Texas has ruled in favor of the American Hospital Association (AHA) and its co-plaintiffs, declaring that the Department of Health and Human Services (HHS) overstepped its authority by issuing unlawful "bulletins" restricting the use of standard third-party web technologies on healthcare providers' public-facing websites. This decision not only upholds the rights of hospitals and health systems to leverage data-driven tools but also serves as a powerful check on government overreach.
The case centered around HHS's attempt to limit healthcare providers' ability to utilize common online tracking technologies, such as those that capture IP addresses, on portions of their public-facing websites. The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, had filed a lawsuit challenging the legality of these HHS-imposed restrictions, which they argued were masquerading as mere guidance but effectively amounted to unlawful rules.
In his 30-page ruling, United States District Court Judge Mark Pittman unequivocally sided with the healthcare plaintiffs, stating that the HHS bulletins were promulgated in clear excess of the agency's authority under the Health Insurance Portability and Accountability Act (HIPAA). The judge emphasized that the case was not merely about "HIPAA compliance" or "the proper nomenclature for PHI in the digital age," but rather a fundamental issue of government overreach and the limits of agency power.
The dispute between the healthcare industry and HHS over online tracking technologies had been simmering for over a year. In March 2024, HHS's Office for Civil Rights (OCR) issued updated guidance for HIPAA-covered entities and business associates on the use of these technologies, which the AHA had contended was still unlawful. The association argued that the HHS bulletins had upended hospitals' and health systems' ability to share health information with their communities and analyze their website traffic to enhance access to care and public health.
At the heart of the matter was the HHS's attempt to restrict healthcare providers from using standard third-party web technologies that capture IP addresses on portions of their public-facing websites. The agency claimed that these technologies could potentially expose protected health information (PHI) and thus violate HIPAA's privacy and security requirements.
However, the court rejected this argument, stating that the "Proscribed Combination" (the HHS term for the use of these technologies) was not a trivial matter for covered entities diligently attempting to comply with HIPAA. The judge stated that while the issue may have seemed esoteric to HHS, it was a big concern for healthcare providers seeking to serve their communities effectively.
AHA General Counsel Chad Golder expressed the association's satisfaction with the court's decision, stating, "For more than a year, the AHA has been telling the Office for Civil Rights that its 'Online Tracking Bulletin' was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have 'interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA's text.'"
This ruling has far-reaching implications for the healthcare industry, by striking down HHS's unlawful restrictions on online tracking technologies, the court has:
The court's ruling represents a victory for healthcare providers, who have long advocated for their right to use necessary data-driven tools to better serve their communities. The decision also serves as a broader check on government overreach, proving the necessity of maintaining a balance between regulatory authority and the practical needs of the healthcare sector.