Court Rebukes HHS, Ruling it Over-Reached with HIPAA and New Edicts on Tracking Technology


The Department of Health and Human Services (HHS) issued a guidance document called the Online Tracking Bulletin. It then revised that document. The American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued in November 2023, arguing that HHS over-reached and that the bulletin was unlawful.

This was not a trivial case. 

Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting the plaintiffs in this lawsuit. 

The HHS bulletin and its revised iteration apparently restricted health care providers from using standard third-party web technologies that capture IP addresses on portions of their public-facing webpages. Judge Mark Pittman of the US District Court for the Northern District of Texas, Fort Worth Division, wrote:

It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance. But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power. More precisely, it’s a case about our nation’s limits on executive power. In the grand scheme, the Revised Bulletin is one small guidance document among countless others issued by HHS and other executive entities. But a wise Man once said that “one who is faithful in a very little is also faithful in much, and one who is dishonest in a very little is also dishonest in much.” Luke 16:10 (ESV). While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements. And even small executive oversteps can compound over time, resulting in larger transgressions down the road. 

Some background. Sorry about the alphabet soup.  

Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”) in 1996 because health information needed more protections and the world needed more acronyms. HIPAA seeks to “assure that individuals’ health information is properly protected” while “allowing the flow of health information needed to provide and promote high quality healthcare.” The Department of Health and Human Services (“HHS”) enforces this mandate. Violations are reported to HHS’s Office for Civil Rights (“OCR”), who investigates reports and recommends corrective action. This case involves HIPAA’s confidentiality protections (the “Privacy Rule”) for “protected health information” (“PHI”). More specifically, the case concerns the Rule’s applicability to one subset of PHI: “individually identifiable health information” (“IIHI”). HIPAA defines IIHI as information that (1) “relates to” an individual’s healthcare and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.”

The key point is that HIPAA provides protections for protected health information (PHI). And “individually identifiable health information” (“IIHI”) is a subset of PHI. 

IIHI cannot be disclosed without the individual’s explicit authorization, or unless there’s a regulatory exception.  

One more acronym. Sorry. UPW. 

[Practices] can then share such data with technology vendors and other third parties, gaining valuable data-analytics insights and facilitating better cross-platform collaboration. HIPAA provides robust protections for PHI in this context, including the Privacy Rule, along with the Security Rule (requiring “reasonable and appropriate” administrative safeguards), required SSL encryption, obligatory Business Associate Agreements (“BAAs”) for outside providers, and a host of other obligations. Subject to certain restrictions, providers can provide information that is not IIHI on “unauthenticated public webpages” (“UPWs”)—websites that don’t require login credentials or user verification. In doing so, healthcare providers increase the public’s access to important health-related information.

So, a UPW might be a hospital’s or physician’s public-facing website educating searchers on what they do, the conditions they treat, and more.

And a hospital or physician would want analytics on how they are being found and, broadly, who is finding them, so they can improve the information they are providing. And see the patients who want to be seen.  

The court understood that there is potential for online mischief. 

In theory, a third party could connect the dots between a person’s IP address and the searches performed: if an IP address corresponds to Person A, and Person A looks up symptoms of Condition B, one might conclude Person A has Condition B. 

Indeed, inferences aside, the above scenario would never reveal that Person A affirmatively had Condition B. But HHS thought otherwise.

Accordingly, in 2022, the Department gave the definition a clandestine facelift. In December of that year, HHS issued a guidance document (the “Original Bulletin”) to address potential privacy concerns. Like most guidance documents, the Original Bulletin reminded covered entities of their obligation to protect IIHI. But it did more than that, too. In particular, the Original Bulletin appeared to shoehorn additional information into the IIHI definition … Combination”) was an example to highlight privacy concerns; covered entities saw it as an entirely new obligation.

The Revised Bulletin further suggests the IIHI test is subjective. That is, the Revised Bulletin insinuates that information can become IIHI if the individual’s reason for visiting a UPW relates to their personal healthcare (irrespective of the fact that such information is unknowable unless a UPW seeks it). 

OK, the “Proscribed Combination,” according to HHS’s Revised Bulletin, triggered obligations under the Privacy Rule. If online technology connects (1) an individual’s IP address with (2) a visit to a healthcare entity’s public-facing website addressing specific health conditions or healthcare providers, extra caution is required IF the individual’s reason for visiting the site relates to their personal healthcare.

How would the website owners know the user’s subjective intent? 

They likely wouldn’t. 

Unless there was some dropdown which forced the user to disclose their intent. 

If the Proscribed Combination isn’t IIHI, the Privacy Rule doesn’t apply. On the other hand, if the Proscribed Combination constitutes IIHI, covered entities have a host of legal obligations to ensure HIPAA compliance… 

As a whole, these signs point to one conclusion: HHS tried to tweak the IIHI definition and got caught. With its hand in the cookie jar, the Department now backtracks. In doing so, it gaslights covered entities by arguing the Bulletins restate what the rule has been all along. 

