[author: Jane Anderson]
Report on Patient Privacy 24, no. 9 (September, 2024)
The HHS Office for Civil Rights (OCR) has abandoned its appeal of a federal judge’s ruling overturning OCR’s guidance prohibiting covered entities (CEs) and business associates (BAs) from using the web-tracking technologies known as pixels on their public-facing web pages.[1]
But OCR’s decision, which came in late August, doesn’t mean HIPAA-regulated entities now have a free pass to utilize pixels on their public-facing, unauthenticated websites. An attorney warned that OCR continues to closely scrutinize web tracker use.
“I don’t know if they’re going to completely abandon” the issue, explained Lynn Sessions, a partner with BakerHostetler. “We’ve got four clients that are subject to an investigation by the OCR relative to the use of tracking technologies, and at least thus far, we’ve not really seen [OCR’s] position change.”
It’s possible that OCR was waiting to see the outcome of the American Hospital Association (AHA) lawsuit to decide whether to change its position on the use of web-tracking technologies on public-facing websites, Sessions said. But she added that she continues to counsel clients to use pixels thoughtfully and eliminate any unnecessary web trackers from public pages.
Federal judge Mark Pittman ruled on June 20 in American Hospital Association et al. v. Xavier Becerra et al. that HHS had unlawfully exceeded “HIPAA’s unambiguous text” by prohibiting CEs and BAs from using web-tracking technologies on their public web pages.[2] In his ruling, Pittman granted a motion for summary judgment from the AHA, which had sued to vacate part of OCR’s most recent guidance on pixel use. The ruling impacts only public-facing web pages, where users do not need to log in to view content.
The judge—a former Texas Court of Appeals judge who was appointed by former President Donald Trump in 2019 to the District Court for the Northern District of Texas—strongly sided with AHA and its co-plaintiffs, which include Texas Hospital Association, Texas Health Resources and United Regional Health Care System, regarding web-tracking technology on public-facing web pages.
HHS filed a one-page notice of appeal on Aug. 19, stating that it would appeal Pittman’s decision to the U.S. Court of Appeals for the Fifth Circuit.[3] However, it filed another one-page notice on Aug. 29 saying that it was abandoning its appeal, which means Pittman’s decision stands.
OCR most likely filed the Aug. 19 notice of appeal to meet a court-imposed deadline and keep its options open on whether to appeal, but then ultimately determined that it would not appeal the original ruling, Sessions said. “What my litigation colleague said is, it’s not unusual for someone to file a notice of appeal and then make a decision that they’re not going to appeal it,” she said, adding, “I wouldn’t say it happens all the time, but it’s not unusual.”
Proscribed Combination Not IIHI
The case revolved around what AHA called the “proscribed combination,” which is AHA’s term for OCR’s ban on web trackers that link an individual’s IP address to a public web page addressing specific health concerns or specific providers.
OCR had argued that users could be identified by their IP address and that their searches and page views—potentially involving medical conditions and specific providers—therefore qualified as individually identifiable health information (IIHI) under HIPAA.
Hospitals argued—and Pittman ultimately agreed—that it’s generally not possible to determine why a specific person visited a particular web page. If the person’s motivation is not known, then the information the person accessed is not protected under HIPAA, Pittman said in his opinion.
In fact, Pittman argued that OCR’s original web-tracking technology guidance issued in December 2022 gave the definition of IIHI “a clandestine facelift” by including scenarios in which the CE could not know the intent of the person visiting the web page.[4] Doing so went beyond the definition of IIHI that the HIPAA statute originally laid out, Pittman wrote in his opinion.
The court’s ruling does not impact OCR’s policy for user-authenticated web pages, where a user has logged in and thus can be identified. The ruling also does not touch on any potential HIPAA privacy issues in mobile apps. In its lawsuit, AHA had asked only for web-tracking use on unauthenticated pages to be allowed.
As a result, the opinion in the case “was very narrow,” and applied only to what the court defined as the “proscribed combination,” Sessions said. “And so, the order vacated the OCR’s guidance relative to the proscribed combination. So that’s a pretty narrow use of the tracking technologies.”
However, OCR’s ban on the proscribed combination was significant because it impacted the use of Google Analytics, Sessions said. “Most of our clients were saying, ‘We have to use Google Analytics. We will have no visibility into what’s really going on with our website and how effective our website is if we don’t use Google.’”
The lawsuit was mainly designed to address the use of Google Analytics, Sessions said. “Most of the other tracking technology companies are willing to enter into business associate agreements. Google was not. Google did not consider [information gathered by Google Analytics] to be protected health information,” and the court ultimately agreed, she said.
Pittman clearly thought that OCR had overreached in its web-tracking technology guidance, Sessions said. “And my suspicion is, that’s probably part of who he is, as a judge. But we have found that anytime any entity ends up challenging the OCR [in court], they lose. If it goes to the courts, they lose. The courts see the Office for Civil Rights having a lot of overreach in this space.”
AHA Praises HHS Decision
AHA heralded HHS’ decision not to appeal. “As the AHA repeatedly explained to OCR—both before and after OCR forced the AHA to file its lawsuit—this rule was a gross overreach by the federal government, imposed without any input from health care providers or the general public. Now that [OCR’s pixel guidance] has been vacated once and for all, hospitals can safely share reliable, accurate health care information with the communities they serve without the fear of federal civil and criminal penalties.”
Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in the lawsuit.
Sessions said she was involved in the effort to sway OCR on pixel use prior to the lawsuit’s filing. “We were completely in support of the American Hospital Association’s position,” Sessions said. “Several of our clients that we’ve been working with, both on defending them in litigation as well as what I’ll call the regulatory aspects of this tracking technology issue, are very vocal and active members in the American Hospital Association.”
In fact, Sessions and two AHA members (Sessions called them “pretty formidable health systems, one from the East Coast and one from the West Coast”) met with OCR in summer 2023 to discuss the tracking technology issue. “They made their plea,” she said. “They were very brave to go, in my view, and they made their plea to the OCR to say, ‘Y’all got this wrong.’ [OCR] disagreed, and we got no relief.” That’s when AHA made the decision to file the lawsuit, Sessions said.
Based on the Texas opinion, OCR now would lose in court if it challenged a health system’s use of Google Analytics, Sessions said, adding, “That’s the wonderful value of the court’s opinion. But I don’t know that [OCR is] going to necessarily abandon the issue of the use of tracking technologies because it’s apparent to me that they are concerned about people’s privacy, and with what might be getting shared with various companies without having appropriate protections in place.”
Therefore, Sessions said, HIPAA-regulated organizations need to continue to be thoughtful and methodical in how they implement tracking technologies across their web pages.
Sessions said her firm is working with “roughly 100 health care entities that have reacted in a very, very positive way to the OCR guidance that came out in December 2022 and the additional guidance that came out this past spring.[5] They’re not looking at [the court ruling] and saying, ‘Oh, great, now we can just willy-nilly do whatever we want to do.’ They are being very thoughtful and considerate in how it is that they’re approaching their use of tracking technologies.”
These health systems have implemented governance that provides guard rails for the use of these technologies on their websites, Sessions said. She offered several recommendations for clients who want to implement tracking technologies.
“First, if you don’t need a certain technology on your website, take it off. Just don’t have a bunch of junk on there if you don’t need it,” she said. “Second, if you need it, then try to enter into a business associate agreement with the vendor, so that they also have the requirement that they have to protect your information.”
If the vendor of the technology won’t enter into a BA agreement, then Sessions recommended determining if the information that potentially would be transmitted meets the definition of the proscribed combination. “If it meets that definition, then you’re fine. If it doesn’t—if more than that is part of what’s being tracked—then that’s where I think you have the dilemma.”
Intermediary Platform May Help
One possible option involves companies that provide a service to “sit between you and the tracking technology companies and essentially anonymize the information before it goes to the tracking technology companies,” Sessions said. “We’ve seen a number of our clients that have moved to those types of platforms.” Still, she said, “It’s all contingent on how it is that you set it up, and what’s the level of protection they will enter into business associate agreements with you, which is kind of fundamental from a HIPAA perspective.”
To implement a successful approach, health care organizations need to make sure that their digital marketing team works in concert with their legal and privacy compliance teams, as well as their information security team, Sessions said. “You want to make sure that there are thoughtful decisions being made by the covered entity before things are getting placed on your website.”
Although the decision in American Hospital Association v. Becerra did not involve the Federal Trade Commission (FTC), it’s possible that the decision, plus the U.S. Supreme Court’s June decision in Loper Bright Enterprises v. Raimondo—which overturned the Chevron deference—could “put the FTC in a position to not be quite so aggressive as we would expect them to be” on web tracking technologies.
The 1984 Chevron deference required courts to defer to federal agencies in setting policy and crafting regulations when the authorizing federal legislation was ambiguous or left an administrative gap. Under Loper Bright, the courts now have the final say on how legislation should be implemented.
OCR worked closely with the FTC in warning various health care companies—some governed by HIPAA and others not—about the privacy risks involved in using tracking technologies, Sessions said. Although the AHA lawsuit “has zero bearing on the FTC—it doesn’t apply to them—to the extent that they take a similar position that the OCR has taken [on tracking technologies], it seems to me that that might be seen as government overreach, too.”
[1] Motion to Voluntarily Dismiss Appeal Under Federal Rule of Appellate Procedure 42(b), American Hospital Association et al. v. Xavier Becerra et al., United States District Court, Case No. 4:23-cv-01110-P (N.D. Tex. 2024), https://bit.ly/4egSg6s.
[2] Jane Anderson, “OCR Exceeded HIPAA Text in its Web-Tracking Ban, Judge Rules in Vacating HHS Public Pixel Policy,” Report on Patient Privacy 24, no. 6 (June 2024), https://bit.ly/45Z71YI.
[3] Notice of Appeal, American Hospital Association et al. v. Xavier Becerra et al., United States District Court, Case No. 4:23-cv-01110-P (N.D. Tex. 2024), https://bit.ly/3XyFPgy.
[4] Jane Anderson, “OCR Issues Guidance, Checklist on Web-Tracking Technologies,” Report on Patient Privacy 23, no. 1 (January 2023), https://bit.ly/3Pls690.
[5] Jane Anderson, “OCR Doubles Down on Pixel Ban, Offers Examples of Unlawfully Disclosed PHI,” Report on Patient Privacy 24, no. 4 (April 2024), https://bit.ly/4ezkNVE.