In American Hospital Association et al. v. Becerra, the US District Court for the Northern District of Texas ruled that the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) acted “in clear excess of HHS’s authority under HIPAA” in promulgating guidance that applied the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to third-party online tracking technologies used by hospitals.

Background

The case originates from an HHS OCR Bulletin, published on December 1, 2022, and updated on March 18, 2024. In it, HHS OCR warns that when an online technology connects (1) an individual’s IP address with (2) a visit to an unauthenticated public webpage that addresses specific health conditions or healthcare providers, that combination of information (defined in the Opinion as the “Proscribed Combination”) is subject to restrictions on use and disclosure of individually identifiable health information (IIHI) under HIPAA. Read additional information on the HHS OCR Bulletin.

Emphasizing the risks concerning such technologies, on July 20, 2023, HHS OCR and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospital systems and telehealth providers warning them of their obligations to comply with the HIPAA rules when using tracking technology. A corresponding press release also confirmed HHS OCR’s “active investigations nationwide to ensure compliance with HIPAA.”

Describing the Bulletin as “a new mandate that healthcare providers must follow on pain of serious civil penalties,” issued without notice-and-comment rulemaking, Plaintiffs filed a complaint with the US District Court for the Northern District of Texas on November 2, 2023, to stop enforcement of the Bulletin. Importantly, the Complaint did not challenge (nor did the Court address) the Bulletin’s guidance on “patient portals or other password-protected areas of a hospital’s website.” These aspects remain intact and continue unchanged.

The Court’s decision

In an attempt to render further litigation unnecessary, HHS OCR released an updated Bulletin on March 18, 2024 (Revised Bulletin). Finding the Revised Bulletin did not materially change HHS OCR’s interpretation and enforcement of the Proscribed Combination, the Court concluded that the Revised Bulletin “only compounds the conundrum for covered entities.” In granting Plaintiffs’ request for declaratory relief, the Court ruled that the inclusion of the Proscribed Combination within the definition of IIHI “facially exceeds HIPAA’s unambiguous text” and ordered HHS OCR to vacate the guidance on third-party tracking technologies. The vacatur is nationwide.

What’s next?

A note on the HHS Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates webpage says “HHS is evaluating its next steps in light of that [Court] order.” Thus, HHS could appeal the decision of the US District Court for the Northern District of Texas and/or continue to bring enforcement actions against hospitals using web-based tracking technologies in other federal district courts, alone or in concert with the FTC and/or state authorities. Any attempt to remedy the guidance via notice-and-comment rulemaking may face additional hurdles in light of the Supreme Court’s striking down of Chevron deference in the June 28, 2024, Loper Bright Enterprises v. Raimondo decision. Read additional information on the Loper decision.

Our team of experienced lawyers and professionals at Norton Rose Fulbright will continue to closely monitor new guidance, enforcement actions by HHS OCR and litigation relating to third-party online tracking technologies used by hospitals. If you have any questions concerning hospital compliance when using tracking technologies, please do not hesitate to contact us.


