AHA wins lawsuit against HHS over third-party web tracking
The case isn't about HIPAA, but about power, Texas judge rules.
Photo: Roberto Westbrook/Getty Images
The American Hospital Association, the Texas Hospital Association, Texas Health Resources and United Regional Health Care System have won their lawsuit against the Department of Health and Human Services over the use of third-party web-tracking technologies that capture user Internet Protocol (IP) addresses on public-facing webpages.
Judge Mark Pittman of the U.S. District Court for the Northern District of Texas on Thursday ruled in favor of the AHA and plaintiffs, agreeing that HHS' rules restricting such use is unlawful. Pittman vacated the rule HHS had issued in a March Revised Bulletin.
The bulletin, "was promulgated in clear excess of HHS's authority under HIPAA," Pittmas said. "But this case isn't really about HIPAA (the Health Insurance Portability and Accountability Act) ... Rather, this is a case about power. More precisely, it's a case about our nation's limits on executive power."
WHY THIS MATTERS
HHS said the revised March bulletin was consistent with HIPAA's definition of individually identifiable health information, or IIHI.
The Office of Civil Rights had received a surge of complaints from citizens concerned that unauthenticated public webpages, or UPWs, might disclose their individually identifiable health information. UPWs are those pages that do not require a log-in.
A provider can use a third-party technology vendor for its UPW. Many vendors use a page visitor's IP address to create a better user experience, such as using user location to populate a menu of nearby providers or to suggest clinics with lower wait times.
"Every click of the mouse or swipe of the phone thus increases the relevance of information the UPW provides," the court said
HHS issued guidance to privacy concerns starting in December 2022, adding information to the IIHI definition.
After the providers sued, HHS issued the revised bulletin that indicated information can become IIHI if the individual's reason for visiting the site is related to their personal healthcare.
The AHA contended the revised bulletin was still unlawful.
Pittman agreed. The revised bulletin does not change the legal question, he said. The bulletins improperly created substantive legal obligations for covered entities, he ruled.
THE LARGER TREND
The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, last November sued the federal government to bar enforcement of the rule that the plaintiffs said upended hospitals' and health systems' ability to share healthcare information with the communities they serve and analyze their own website traffic to enhance access to care and public health.
Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in this lawsuit.
ON THE RECORD
AHA general counsel Chad Golder stated, "For more than a year, the AHA has been telling the Office for Civil Rights that its 'Online Tracking Bulletin' was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have 'interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA's text.' As a result of today's decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate healthcare information."
Email the writer: SMorse@himss.org
The HIMSS AI in Healthcare Forum is scheduled to take place September 5-6 in Boston. Learn more and register.
