Federal District Court Casts Doubt on HHS HIPAA Tracking Technology Guidance
The U.S. District Court for the Northern District of Texas ruled that HHS's December 1, 2022, guidance applying HIPAA to online tracking technologies is unlawful with respect to its treatment of certain combinations of website data as protected health information (PHI). After this original guidance was challenged in court, HHS issued revised guidance on March 18, 2024. The revisions, however, left regulated entities with the seemingly impossible task of distinguishing between what is and what is not a disclosure of PHI subject to HIPAA based on a website visitor's intent. In its opinion, the court focuses on the "Proscribed Combination" of (1) connecting an individual's IP address with (2) a visit to a health care provider's unauthenticated public webpage (i.e., no login or user verification required) addressing specific health conditions or listing health care providers. Upon review of both the original and revised guidance, the court ruled that a portion of the guidance was unlawful because its inclusion of the Proscribed Combination within the definition of individually identifiable health information (IIHI) "facially violates HIPAA's unambiguous definition of IIHI."[1]
HHS Tracking Technology Guidance
The original and revised guidance by HHS sought to address the potential for impermissible uses and disclosures of PHI included in the wide spectrum of user information generated by health care websites. Health care websites may generate information that is clearly not PHI (like an employment inquiry) as well as information that definitively identifies someone as a patient, such as appointment scheduling or a patient portal login (which would be considered PHI). These issues are left untouched by the district court opinion.
The guidance also sought to address the gray area where user information indicates that someone may be a patient or may be looking for specific health care services. The guidance stated:
Tracking technologies on many unauthenticated webpages do not have access to individuals' PHI; in this case, a regulated entity's use of such tracking technologies is not regulated by the HIPAA Rules. However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities' use of tracking technologies and disclosures to the tracking technology vendors.
The guidance included the following examples implying that the individual user's subjective intent in accessing the page would impact the determination of whether the information generated from that visit amounted to PHI:
- For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital's webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
- However, if an individual were looking at a hospital's webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual's IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual's health or future health care.
Impact of the Court's Decision
In the court's interpretation of the HIPAA statute, the "IIHI definition explicitly states the PHI in question must 'relate[] to' a listed category of information. … Thus, without knowing a particular query relates to a category of information [covered by HIPAA], metadata from a [unauthenticated public webpage] search cannot constitute IIHI." The federal district court took issue with the guidance because, in its view, "the Proscribed Combination could never fit HIPAA's definition of IIHI. … Without knowing information that's never received—i.e., the visitor's subjective motive—the resulting metadata could never identify that individual's PHI. Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B)."
Federal district court decisions are not binding on other federal district courts or on federal courts of appeals, and it remains to be seen whether HHS will appeal this decision. When a federal district court held a portion of HHS's HIPAA right-of-access guidance to be unlawful in Ciox Health v. Azar, HHS responded by revising its guidance to state that the guidance remains in effect only to the extent that it is consistent with the court's order. HHS further stated that any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
HHS may make a similar change to the guidance on online tracking technologies if it does not appeal the court's decision. Until HHS issues such a revision or we learn that HHS has appealed the decision, the national impact of the court's decision remains uncertain.
Next Steps for HIPAA Regulated Entities
The court's decision potentially moves the needle on what website information may be disclosed under HIPAA. With that in mind, we have included a few tips below:
- Security Rule Risk Analysis. HHS stated in its revised guidance that its enforcement priority would be cases in which regulated entities failed to include website PHI in their Security Rule risk analyses. HHS may be more likely to focus its enforcement efforts on cases involving information that is unambiguously PHI. Regulated entities should verify that information collected, used, or disclosed via their websites is included in their regular security risk analyses.
- Vendor Agreements. Regulated entities should evaluate the type of information being processed through their websites and review agreements with vendors to determine whether a business associate agreement may be required.
- Other Website Information. The court's decision holds that a user's IP address and a visit to an unauthenticated webpage addressing specific health conditions or listing health care providers is not IIHI or PHI under HIPAA. Other combinations of information on authenticated or unauthenticated pages, however, still may constitute PHI that is subject to HIPAA, such as information that definitively indicates that someone is or was a patient.
- Non-HIPAA Risks Remain. The decision does not prevent the plaintiffs' bar or other regulators (such as the FTC) from claiming that disclosure of sensitive data through a website violates a law other than HIPAA. Further, state privacy laws, such as Washington state's My Health My Data Act and the California Consumer Privacy Act, will likely have a significant impact on the use or disclosure of information from websites. HHS's guidance raised awareness of the potential for health care providers to violate HIPAA through their website practices, but the greater risk has always been elsewhere, such as the potential for a large class action suit over website practices. So, health care providers still must recognize that any disclosure of potentially sensitive information from their website remains a high risk.
We will continue to monitor this case and guidance. If you have questions or need additional assistance, please contact the authors or the DWT attorney with whom you normally work.
[1] HIPAA defines IIHI as information that (1) "relates to" an individual's health care and (2) "identifies the individual" or provides "a reasonable basis to believe that the information can be used to identify the individual." 45 C.F.R. § 160.103.