On April 11, 2024, the American Hospital Association (AHA) and its Co-Plaintiffs responded to legal arguments by the U.S. Department of Health and Human Services (HHS) concerning certain restrictions on the use of third-party tracking technologies on hospital websites.
The response was contained in a brief filed in the federal case brought by the AHA on November 2, 2023, seeking the broader ability to use third-party tracking technologies on public-facing, unauthenticated web pages of hospitals and other healthcare providers.
CASE BACKGROUND
More specifically, the suit challenges a Bulletin issued by the HHS Office for Civil Rights (OCR) in December of 2022 and a subsequent Revision of the Bulletin that the AHA claims constitutes a new rule that exceeds the proper scope of the HIPAA Privacy Rule.
At issue is when an online technology connects an individual’s IP address with a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers, which the AHA refers to as the Proscribed Combination.
The AHA and HHS have taken different positions over whether and under what circumstances such a combination constitutes Individually Identifiable Health Information (IIHI) and thus would become subject to HIPAA’s restrictions.
COMPETING INTERESTS
The AHA has asserted that the third-party technologies in question allow beneficial information-sharing such as in the following instances:
- Analytical tools can convert web users’ interactions with hospital webpages into critical data, allowing them to “more effectively allocate their medical and other resources;”
- Video technologies help educate the community about particular health conditions, among other uses;
- Translation technologies help non-English speakers “access vital healthcare information;” and
- Map and location technologies can provide better information about where healthcare services are available.
HHS has stressed the potential dangers related to privacy breaches and has stated that an “impermissible disclosure of an individual’s [protected health information] not only violates the Privacy Rule but also may result in a wide range of additional harms to the individual or others,” such as “identity theft, financial loss, discrimination,” and even potentially physical harm.
METADATA v. “SUBJECTIVE INTENT”
In its brief filed on March 21, 2024, HHS had asserted that among the possible scenarios involving the Proscribed Combination, only those directly related to an individual’s own health would constitute IIHI and trigger restrictions. (More specifically, “an individual’s past, present or future health, healthcare, or payment for health care.”)
In contrast, it said, visits of a general nature are permissible under the Revised Bulletin: “the mere fact that an online tracking technology connects [an] IP address … with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination to constitute IIHI.”
In response, the AHA has now argued that it is not easy to determine whether an individual’s visit to a webpage was general in nature or related to their own health, because metadata is incapable of capturing such intent. It says that for this reason, a subjective standard has been created.
Its brief states that, at most, “the website metadata comprising the Proscribed Combination shows that the page owner ‘received’ ‘information’ revealing an identifiable individual visited a health-related page.” It further states that “that alone does not show why the individual visited the page and thus discloses nothing about the individual’s own health.”
The AHA argues that rather than look at the motivation of the visitor, the key test should be whether an individual actually “receives” information related to their health from the page as revealed by metadata.
It says that this is because under the statutory definition of IIHI there is an element requiring that the information relating to the individual be “created or received” by the covered entity. The reasoning here is that the metadata is capable of showing such receipt, while the subjective intent of an individual cannot.
According to the AHA, HHS provides no explanation as to how a visit to a health-related webpage becomes IIHI under an individual’s subjective reason for visiting the page, claiming that this is the “key interpretive issue.” The AHA’s brief states that HHS “offers no textual or other analysis of how ‘information’ that is concededly not IIHI … somehow becomes IIHI based on an extrinsic fact (the individual’s subjective reason for visiting the page) that the Revised Bulletin does not require covered entities to have ‘received’ at all.”
ADDITIONAL ARGUMENTS
In its brief, the AHA also argues that the use of a subjective standard would upset the balance struck by the HIPAA Privacy Rule, overemphasizing privacy while hindering the ability to share public health information. HHS has previously countered this argument by saying that even when the Privacy Rule is triggered, third parties providing technology for unauthenticated web pages are not prohibited from doing so; rather, they are simply required to enter into a business associate agreement with the healthcare provider and otherwise follow the requirements of the Rule.
The AHA’s brief also includes arguments based on legal procedure, such as whether the court has valid jurisdiction and, relatedly, whether the Bulletin constitutes a “final agency action,” which would require notice-and-comment rulemaking under the Administrative Procedure Act.
According to an Order of the Court, the Parties must submit a Joint Status Report on or before May 10, 2024, indicating whether “the Parties are still pursuing settlement of this case.”