In a recent court decision, the U.S. District Court for the Northern District of Texas decided that a part of the Health and Human Services (HHS) guidance on web-tracking was beyond what the law allows.
In a detailed ruling by the U.S. District Court for the Northern District of Texas, Judge Mark T. Pittman found that the HHS Office for Civil Rights had overstepped its legal boundaries. The case centered on a specific part of HHS's guidance concerning web-tracking technologies, introduced in December 2022 and later revised in March 2024.
This guidance tried to define when HIPAA rules would apply to the collection of IP addresses and visits to health-related public webpages, which the court deemed an unlawful expansion of HIPAA's definition of "individually identifiable health information." As a result, the court invalidated this part of the guidance on June 20, 2024, but affirmed that all other elements of the guidance remained valid. The decision indicates that HHS cannot enforce HIPAA rules in such narrowly defined scenarios, but it leaves room for HHS to adjust its guidelines in other areas not affected by this ruling.
On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to address the use of online tracking technologies by entities covered under HIPAA. This bulletin highlights the potential risks and legal requirements associated with using technologies like the Meta/Facebook pixel and Google Analytics, which can track and potentially expose personal health information without proper safeguards.
The OCR and the Federal Trade Commission (FTC) have pointed out that such practices could violate not only HIPAA rules but also the FTC Act and the FTC Health Breach Notification Rule. They have called on these entities to carefully review and enhance their data protection practices to prevent unauthorized disclosures and protect consumer privacy.
HHS has amended the guidance to state: “On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document. See Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024). Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in ‘circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.’ Id. at *2. HHS is evaluating its next steps in light of that order.”
The Office for Civil Rights is a part of the U.S. Department of Health and Human Services that enforces federal laws protecting individuals' rights to nondiscrimination and privacy.
The American Hospital Association is an organization that represents and serves all types of hospitals and healthcare networks in the United States.
Tracking technologies are tools like cookies, pixels, and mobile app trackers that collect data on how users interact with websites and applications.