AHA Files Suit Seeking to Preserve the Ability of Hospitals to Use Third Party Tracking Technologies on Public Webpages

The American Hospital Association (AHA) is challenging a healthcare data privacy Bulletin issued by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). The Bulletin in question prohibits HIPAA-regulated entities from using third-party tracking technologies on their webpages that “impermissibly disclose” Individually Identifiable Health Information, or IIHI, as part of a “Proscribed Combination.” The AHA defines the “Proscribed Combination” as occurring when “(1) an individual’s IP address [is combined] with (2) a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers.” On November 2, the AHA, together with the Texas Hospital Association and two Texas-based hospital systems, filed a complaint against HHS in the U.S. District Court for the Northern District of Texas.

The AHA and their co-plaintiffs are seeking the following relief:

  1. Setting aside the portion of the Bulletin as to the “Proscribed Combination”
  2. Declaratory judgment that the Proscribed Combination does not constitute IIHI
  3. Prevention of OCR enforcement of the Proscribed Combination as constituting IIHI

Background & Benefits of Third-Party Technologies according to Plaintiffs

The Complaint notes that as healthcare providers falling under the scope of the HIPAA Privacy Rule, the AHA and its co-plaintiffs must protect the “privacy of people who seek care and healing,” and “may not use or disclose protected health information” except as permitted by the regulations.

The Complaint also makes note of what it describes as a “long honored balance HIPAA strikes,” in light of the need to share “accurate health information with the public,” and combat health misinformation.

Among beneficial information-sharing efforts, the Complaint cites the following uses of third-party technologies used to enhance hospital websites:

  • Analytical tools that can convert web users’ interactions with hospital webpages into critical data, allowing them to “more effectively allocate their medical and other resources;”
  • Video technologies that help educate the community about particular health conditions, among other uses;
  • Translation technologies that help non-English speakers “access vital healthcare information;” and
  • Map and location technologies that provide better information about where healthcare services are available.

The Proscribed Combination & Potential Harm from Privacy Rule Violations

Because the Complaint alleges that such third-party technologies “typically rely on a visitor’s IP address to function,” it contends that the balance and beneficial information-sharing efforts described above are put at risk by OCR’s enforcement of the Proscribed Combination as IIHI.

As stated above, a “Proscribed Combination” is said to be the product of an Internet user connecting their IP address to Unauthenticated Public Webpages that address specific health conditions or healthcare providers, such webpages being ones that do not require an individual to “enter login information for user authentication.” (It can be noted that the Complaint does not take issue with instances when IP addresses connect to webpages that require user authentication.)

Examples of IIHI that have been cited by OCR include the following:

  • an individual’s medical record number;
  • home or email addresses; 
  • dates of healthcare appointments;
  • IP addresses; 
  • geographic location;
  • medical device IDs; and
  • any unique identifying codes.

Although it didn’t use the term itself, OCR first took the position that a Proscribed Combination constitutes IIHI in its December 2022 Bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”

There, it provided the example that even as to an Unauthenticated webpage of a regulated entity, if it addresses “specific symptoms of health conditions,” or “permits individuals to search for doctors or schedule appointments,” while using tracking technologies that can “collect an individual’s email address and/or IP address … to search for available appointments with a health care provider,” the HIPAA Rules apply. It also provided a similar example applicable to mobile apps.

The Bulletin describes tracking technologies as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app,” and noted the potential dangers resulting from breaches of the Privacy Rule, stating that an “impermissible disclosure of an individual’s [protected health information] not only violates the Privacy Rule but also may result in a wide range of additional harms to the individual or others,” such as “identity theft, financial loss, discrimination,” and even potentially physical harm.

Claims

The Complaint takes the position that the extension of the IIHI definition in the Bulletin to reach the Proscribed Combination is novel, that it changes healthcare providers’ obligations under the Privacy Rule, and that compliance has resulted in significant costs for hospitals and association members.

Under Count One, the plaintiffs take the position that the Bulletin’s rule exceeds the authority of OCR and is contrary to law. More specifically, it states that the statutory definition of IIHI confines it to information related to an individual’s “past, present, or future physical or mental health or condition,” receipt of healthcare, or payment for healthcare, while either identifying the individual or providing a reasonable basis to “believe that the information can be used to identify the individual.” According to the AHA, the Proscribed Combination does not satisfy this definition as it lacks a reasonable basis to identify an individual’s health-related visit to an Unauthenticated webpage. It also claims that First Amendment issues are raised by the rule.

Under Count Two of the Complaint, the plaintiffs allege that the rule constitutes arbitrary and capricious rulemaking under 5 U.S.C. § 706(2)(A), and that OCR “provided no reasoning for its assertion that the IIHI definition is satisfied by the Proscribed Combination, creating a novel rule with substantial consequences for regulated entities,

Under the Third Count, the Complaint alleges that OCR failed to undertake notice-and-comment rulemaking, as required by the Administrative Procedure Act (APA), and “promulgated [the rule] in a substantively and procedurally unlawful manner.”

Next steps

In an Order filed on December 11, 2023, the Court set the date for plaintiffs’ motion for summary judgment to be filed on or before January 5, 2024, which they have complied with.

The government’s opposition and cross-motion for summary judgment, which will shed further light on the government’s views and arguments, must be filed on or before January 30, 2024.

The outcome of this legal battle will likely have significant implications for how healthcare providers can use technology to share information with the public, setting an important precedent when it comes to data privacy in the healthcare industry.
