Online Tracking in Healthcare: Court Sides with Hospitals in Dispute with HHS

On June 20, 2024, the Court issued its judgment in the American Hospital Association (AHA)’s case against the Department of Health and Human Services (HHS) concerning the use of third-party online tracking technologies on unauthenticated, public-facing webpages of healthcare providers. In doing so, it declared unlawful HHS’s attempt to subject such use to the requirements of the HIPAA Privacy Rule (the Rule) and vacated the relevant portion of HHS’s applicable Bulletin.

The AHA and its co-plaintiffs acknowledged that, as healthcare providers, they were required to protect the “privacy of people who seek care and healing” and were not allowed to “use or disclose protected health information” except as permitted by the Rule. They nonetheless filed suit, claiming that HHS had taken a position beyond the scope of the Rule in the specific instance of the above-mentioned use of third-party tracking technologies on unauthenticated public-facing webpages of healthcare providers.

TRACKING TECHNOLOGIES & THE PROSCRIBED COMBINATION

According to HHS, online tracking technologies “are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications.” To address their potential privacy risks, in December 2022, HHS had issued a Bulletin entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”

As mentioned above, the AHA, on behalf of its member hospitals, took issue with a specific portion of that Bulletin, which it labeled the Proscribed Combination. As stated throughout the case, including in the Court’s Opinion, the Proscribed Combination covers circumstances where “an online technology connects (1) an individual’s IP address with (2) a visit to [an Unauthenticated Public Webpage] addressing specific health conditions or healthcare providers.” Such circumstances are distinct from healthcare provider webpages that require patients to enter login information for user authentication.

POSITIONS OF THE PARTIES ON KEY POLICY & TECHNICAL ISSUES

Extent of Harm Resulting from Privacy Breaches

HHS

According to a legal brief filed by HHS, the potential harm resulting from privacy breaches can take the form of “unwanted intrusion, identity theft, and embarrassment,” which can be severe and impede the provision of health care. HHS takes the position that such potential harm warrants applying the HIPAA Privacy Rule’s requirements to an individual’s visit to unauthenticated public webpages of healthcare providers if the purpose of the visit is directly related to the individual’s own health as defined by the Rule.

AHA AND CO-PLAINTIFFS

The AHA and its co-plaintiffs note in their Complaint that as healthcare providers falling under the scope of the HIPAA Privacy Rule, their members must protect the “privacy of people who seek care and healing,” and “may not use or disclose protected health information” except as permitted by the regulations.

However, they claim that the visits to healthcare providers’ websites at issue fall outside the scope of the HIPAA Privacy Rule, and they take the position that the benefits of the positive uses of tracking tools, such as those set forth below, outweigh the possible harm.

Information Revealed During Visits to Unauthenticated Public Webpages: Metadata vs. Subjective Intent

HHS

After the lawsuit was filed, HHS issued a Revised Bulletin on the use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates and narrowed the scope of scenarios under which the HIPAA Privacy Rule would apply to the Proscribed Combination.

Specifically, it stated that among visits by individuals to unauthenticated public webpages of healthcare providers, only those directly related to an individual’s own health would be regulated. This included “an individual’s past, present, or future health, healthcare, or payment for healthcare.” In contrast, visits to pages of a general nature did not trigger the Rule.

AHA AND CO-PLAINTIFFS

AHA and its co-plaintiffs argued that such ‘subjective’ intent, that is, distinguishing a general-purpose visit from a visit directly related to one’s own health, is not readily determinable.

They stated in a brief filed with the Court on March 21, 2024, that from a technical standpoint, metadata is incapable of capturing such intent. More specifically, they stated that “the website metadata comprising the Proscribed Combination shows that the page owner ‘received’ ‘information’ revealing an identifiable individual visited a health-related page,” and that “that alone does not show why the individual visited the page and thus discloses nothing about the individual’s own health.”

They took the position that, rather than looking at the motivation of the visitor, the key test should be whether an individual actually “receives” information related to their health from the page they visited, as revealed by metadata. This was said to be particularly true because, under the statutory definition of IIHI (individually identifiable health information), there is an element requiring that the information relating to the individual be “created or received” by the covered entity.

Public’s Need for Accurate Health Information and Information for the Delivery of Healthcare

AHA AND CO-PLAINTIFFS

The AHA and its co-plaintiffs note in their Complaint that there is a “long honored balance HIPAA strikes,” and that specifically, the “privacy needs of people who seek care and healing” must be weighed against the need to share “accurate health information with the public” and combat health misinformation.

They claim that beneficial information-sharing efforts include the following, which rely on third-party technologies used to enhance websites:

  • Analytical tools that can convert web users’ interactions with hospital webpages into critical data, allowing them to “more effectively allocate their medical and other resources;”
  • Video technologies that help educate the community about particular health conditions, among other uses;
  • Translation technologies that help non-English speakers “access vital healthcare information;” and
  • Map and location technologies that provide better information about where healthcare services are available.

HHS

HHS acknowledged in its Revised Bulletin that insights gained by healthcare providers from tracking technologies “could be used in beneficial ways to help improve care or the patient experience, improve the utility of webpages and apps, or allocate resources.” HHS gives as an example that “hospitals might use data analytics to determine how many IP addresses accessed webpages providing information about COVID-19 vaccines or treatment in a particular area, which in turn could help the hospitals make decisions about how to allocate their medical and other resources.”

However, HHS emphasized the potential misuse of tracking technologies, giving the examples of misinformation, identity theft, stalking and harassment.

Ultimately, HHS posited that the potential harms from privacy violations outweighed the benefits when it came to visiting unauthenticated public webpages for health-related visits (as opposed to general visits).

Notably, HHS did not seek to prohibit the use of tracking technologies on unauthenticated public websites, but rather to ensure their safe use by applying the requirements of the HIPAA Privacy Rule, such as requiring third-party vendors to enter into Business Associate Agreements.

LEGAL ISSUES

The legal issues in this matter center on the scope of the HIPAA Privacy Rule, and whether the Bulletin and Revised Bulletin concerning online tracking technologies issued by HHS exceed the Rule’s proper scope. The issues asserted by the AHA and its co-plaintiffs in their Complaint are covered more fully in previous coverage by the Digital Law Group, as is the position provided by HHS in response.

COURT DECISION

On June 20, 2024, the Court issued a Final Judgment declaring the Proscribed Combination unlawful. More specifically, it found that the Proscribed Combination was “promulgated in excess of HHS’s authority” under HIPAA. As a result, it vacated the portion of the HHS Revised Bulletin on Online Tracking Technologies dated March 18, 2024, that had the Proscribed Combination as its subject matter.

In its related Opinion and Order of the same date, the Court explained that it disagreed with HHS’s position that the Revised Bulletin was a ‘policy statement’ that “merely reiterates the [HIPAA] Privacy Rule’s longstanding restrictions.” It found that, to the contrary, the Revised Bulletin adopted a “definitive interpretation of the IIHI definition that governs the scope of covered entities’ duties,” and created new legal rights and obligations. Most significantly, it noted that HHS had not previously issued a pronouncement concerning the Proscribed Combination.

Subsequent to the Court’s ruling, HHS updated its Bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates to reflect the June 20, 2024, order. As of this writing, the Bulletin also includes a note saying that “HHS is evaluating its next steps in light of that order.”
