- HHS ended appeal of ruling partly axing data privacy guidance
- Health-care companies still face risks deploying trackers
The Health and Human Services Department’s decision to drop its appeal of a district court’s invalidation of the agency’s web-tracking technology restrictions did little to untangle the legal uncertainty for those health-care companies using the tools.
The agency’s decision to pull its appeal Aug. 29 seemingly cleared the path for some health-care providers mired in litigation to continue using web-tracking technology, which HHS had said could tie website visitors to medical conditions and other sensitive data under the Health Insurance Portability and Accountability Act. But the impact of HHS’ backtrack from its Fifth Circuit appeal isn’t so clear cut, and companies must continue to pay close attention to courts and regulators for guidance on this growing and sometimes slippery field of online tracking technologies, said Justin Sherman, CEO and founder of Global Cyber Strategies.
“The decision is not a green light to hospitals to put pixel trackers on everything they do, but it does poke a hole in the guidance,” he said. “This speaks to the challenge of applying HIPAA to these new technologies. It’s not going to change the landscape overnight.”
The HHS guidance, first introduced in December 2022, built on existing HIPAA requirements, adding an obligation for providers to protect patients and web users from technology connecting them to web pages addressing specific health conditions. The November 2023 lawsuit, American Hospital Association et al v. Becerra, aimed to block the agency from expanding HIPAA’s definition of “covered identifiable health information” to include IP addresses, which can show where a user resides.
US District Court for the Northern District of Texas Judge Mark Pittman ruled in June that HHS’ guidance was “in clear excess” of the agency’s authority, vacating parts of the policy that added an obligation for providers to protect users from technology that connected their IP addresses. The judge disagreed with HHS that an IP address constitutes identifying information, a facet of the guidance that became central to plaintiffs’ attack on the agency’s pixel-tracking policy.
“This ruling actually did not change much,” said Iliana Peters, shareholder at Polsinelli PC. “Anything else like appointment-scheduling tools, website-mapping technology, any pixels—anything like that is arguably still an issue.”
HHS declined to comment on the decision.
Active Litigation
The reversal comes as hospitals and other health-care entities face a wave of class actions claiming their use of tracking technologies reveals sensitive patient information such as specific treatments and appointment details to third parties, including advertising companies like
Those kinds of cases aren’t going away, said Peters, who said her health-care clients are still receiving demand letters related to pixel-tracking cases since the June ruling. Plaintiffs may have a higher bar to meet in instances where cases rest solely on scanning for third-party cookies that use IP, she said.
Prior to the HHS bulletin, there was no direct federal guidance on the use of these technologies.
HHS’ Office for Civil Rights and the Federal Trade Commission in July 2023 sent letters to 129 hospitals and care providers alerting them to “serious privacy and security risks” related to their use of online trackers. At least nine of those 129 entities, including Duke University Health System, were accused of HIPAA violations through their tracker use, according to a Bloomberg Law court docket analysis. Six are now consolidated or have been remanded to state courts.
It’s also unlikely that the court opinion will slow down any ongoing HHS and FTC investigations into health service entities using the trackers, the attorneys said.
Both Peters and Sherman also noted that states like Washington, which has its own health data privacy law, will continue to play a big role in enforcement.
AHA Win
Although legal complications are sure to follow, the plaintiffs in American Hospital Association et al v. Becerra still see HHS’s withdrawal as a win for health-care providers.
“Now that the Bulletin’s illegal rule has been vacated once and for all, hospitals can safely share reliable, accurate health care information with the communities they serve without the fear of federal civil and criminal penalties,” American Hospital Association general counsel Chad Golder wrote in a statement.
Whether or not the ruling will affect HHS’s future guidance remains to be seen.
“The court’s decision should be a meaningful part of how OCR looks at these issues generally,” Kirk Nahra, partner at WilmerHale, wrote in an email. “I would hope that it would encourage rational and usable guidance going forward, and a reasonable approach for any enforcement that looks at an entity’s overall approach on these issues as well as any actual impact.”
