Healthcare
,
HIPAA/HITECH
,
Industry Specific
Agency Must Drop Updated Guidance Provisions Regarding Certain PHI ‘Combinations’
A Texas federal court ruled the U.S. Department of Health and Human Services overstepped its authority in guidance warning HIPAA regulated entities that it’s unlawful to use online tracking tools to capture IP addresses in visits to websites containing information about maladies.
See Also: OnDemand | Making the Connection Between Cybersecurity and Patient Care
The U.S. District Court for the Northern District of Texas Fort Worth Division on Thursday ruled that parts of HHS’ Office for Civil Rights guidance regarding the use of online trackers “was promulgated in clear excess of HHS’s authority under HIPAA.”
The court ruled that the Office for Civil Rights was wrong when it said that tracking technology capturing the IP address of a user’s device and matching it with a visit to a web page addressing specific health conditions or listing health care providers “is a sufficient combination of information to constitute individually identifiable health information.”
“The proscribed combination fails to improve current privacy protections while jeopardizing the dissemination of important healthcare information to the masses,” the court said.
The American Hospital Association, along with three other organizations, challenged the guidance in November (see: AHA Sues Feds Over Privacy Warning About Web Tracker Use).
The Texas court did not rule that all new guidance about web trackers is invalid, focusing on the combination of IP addresses and related identifiers combined with the intent of the website visitor.
The order to vacate the proscribed combination “is not intended to, and should not be construed as, limiting the legal operability of other guidance in the germane HHS document,” the court said.
Regulatory attorney Paul Hales of the Hales Law Group – who was not involved in the litigation – said the court’s “narrow remedy” is “very significant.”
“It only eliminates OCR’s guidance that collecting a visitor’s IP address on a hospital’s unauthenticated web page might result in a PHI disclosure that violates HIPAA. An unauthenticated web page does not require visitor login. The rest of OCR’s tracking tech guidance remains entirely intact.”
“The AHA prevailed but got nowhere near its requested result. OCR is only prevented from considering the acquisition of an IP address, by itself, from an unauthenticated web page to be a HIPAA violation,” he said.
Early Warning
HHS OCR first issued guidance in December 2022 to warn covered entities that the use of online trackers on their websites to collect and share with third parties individuals’ protected health information – including IP addresses – posed potential HIPAA violations (see: HHS Web Trackers in Patient Portals Violate HIPAA).
After AHA filed its lawsuit, HHS OCR revised that guidance in March, saying that the intention of the website visitor matters when determining whether the collection of an IP address or other identifiers is considered IIHI.
If an individual’s reason for visiting a healthcare entity’s website is related to the person’s personal healthcare – as opposed to seeking a job at the organization, for instance – then the IP address of that individual can become IIHI, HHS OCR said (see: Tracker Backtrack? Feds Revise HIPAA Guidance on Web Tools).
But the court ruled that the “proscribed combination” as set forth in the updated HHS OCR bulletin on March 18, “is unlawful, as it was promulgated in clear excess of HHS’s authority under HIPAA.”
“The ruling certainly does expose an overreach,” said privacy attorney Kirk Nahra of the law firm WilmerHale, who was not involved in the lawsuit.
“The initial guidance clearly had elements that could not be right – for example, someone who went to a hospital website to apply for a job does not expect to be a patient. The revised guidance drew lines about intent from an individual that a hospital could not possibly know,” he said.
“This guidance has always been a source of confusion and was not particularly helpful beyond encouraging hospitals to review their websites overall,” he said. “It was fair to identify this issue for hospitals in general. It did not seem appropriate to make a firm rule, especially one as broad as this or to take enforcement action based on any actions prior to this guidance,” he said.
HHS OCR issued its original online tracking guidance in December 2022, after the Supreme Court overturned Roe v. Wade in June 2022. The guidance came amid growing privacy concerns over sensitive personal and health information being collected and shared from health-related websites and mobile apps with third parties through the use of online trackers, such as Facebook Meta Pixel and Google Analytics.
Sensitive Issues
The use of web trackers on health-related websites is still fraught with controversy, some experts said.
Among other concerns, reproductive health and privacy experts have warned that law enforcement may attempt to collect information about abortions through digital footprints left online and in smartphones.
“This is a tenuous area with a variety of implications, especially as it relates to reproductive health and the various state laws post-Roe,” said regulatory attorney Rachel Rose, who is not involved in the litigation.
Entities considering the use of online trackers on health-related websites should proceed with caution, Rose said.
“The ingress and egress of PHI or significant components of identifiable information is required as part of a risk analysis,” she said.
“So, depending on what information is being extracted, how it is being utilized, and if there is a sales and marketing or other illegal use of it, then no, it is not OK. Internal analytics may be permissible, but a business associate agreement should be in place with Google or another data tracking company.”
Tech giant Meta faces a proposed consolidated federal class action lawsuit involving its use of Pixel in health-related websites (see: Judge Denies Meta’s 2nd Try to Dismiss Pixel Privacy Case).
Also, several large healthcare entities over the last two years, including Advocate Aurora Health and Community Health Network, have reported to HHS OCR large HIPAA breaches involving their previous use of web trackers.
In the meantime, the AHA views the Texas court’s ruling as a victory.
“For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities,” said Chad Golder, AHA general counsel, in a statement to Information Security Media Group.
“We regret that we were forced to sue OCR, but we are pleased that the court agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text,'” he said.
As a result of court’s decision, “hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate healthcare information,” Golder said.
HHS OCR did not immediately respond to ISMG’s request for comment on the ruling or on the agency’s next steps. HHS OCR can appeal the decision, Rose said.
Besides AHA, the other plaintiffs jointly filing the lawsuit against HHS OCR were Texas Hospital Association, Texas Health Resources and United Regional Health Care System.