Federal Court Vacates Part of OCR’s Guidance on Online Tracking Technologies
On June 20, 2024, a federal judge for the Northern District of Texas ruled that the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) overstepped its authority under the Health Insurance Portability and Accountability Act (HIPAA) in determining that the use of certain online tracking technologies could violate the HIPAA privacy regulations (the Privacy Rule). In his detailed (and entertaining) opinion, U.S. District Judge Mark T. Pittman found that OCR erred in declaring, in guidance under the Privacy Rule (the Guidance), that information collected during a visit to a HIPAA-regulated entity’s unauthenticated public webpages (UPWs)[1] is “individually identifiable health information” (IIHI) under the HIPAA Privacy Rule. The judge reasoned that, even when such information is combined with the IP address of the website visitor, that combination of information does not constitute IIHI as defined in HIPAA. As a result, the judge vacated the portion of OCR’s Guidance that treats that combination of information (the Proscribed Combination) as IIHI subject to HIPAA. The judge did not, however, vacate any other portion of the Guidance.
Judge Pittman’s decision is a significant indication of the limits that the law may place on the scope of terms such as “individually identifiable information,” “personally identifiable information,” or “personal information” in relation to data collected from and concerning online activity. Beyond the HIPAA Privacy Rule, these terms have great significance for requirements and liability under a variety of privacy and data security laws. Judge Pittman’s reasoning (described further below) may resonate with other courts that are grappling with claims against numerous types of defendants regarding the collection and sharing of online tracking information, including under anti-wiretapping and other privacy-related statutes.
Background
The case before Judge Pittman was brought by the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and the United Regional Health Care System (Plaintiffs) challenging OCR’s authority to issue the Guidance and to enforce the Privacy Rule based on the Guidance. Such enforcement was a cognizable threat because six months after issuing the Guidance in its initial form in December 2022 (the Original Bulletin), OCR and the Federal Trade Commission sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other companies in the health care industry to warn of the “serious privacy and security risks” associated with the collection of information from online tracking technologies integrated into their websites and mobile apps.
In the Original Bulletin, OCR warned that entities regulated by HIPAA would violate the Privacy Rule if they were to disclose information collected by online tracking tools on health-related UPWs to third parties if such disclosure were not authorized by the Privacy Rule for IIHI — for example, if they were to disclose UPW visit information for marketing purposes without an authorization from the UPW visitor. As the Plaintiffs explained in their complaint: “OCR took the position that when an online technology connects (1) an individual’s IP address with (2) a visit to an Unauthenticated Public Webpage that addresses specific health conditions or health care providers, that combination of information (the Proscribed Combination) is subject to restrictions on use and disclosure under HIPAA.”
Although the arguments in the case involved a number of procedural and jurisdictional issues, the gist of Plaintiffs’ claims was that the Guidance’s characterization of the “Proscribed Combination” as “IIHI” was at odds both with the definition of that term in HIPAA itself (42 U.S.C. § 1320d) and with OCR’s own definition of the term in the Privacy Rule (45 C.F.R. § 160.103), and thus void of legal authority.
Case Proceedings; Court Decision and Legal Reasoning
Following initial briefing before Judge Pittman, both parties moved for summary judgment. Mere days before the brief in support of OCR’s motion was due, on March 18, 2024, OCR issued a revised version of the Guidance (the Revised Bulletin) to recharacterize, or clarify, its legal status. As stated in the Revised Bulletin, the Guidance was not “meant to bind the public in any way” and was not intended to “have the force and effect of law.” Thus, OCR took the position that the court lacked jurisdiction because the Bulletin did not constitute a “final agency action” subject to judicial review.
The Revised Bulletin also included certain modifications from the Original Bulletin that would appear responsive to the Plaintiffs’ challenge to OCR’s characterization of the Proscribed Combination as IIHI. The Plaintiffs had argued that, even assuming that an IP address of a visitor to a health-related webpage could reasonably be associated with a particular individual, the Proscribed Combination could not indicate that individual visited the page in connection with his or her own health, health care, or payment for health care. “For example, the visit may have occurred due to academic or journalistic research on a health condition or area provider capacity, general curiosity about something in the news, or just an accidental click on a web link.” Under HIPAA, however, IIHI is information identifiable to an individual that relates to that individual’s health. Therefore, the Plaintiffs argued, OCR’s categorical characterization of the Proscribed Combination as IIHI lacked factual and legal grounds.
