
Federal Court Declares Portions of HHS’s Website Tracking Technologies Guidance Unlawful

Posted on June 27, 2024 in Health Information Technology, Health Law News

Published by: Hall Render

On Thursday, June 20, 2024, the United States District Court for the Northern District of Texas (“the Court”) issued a ruling in a case that could have significant implications for enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The case, which was brought by the American Hospital Association (“AHA”), the Texas Hospital Association and two Texas-based health systems, challenged the validity of the Bulletin that the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued regarding the use of online tracking technologies by HIPAA-regulated entities. The Court ruled that HHS exceeded its statutory authority with respect to certain aspects of the Bulletin and granted the AHA’s request for declaratory judgment. The Court also granted, in part, the AHA’s request that the Bulletin be vacated. While many health care industry observers have declared the Bulletin dead, numerous questions remain to be answered before the full impact of the ruling can be known.

Background

OCR issued a Bulletin on December 1, 2022, in the context of media stories and regulatory investigations alleging that HIPAA-regulated entities were improperly disclosing protected health information (“PHI”) to third-party tracking technology vendors such as Google and Meta (Facebook) through the use of online tracking technologies on the regulated entities’ websites. The AHA filed a lawsuit against HHS seeking to enjoin the agency from enforcing the Bulletin and to obtain a declaratory judgment that IP addresses are not individually identifiable health information (“IIHI”) under HIPAA. On March 18, 2024, just before a significant filing deadline in the lawsuit, OCR updated the Bulletin to offer additional clarity to regulated entities and the public regarding the use of tracking technologies. Based on filings in that case, OCR believed that the changes to the Bulletin would resolve the matter and render further litigation unnecessary. However, the revisions did not have their intended effect, and the lawsuit continued.

The Court’s Ruling

On June 20, 2024, the Texas federal court issued a ruling on both parties’ motions for summary judgment, a procedure by which a court grants judgment as a matter of law when there is no genuine dispute as to the material facts of the case. HHS had moved for the Court to rule that it had not exceeded its statutory authority and to uphold the Bulletin. The AHA had moved for the Court to rule that HHS had exceeded its statutory authority and thus to vacate the Bulletin and enjoin HHS from enforcing it. The Court denied HHS’s motion and granted in part and denied in part the AHA’s motion.

The core of the Court’s ruling was its determination that HHS exceeded its statutory authority in the Bulletin when it stated that the combination of an individual’s IP address together with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers constitutes IIHI under HIPAA. The Court referred to that combination throughout the opinion as the “Proscribed Combination.” The Court was most troubled by the Bulletin’s reliance on the subjective intent of an individual webpage visitor as a determining factor in whether identifying information about that individual is IIHI. Essentially, the Court believed that HHS exceeded its authority by injecting a subjective intent element into the definition of IIHI, an element that is unknowable by the regulated entity and not contemplated by HIPAA. Accordingly, the Court declared that the Proscribed Combination is unlawful and was promulgated in clear excess of HHS’s authority under HIPAA.

As a result of this finding, the Court then turned to the proper remedy. The AHA had moved for the Court to vacate the Bulletin in its entirety and to enjoin HHS from enforcing it. However, the Court concluded that those remedies were not warranted and instead vacated only the Proscribed Combination from the Bulletin. The Court specifically noted that the vacatur was not intended to limit the other aspects of the Bulletin in any way.

Practical Takeaways

Despite the seemingly clear and narrow ruling by the Court, much uncertainty remains regarding the scope and impact of the ruling and the continued application of the Bulletin. Contrary to the wishful thinking that the Court’s ruling nullified the Bulletin in its entirety, there are many aspects of the Bulletin other than the Proscribed Combination that do not appear to be affected by the ruling and that would remain in effect. On its face, the Proscribed Combination only covers circumstances where the potentially identifiable information is an IP address and an individual is visiting an unauthenticated public webpage that addresses specific health conditions or health care providers. However, the Proscribed Combination is a core component of the Bulletin, and its removal raises several material questions regarding how OCR will apply the guidance in the future, including:

  • Will OCR apply the guidance to all unauthenticated webpages or only to certain types of unauthenticated webpages? For example, will webpages that perform functions that could more reasonably imply a user’s subjective intent, such as appointment scheduling pages, still be subject to the Bulletin?
  • Will the Bulletin still apply even on unauthenticated public webpages of a general nature when tracking technologies on those pages collect and transmit direct identifiers of an individual and not just an IP address?
  • Does the Court’s treatment of the individual identifiability of IP addresses weaken OCR’s ability to enforce the Bulletin in circumstances where an IP address is the only potential identifier involved, regardless of whether the webpage is authenticated or unauthenticated?
  • Will OCR retract the Bulletin and re-issue it with changes that are consistent with the Court’s ruling, or will it leave the Bulletin as is and leave interpretation to the regulated entities?
  • Will OCR appeal the Court’s decision and, if so, how should regulated entities interpret the Bulletin until all appeals are resolved?

Additionally, it is not clear whether this ruling will have any material impact on the hundreds of active class action cases that have been filed across the country against regulated entities by private-party plaintiffs. Since HIPAA does not have a private right of action, those cases do not bring claims for violating HIPAA per se, but rather seek damages for violations of other federal and state laws and for violations of common law privacy and negligence claims. Accordingly, while the Court’s ruling may help to back up certain arguments or drive new strategies, it likely will not serve as a basis for the broad dismissal of these cases.

Given the continuing uncertainty on this topic, until there are answers to these and other questions, regulated entities that have already taken steps to mitigate the risks presented by tracking technologies should not materially change their approach to compliance. Regulated entities that have not yet taken such steps should still make this one of their compliance priorities.
