Hospitals care about patient privacy, but they also have to connect with the public. In the real world, people mostly connect online. Having a fully functional online presence often requires help from third parties. For hospitals, this includes everything from publishing research to providing driving directions to letting the public know when COVID-19 vaccinations are available. But hospitals have faced a blizzard of class action lawsuits and regulatory inquiries for using commonplace third-party technology on public websites, including cookies and pixels from Meta (formerly Facebook) and Google. In December 2022, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued a bulletin that poured fuel all over this firestorm.

Background

Holland & Knight previously analyzed the HHS bulletin on the use of online tracking technologies by Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates, highlighting many questionable positions taken by OCR and the potential for serious unintended consequences. (See Holland & Knight's previous alert, "HHS Offers HIPAA Guidance on Online Tracking Technologies," Dec. 2, 2022.) Additionally, Holland & Knight partnered with J.S. Held to discuss the bulletin further in a Nov. 3, 2023, podcast.

Since the bulletin was issued, the American Hospital Association (AHA) has been a vocal critic. In May 2023, it sent a letter to OCR on the HIPAA privacy rule and online tracking guidance urging OCR to suspend or amend the bulletin, noting "the Online Tracking Guidance errs by defining PHI too broadly …. As a result, the guidance will inadvertently impair access to credible health information." But in July 2023, OCR and the Federal Trade Commission (FTC) sent warning letters to 130 hospitals that use third-party tracking technology, seeming to double down on its aggressive positions in the bulletin. AHA wrote to the Senate Committee on Health, Education, Labor and Pensions in September 2023 asserting that "Congress should urge OCR to withdraw the rule immediately." However, there has been no congressional action to date.

Bringing Suit

On Nov. 2, 2023, the AHA and Texas Hospital Association, along with Texas Health Resources and United Regional Health Care System, brought a lawsuit against the HHS secretary and OCR director in Texas federal court. The lawsuit details the many ways that hospitals use third-party technology for important functions, including data analytics, video technologies, translation technologies, and map and location technologies. The plaintiffs claim that the bulletin improperly imposes HIPAA restrictions on all such technologies even when all that is passed to a third party is the IP address of the browser's computer – and in many circumstances where the browser is not a patient.

"For example, if a public-health researcher used her personal computer to search a hospital's webpage for the availability of dialysis appointments, the technology's combination of (1) the researcher's IP address and (2) the visit to a page addressing dialysis appointments would, according to the Bulletin, be subject to HIPAA's requirements. So too if the technology combined (1) the IP address of an individual who used his personal computer on behalf of an elderly neighbor (2) to read a hospital's webpage with information about the onset of Alzheimer's disease." Complaint, para. 8.

The plaintiffs point to a number of instances where the federal government uses the same third-party technology against which the bulletin warns. For example, "among other technologies, third-party analytics and advertising tools are present on Veterans Health Administration webpages addressing specific health conditions and healthcare providers, including but not limited to a page describing the symptoms of post-traumatic stress disorder and pointing veterans to treatment resources." Complaint, para. 9.

Fundamentally, the complaint argues that the bulletin exceeds the defendants' authority and was issued in an arbitrary and capricious manner without appropriate notice and comment. "Plaintiffs challenge only the Bulletin's rule treating as [individually identifiable health information or "IIHI"], the Proscribed Combination – i.e., where an online technology connects (1) an individual's IP address with (2) a visit to a publicly accessible webpage that does not require or request login information for user authentication (an Unauthenticated Public Webpage) and that addresses specific health conditions or healthcare providers … They do not challenge the Bulletin's application to patient portals or other password-protected areas of a hospital's website." Complaint, para. 40.

The plaintiffs seek, among other remedies, that "(1) That the Bulletin be set aside insofar as it provides that the Proscribed Combination is IIHI; (2) Declaratory judgment that the Proscribed Combination does not constitute IIHI under the statutory and regulatory definition; [and] (3) Permanent injunctive relief enjoining OCR from enforcing against the Hospitals and the Associations' other members the rule in the Bulletin that the Proscribed Combination is IIHI." Complaint, Prayer for Relief.

Conclusion

Though the lawsuit is a welcome development for many hospitals, even if it succeeds, it will not immediately moot the hundreds of class action lawsuits that hospitals have faced regarding website privacy over the last year. Because HIPAA has no private right of action, those class action lawsuits were brought under state wiretapping and consumer protection laws. Nevertheless, bringing a dose of reality and reason to HIPAA's treatment of websites is expected to be a move in the right direction.