HIPAA Guidance Series: Tracking Guidance Update – AHA Lawsuit

The ongoing HIPAA online tracking guidance saga took a turn last week when a Texas judge issued a summary judgment in favor of the American Hospital Association declaring the guidance as unlawful and exceeding HHS’s authority.  

While some pundits are quick to believe that this is the end of the story, the answer might not be so simple.  

Healthcare organizations have been wrestling with HHS’s guidance on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates which was released in December 2022 and then updated in March 2024. For a more complete overview of the guidance, check out our series on this topic. 

At a high level, the most dramatic implications of the guidance were twofold: 

  • The combination of an IP address and the URL of a page relating to health information, such as a symptom, condition, search for a provider, or online appointment form, would be considered Individually Identifiable Health Information (IIHI)/Protected Health Information (PHI). The summary judgment refers to this IP/URL pair as the “Proscribed Combination.” 
  • Healthcare entities needed to treat any visit to their digital properties as related to the visitor’s past, present or future care. While HHS softened this language in the 2024 update to the guidance, the actions required to meet the standard did not change as a result. 

Overview of the summary judgment 

Much of the 31-page summary judgment wrestles with somewhat esoteric procedural issues surrounding the case, such as whether the plaintiffs have standing and whether such informal guidance documents are subject to judicial review. To sum it up: the judge explains that the case is valid, that he has the authority to act here, and that a summary judgment is warranted. 

In the end, the judge declared unlawful HHS’s position that the Proscribed Combination (IP address and URL) is IIHI, which effectively rolls back the guidance. 

What does this mean for healthcare organizations’ efforts to improve their privacy posture in response to the guidance? 

Healthcare organizations should not simply abandon the new tools and tactics they’ve adopted to better protect consumer privacy. Even with reduced regulatory risks, this event should act as a wake-up call for all of us to put consumer privacy first.  

There are a number of reasons to continue down the consumer privacy path: 

  1. It’s likely this isn’t the last we’ll hear about these issues from HHS. For starters, they have the option to appeal the judgment. And while the judgment rolls back the guidance, it denied the AHA’s request for a permanent injunction on this matter. So, the agency could pursue a set of rules similar to those imposed by the 2022 guidance by following a more appropriate rulemaking path (as we’ve always believed they should). We would expect this process to include a detailed explanation of the new rules and their legal obligations, an open comment period, and a timeline for implementation by Covered Entities and Business Associates.
  2. Regulatory compliance is only one of the risks healthcare organizations have faced on these issues, and it’s less clear if this decision will have much impact on the ever-growing list of class action suits claiming breaches of consumers’ health information. Many of these lawsuits were in the works prior to the 2022 guidance, so its revocation is no guarantee that they will also go away. Many of the class action suits also involve state privacy laws where the bar may be different than under current HIPAA legislation. 
  3. The judgment leaves open the potential that, in some circumstances, sharing data with non-HIPAA-compliant organizations from your web properties could still represent a breach under the HIPAA Privacy Rule. This could apply to some patient portals, for example, where online interactions are presumed to be for the logged-in individual. There are also less obvious scenarios that could prove problematic. The summary judgment cites the scenario where an organization “greets visitors with a dropdown box requesting their subjective motive for visiting the page”. While the summary judgment notes that this seems unlikely, this could be the case on websites that have a visitor survey or when the visitor selects their role (patient, caregiver, provider, jobseeker, etc.) from a list for the purpose of personalizing their online experience.  
  4. Lastly, protecting consumer privacy is important to all of us and a robust process to do so must be a priority going forward. 

Where does this leave us? 

Even if the guidance doesn’t re-emerge in some form, this has been an eye-opener for all of us due to the sheer amount of information being shared with third parties. We encourage you to proceed forward with the same level of caution and oversight that you’ve been applying to marketing technology decisions over the past year and a half: 

  • Continue to vet tools and vendors through your data governance and vendor assessment processes to understand what information they’re receiving and the strength of their regulatory compliance processes. 
  • Don’t make any knee-jerk moves when it comes to the changes you’ve made to improve compliance until we better understand what the status quo is likely to look like on these issues. 
  • Keep the dialogue going between marketing, IT, legal and compliance to clearly articulate your organization’s position related to these health consumer privacy issues. 

Geonetric will continue to share information and insights that you can use to help your organization make important HIPAA-related decisions. If you could use assistance regarding your organization’s compliance goals or how Geonetric Privacy Filter can help, reach out to our team today! 

I’m not a lawyer.
Geonetric is not a law firm.
I’m sharing my insights and advice but nothing that I share here should be considered legal advice.


Ben Dillon

Chief Executive Officer