In the Revised Bulletin, OCR newly suggested that user information collected on UPWs can become IIHI if the individual’s reason for visiting such webpages relates to their personal health care. Judge Pittman found this revision unpersuasive for purposes of OCR’s defense of the Guidance. As he reasoned, by adding a subjective analysis component related to the “purpose and intent” of a website visitor, the Revised Bulletin offered no way for regulated entities to determine whether information collected by tracking tools was IIHI, because there is no practical way to determine the purpose or intent of an unauthenticated website visitor or whether such visitor’s UPW use related to the individual’s health care.
“In theory,” Judge Pittman reasoned, “a third party could connect the dots between a person’s IP address and the searches the individual performed: if an IP address corresponds to Person A, and Person A looks up the symptoms of Condition B, one might conclude Person A has Condition B.” However, even if information collected through a UPW’s tracking technologies could identify a particular individual, “[t]hat information cannot become IIHI based solely on the visitors’ subjective motive for visiting the page.” Rather, to fall within the definition of IIHI, “there must be at least a reasonable basis to believe that the Proscribed Combination could identify ‘the individual’ whose health, healthcare, or payment for healthcare actually ‘relates to’ the webpage visit. But there is no basis to believe that, and the Bulletin provides none.”
Therefore, the court held that the Proscribed Combination falls outside the statutory definition of IIHI.
However, the court denied the Plaintiffs’ request for an injunction to permanently block OCR’s enforcement of the Guidance, reasoning that vacating only the relevant portion of the Guidance was the most appropriate form of redress because courts must always consider the “least severe” equitable remedy to resolve a plaintiff’s injury. In addition, the court found that the Plaintiffs had failed to show that they adequately exhausted all other available remedies.
Key Points and Future Considerations
- Impact on HIPAA Privacy Rule Enforcement — While the court’s ruling in this case presents itself as a “win” for HIPAA-regulated entities, the Guidance remains intact insofar as it applies to the use and disclosure of information collected from tracking technologies on authenticated portions of a website, and such use and disclosure therefore still entails risk. HIPAA-regulated entities should continue to monitor and audit the types of information collected through tracking technologies on their websites and online platforms, including patient portals or any other portion of a webpage that requires authenticated access, and scrutinize any related disclosures of such information to vendors or other third parties used for implementing website tracking technologies.
- Impact on Class Actions Against Providers for Information-Collection and Disclosure Through Tracking Technologies — Whether this decision will have any impact on lawsuits filed or the litigation posture of any current lawsuits against health care providers is unclear. There is no private right of action under HIPAA, and the court’s reasoning in this case may or may not influence legal interpretations of “individually identifiable information,” “personal information,” or similar terms under other laws. The court’s reasoning also may or may not influence whether the Proscribed Combination is a violation of other laws, such as state consumer protection laws. Regardless, obtaining consent to collect, use, and disclose information through tracking technologies, even on unauthenticated websites, may reduce litigation risks.
- State Privacy Laws and the Federal Trade Commission (FTC) Act — Also separate from HIPAA, state privacy laws and the FTC’s recently revised Health Breach Notification Rule (HBNR) create risk with respect to tracking the visits of individuals to health-related websites. As we have described in previous publications, the FTC has aggressively used its authority, under both the FTC Act and the HBNR, to take enforcement actions against entities such as GoodRx, BetterHelp, Monument, and Cerebral for disclosing to third parties sensitive health information collected online.
- Further Actions by OCR — The limited remedy from the court in this opinion leaves open possible reinterpretations of the Privacy Rule’s application to information collected through online tracking technologies. While the court found the Proscribed Combination fell outside the statutory definition of IIHI, it denied the Plaintiffs’ request for a permanent injunction, which means OCR may still seek endorsement of its interpretation of the Proscribed Combination as IIHI in other circuits.[2] Moreover, OCR could further revise the Guidance or appeal this decision.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.