[t]he Revised Bulletin confirms that the Proscribed Combination, by itself, does not constitute IIHI. See AR at 4 (“The mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not sufficient … to constitute IIHI.”). 

Subjective intent aside, the Revised Bulletin only compounds the conundrum for covered entities. Indeed, covered entities must modify their behavior the same way under both Bulletins. A user’s intent in visiting a UPW is unknowable. Thus, because HIPAA doesn’t mandate clairvoyance, covered entities must act as if the Original Bulletin controls, i.e., as if the Proscribed Combination is per se IIHI. And the record is clear that covered entities have not been doing that. 

The Revised Bulletin says UPW visits “do not result in a disclosure of PHI to tracking technology vendor[s] if the visit is not related to an individual’s past, present, or future health, health care, or payment for healthcare.” AR at 6. Put differently, such visits do “result in a disclosure of PHI” if the visit is “related to an individual’s past, present, or future health, health care, or payment for healthcare.”

The court ruled that HHS exceeded its authority by labeling the Proscribed Combination as IIHI (a subset of PHI), which would trigger legal obligations. It ruled the Proscribed Combination was not lawful.

That HHS lacked authority to promulgate the Proscribed Combination is unsurprising, as our nation’s bureaucratic apparatus would give Hobbes’ Leviathan a run for its money. Indeed, few are the facets of modern life untouched by the federal government’s administrative machinery, which is as sophisticated as it is complex. We’ve drifted from the founders’ intent, but that’s not the only problem. Another, as Hobbes and the founders foresaw, is the tendency of large bureaucracies to self-perpetuate, emboldened by each successive ultra vires action. As the old saying goes, “give an inch, they’ll take a mile.” And HHS has taken a mile. See ECF No. 25 at 24 (“[T]he threshold problem with the Bulletin is also the most fundamental: The Bulletin’s new rule exceeds HHS’s authority under HIPAA.”).

… HHS cannot require covered entities to perform the impossible. Thus, even if a UPW’s metadata could identify a particular individual, “[t]hat information cannot become IIHI based solely on the visitors’ subjective motive for visiting the page.” ECF No. 60 at 38. The Hospitals’ brief discusses two hypotheticals to illustrate this point: 

say, that John Smith visited a page for booking dialysis appointments, or Mary Jones visited a page about the onset of Alzheimer’s disease—that establishes nothing. There are many generic reasons why they may have visited such pages, entirely unrelated to the health, healthcare, or payment for healthcare of any particular individual (e.g., they could be public-health researchers or hospital employees). In addition, even if their visits were related to some individual’s healthcare needs, they could have been acting for family members, friends, or countless other third parties. And their IP addresses provide no reasonable basis to determine otherwise. Without contesting any of this, HHS baldly asserted that the Proscribed Combination is “indicative” of the visitor’s own health status or treatment, [ ] but any such inference drawn from internet metadata falls far short of what the IIHI definition requires, as courts have recognized… 

HHS says it’s “common sense” that “some users who visit these webpages … are doing so to learn information about their own medical conditions, to inquire about specific medical practices or providers for the purpose of obtaining healthcare, to actually obtain an appointment with a particular provider, or for other reasons related to their own healthcare.” ECF No. 41 at 40. The Court does not disagree. Indeed, the Court wouldn’t disagree if HHS argued most people visit for those reasons. But that’s not what HIPAA requires. In any event, Congress only included the “reasonable basis” qualifier for the identification prong.

To its credit, the court actually made this simple. 

Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).  

If a covered entity’s UPW greets visitors with a dropdown box requesting their subjective motive for visiting the page, that would be one thing. The Department can and should remind covered entities that the Privacy Rule would apply in those circumstances. But absent such an admittedly bizarre scenario, the Proscribed Combination cannot become IIHI as unambiguously defined…. 

Having done so, the closest the Proscribed Combination gets to IIHI is a speculative inference extrapolated from (but unsubstantiated by) collected metadata. Because the Proscribed Combination facially exceeds HIPAA’s unambiguous text, the Court need not consider the Parties’ other [] arguments…. 

As thoroughly detailed in amicus briefs, the Proscribed Combination would “undermine[ ] the joint efforts of Hospitals and the Government to modernize healthcare.” Id. at 31 (cleaned up). If enforced, the Proscribed Combination would have a profound chilling effect on providers’ use of technology vendors to facilitate critical UPWs. See id. While healthcare providers can “host websites and patient portals without using any third-party analytics … it serves nobody to have websites that patients do not know and cannot navigate effectively.” Id. at 33. 

HHS elected against appealing the decision. 

So, generic tracking technologies on websites that do not clearly connect an individual with their health condition or their receipt of healthcare are not per se verboten.

What do you think?


Jeffrey Segal, MD, JD
Chief Executive Officer & Founder

Jeffrey Segal, MD, JD is a board-certified neurosurgeon and lawyer. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country's leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.
