Texas Judge Vacates OCR’s Website Tracking Technology Guidance
On Thursday, a federal judge in Texas ruled that the guidance issued by the HHS’ Office for Civil Rights on website tracking technologies was unlawful, finding that OCR overstepped its authority when it issued the guidance. The judge ruled that metadata collected from an unauthenticated web page does not qualify as individually identifiable health information when combined with an IP address.
In 2022, the extent to which hospitals and health systems used tracking technologies became clear, and OCR responded by issuing guidance on HIPAA and website tracking technologies in December 2022. These technologies, which include Meta Pixel code, are added to websites and provide beneficial functions; however, they also collect data on website users and transfer that information to third parties. The information collected may reveal diagnoses, reasons for appointments, health concerns, and other potentially sensitive information that can be tied to individuals by identifiers such as IP addresses. In the case of Meta Pixel code, collected data is sent to Meta (Facebook) and may be made available to third parties, allowing targeted ads to be served to individuals. Many website users were unaware that their actions on the websites were being tracked and their information was being transferred to third parties. Many lawsuits have since been filed against healthcare providers that used these technologies.
OCR’s guidance on HIPAA and website tracking technologies essentially banned these tools unless authorizations were obtained from patients or the providers of the tools signed a business associate agreement. Many providers of these tracking tools do not sign business associate agreements with HIPAA-regulated entities. The American Hospital Association (AHA), Texas Hospital Association, Texas Health Resources, and United Regional Health Care System disagreed with the guidance and argued that prohibiting the use of these tools – which are used by many businesses on their websites – would have a negative impact on the services hospitals could provide to patients, and that the ban was ultimately harmful to patients and communities.
After calling for OCR to retract the guidance, the hospital associations and health systems filed a lawsuit questioning the legality of the guidance. The legal action was supported by 17 state hospital associations and 30 hospitals and health systems. OCR’s position was that information collected on hospital websites was individually identifiable health information, and therefore covered by the HIPAA Rules, if it included identifying information such as IP addresses.
The lawsuit alleged that the guidance was “a gross overreach” by OCR and that it was issued without consultation with healthcare providers. Further, while OCR stated it was actively enforcing the guidance, the federal government’s own healthcare providers continued to use the tools on their own websites. The lawsuit asked the court to declare the guidance unlawful. In response to the lawsuit, OCR revised its guidance in March 2024, excluding certain types of website visits from meeting the criteria for disclosures prohibited by HIPAA. OCR’s position was largely unchanged, although it accepted that the guidance did not have the force and effect of law and was non-binding.
U.S. District Judge Mark Pittman agreed with the hospital groups that OCR had overstepped its authority when issuing the guidance, as OCR’s interpretation that individually identifiable health information included metadata from a user’s searches of a public website was not supported by law and the guidance “was promulgated in clear excess of HHS’s authority under HIPAA.”
The ruling vacates OCR’s March 2024 guidance on HIPAA and tracking technologies on unauthenticated web pages. “To hold otherwise would empower HHS and other executive entities to take increasingly expansive liberties with the finite authority granted to them. The Court is disinclined to set that precedent here,” wrote Judge Pittman in his ruling. Importantly, the ruling does not change OCR’s guidance on tracking technologies on authenticated web pages such as patient portals.
“For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text,’” said AHA General Counsel, Chad Golder. “As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.” OCR has yet to comment on the ruling.


