brief in the U.S. Court of Appeals for the Fifth Circuit in which OCR will set forth its arguments as to why the Court’s decision should be overturned. Until there has been a ruling by the U.S. Court of Appeals overturning the District Court decision, the District Court ruling will remain in place.

