The American Hospital Association (AHA) is suing the federal government over the HHS Office for Civil Rights (OCR) position that online tracking technologies may violate HIPAA. The AHA claims that OCR’s December 2022 Bulletin regarding tracking technologies “upsets the balance that HIPAA strikes between privacy and information sharing.”
OCR issued the Bulletin to clarify how web trackers may violate the longstanding HIPAA Privacy Rule after the trackers caused a series of recent patient privacy violations.
During the eleven months since the Bulletin was issued, both sides have doubled down on their opposing positions. In May 2023, the AHA wrote a letter to OCR asking them to suspend the Bulletin. OCR responded in July with a letter to approximately 130 hospitals and telehealth providers warning them that the agency was “closely watching developments in this area.” The Federal Trade Commission (FTC), which regulates health privacy and consumer protection, joined OCR in the hospital letter.
The AHA lawsuit does not name the FTC as a defendant.
Web Trackers in Healthcare
Web trackers from companies like Google and Meta (Facebook & Instagram) are pervasive on the internet in search engines and websites, from libraries to social media to online shopping. Most websites’ privacy policies disclose to users that their data is shared, and when a user clicks the “I consent” button, they’ve granted permission to share their data. Personal data may then be shared with the tracking technology vendor (like Google or Meta) or with third-party advertisers for marketing purposes.
However, under HIPAA, protected health information (PHI) should not be used or disclosed to the vendor or third parties without the patient’s written specific authorization. The general consent to data sharing used by most non-HIPAA privacy policies does not meet HIPAA standards.
Protected Health Information Defined
Protected health information is any one piece of individually identifiable information linked to the provision of past, present, or future health care or payment for health care. Under HIPAA, there are 18 separate “identifiers”, including a name, address, email address, social security number or an IP address, among others.
AHA’s key issue is that it believes an IP address should not be considered an “individual identifier” within the HIPAA definition of PHI.
Curiously, the hospitals admit they want to collect and disclose patients’ email and IP addresses to third-party vendors because the vendors want this information. According to the complaint, hospitals are refraining from using tracking technologies on their websites because of the threat that OCR will enforce the Bulletin. (See Paragraph 47 of the complaint.)
Web Trackers Caused Huge Breaches
A few examples of health data breaches caused by web trackers recently include: Novant Health, Advocate Aurora Health, Cerebral Inc., and Monument, among others. Millions of patients have been affected.
OCR is investigating each of these.
The FTC has also pursued web tracking investigations, against GoodRx; BetterHelp; and Premom. Each of these companies serve individuals in healthcare, although none are considered HIPAA “covered entities” or “business associates”, so they are not regulated by OCR.
Private lawsuits are also gaining ground. On August 11, 2023 Advocate Aurora Health agreed to pay $12.25 million to settle class action claims that the Illinois-based hospital chain invaded patient privacy by using tracking technologies on its websites and patient portal. At least 50 other lawsuits have been filed between August 2022 and April 2023, according to a report from law firm BakerHostetler.
The Privacy Rule is Longstanding Law
Neither the HIPAA authorization requirement nor the Bulletin’s policies are new – the authorization requirement has been fundamental to HIPAA for over twenty years. The Bulletin simply explains how the 20-year old Privacy Rule applies to tracking technologies that were developed after the Privacy Rule was enacted.
OCR says in the Bulletin:
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”
The AHA Has an Uphill Battle
The outcome of the lawsuit is far from certain. AHA must convince the court that OCR’s Bulletin is an official “Rule” as defined by the Administrative Procedure Act, or the lawsuit faces dismissal.
OCR will point out that the Bulletin is not a Rule – it simply explains how tracking technologies may violate the Privacy Rule that’s been accepted law since 2003. OCR uses Bulletins and Guidance to underscore and clarify aspects of HIPAA to help regulated entities comply.
We will provide updates on the lawsuit’s progress as it moves forward.