A Texas federal judge made a decision that the guidance set by the HHS’ Office for Civil Rights about website tracking technologies was illegal, stating that OCR went beyond its authority when it released the guidance. According to the judge, metadata obtained from an unauthenticated website is not considered individually identifiable health information if combined with an IP address.
In December 2022, OCR clarified to hospitals and health systems the scope of using tracking technologies by providing guidance about HIPAA and website tracking technologies. The use of these technologies, including Meta Pixel code, on websites provides useful features; but they also gather information from website users and transmit that data to third parties. The data obtained may disclose diagnoses, appointment details, health issues, and other possibly sensitive data that can be linked to people by identifiers like IP addresses. Regarding the Meta pixel code, the obtained information is transmitted to Meta (Facebook) and might be shared with third parties, enabling the serving of targeted ads to individuals. A lot of website users do not know that their activities on websites were monitored and their data were transmitted to third parties. A lot of healthcare providers are facing lawsuits for using these technologies.
OCR’s information on HIPAA and website tracking technologies prohibited these technologies except if authorizations were acquired from patients or the vendors of the technologies signed a business associate agreement (BAA). A lot of vendors of these tracking tools never sign business associate agreements with HIPAA-covered entities. The Texas Hospital Association, Texas Health Resources, American Hospital Association (AHA), and United Regional Health Care System did not agree with the guidance and contended that banning the use of these technologies that are used by many organizations on their webpages would negatively affect the services provided by hospitals to patients. The restriction was in the long run risky to patients and the public.
After asking OCR to withdraw the guidance, the health systems and hospital associations filed a legal action doubting the lawfulness of the guidance. 30 hospitals and health systems and 17 state hospital associations supported the legal action. OCR stated that data obtained from hospital web pages was individually identifiable health information, which is regulated by the HIPAA when it is part of identifying data like IP addresses.
According to the lawsuit, OCR overreached and issued the guidance without consulting healthcare organizations. Moreover, although OCR claimed it was actively implementing the guidance, the government’s own healthcare companies still used the tracking tools on their web pages. The lawsuit wants the court to state that the guidance is not lawful. Because of the lawsuit, OCR modified its guidance in March 2024, taking out selected types of site visits from the prohibition by HIPAA even though OCR did not change its position, it recognized that the guidance lacked the force of law.
U.S. District Judge Mark Pittman sided with the hospital groups about the overreach of OCR concerning its authority on making the guidance. OCR’s inclusion of metadata from a user’s searches of a public website as individually identifiable health information was not backed by law. The guidance was enacted beyond HHS’s authority according to HIPAA.
The judgment nullifies OCR’s March 2024 guidance about HIPAA and tracking technologies on unauthenticated web pages. However, the decision doesn’t change OCR’s guidance regarding tracking technologies on authenticated websites like patient portals. Due to the ruling, hospitals and health systems can again use technologies that give their communities trusted, accurate medical data.