AHA Sues Feds Over Privacy Warning About Web Tracker Use

The American Hospital Association, along with three other organizations, has filed a federal lawsuit seeking to have the U.S. Department of Health and Human Services withdraw guidance issued last year warning that the use of online trackers by hospitals potentially violates HIPAA.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

The lawsuit was filed against Xavier Becerra, in his capacity as secretary of HHS, and Melanie Fontes Rainer, in her role as director of HHS’ Office for Civil Rights, in the U.S. District Court
for the Northern District Of Texas, Fort Worth Division on Nov. 2 by the AHA and three other plaintiffs – the Texas Hospital Association, United Regional Health Care System, and Texas Health Resources.

Texas Health Resources, a nonprofit health system with 29 hospitals and dozens of other medical care facilities in northern Texas, was among 130 hospitals and telehealth providers to receive a letter from HHS OCR and the Federal Trade Commission in July warning that the providers’ use of web trackers in websites and mobile apps was in potential violation of HIPAA and FTC regulations (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).

The FTC and HHS sent the warning letters following guidance HHS OCR issued last December stating that hospitals and other HIPAA-covered entities are not permitted to use tracking technologies in a manner that results in impermissible disclosures of protected health information – including patients’ IP addresses and locations – to tracking technology vendors and other third parties (see: HHS Web Trackers in Patient Portals Violate HIPAA).

Among other compliance measures, covered entities that use web tracker tools must have those technology vendors sign HIPAA business associate agreements.

Agency Warnings

HHS OCR officials in recent months have warned that the agency is investigating regulated entities whose use of web tracking violates HIPAA and that the organizations could face potential enforcement actions (see: Why HHS Regulators Are Heavily Scrutinizing Web Tracker Use).

The AHA’s lawsuit against HHS is the group’s latest move to oppose the federal guidance on web tracking. The AHA in May sent a letter to HHS OCR’s Fontes Rainer urging the agency to immediately amend or rescind its online tracking guidance, arguing that regulators had “erred” by treating all IP addresses collected by these technologies as protected health information under HIPAA (see: AHA Tells HHS to ‘Amend or Suspend’ Web Tracking Guidance).

In September, the AHA in a letter to Sen. Bill Cassidy, R-La., in response to the lawmaker’s request for information about ways to improve health data privacy, told Congress it should have HHS OCR “withdraw immediately” its bulletin about web trackers (see: Hospital Lobbyists Press Senator on Online Tracking Limits).

Now, the AHA’s lawsuit not only wants to have HHS OCR’s web tracker guidance repealed, but the group also seeks a court ruling saying that the “proscribed combination” of a patient’s IP address or email address with certain other identifiers does not constitute “individually identifiable health information” that is HIPAA-protected.

The AHA also seeks an injunction to stop OCR from taking enforcement actions related to its web tracking guidance against AHA member hospitals, as well as members of the other plaintiff organizations named in the lawsuit.

The lawsuit alleges, among other claims, that HHS OCR “exceeded its authority” under HIPAA and the First Amendment in its guidance stating that IP addresses combined with other identifiers constitutes HIPAA-covered IIHI.

“Given that the bulletin’s rule at the very least raises serious First Amendment concerns, the IIHI definition must be construed to avoid those concerns,” the lawsuit alleges.

The AHA in a public statement called the HHS’s guidance a “counterproductive rule that has upended hospitals’ and health systems’ ability to share healthcare information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.”

HHS did not immediately respond to Information Security Media Group’s request for comment on the lawsuit.

‘Big Hill to Climb’

Regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the litigation against HHS, said AHA’s lawsuit “has a big hill to climb.”

For starters, “the AHA must convince the court that OCR’s bulletin is a ‘Rule’ defined by the Administrative Procedure Act or the lawsuit faces dismissal for lack of standing,” he said. “Characterizing the bulletin as a ‘Rule’ seems like a stretch. On its face, the bulletin simply explains how tracking technologies may violate the HIPAA Privacy Rule that was duly made and has been in effect since 2003,” he said.

“The legal basis of their suit is sure to be attacked, and whether it will hold up remains to be seen.”

Despite the scrutiny of regulators at HHS and FTC, the AHA’s complaint “admits plaintiffs want to collect and disclose consumer email and IP addresses to third-party vendors,” Hales said.

The complaint claims that the hospitals and members of the other plaintiff associations “wish” to use online technologies on unauthenticated public webpages to collect and disclose the “proscribed combination” of identifiers to third-party technology vendors but are refraining from doing so in various ways based on HHS’s threat to enforce the guidance.

“The bulletin stands in the way of using these valuable tools, in part because many third-party technology vendors refuse to enter into a business associate agreement,” the lawsuit complaint alleges.

But Hales said that argument might also ultimately hurt the AHA and other plaintiffs. “That looks to me like a judicial admission that will be of interest to the FTC and may come back to haunt the hospital system plaintiffs.”