Federal Health & Welfare Updates

Texas Judge Vacates OCR Website Tracking Technology Guidance

July 02, 2024

On June 20, 2024, the US District Court for the Northern District of Texas ruled that guidance issued by the HHS Office for Civil Rights (OCR) on the use of third-party online tracking technologies by HIPAA-regulated entities, which include covered entities (such as healthcare providers) and business associates, was unlawful and that OCR overstepped its authority when it issued the guidance. The district court invalidated OCR’s guidance that individually identifiable health information (IIHI), a component of protected health information under HIPAA, includes the connection of a person’s IP address with their visit to certain unauthenticated public webpages. 

HIPAA defines IIHI as information that (1) “relates to” an individual’s healthcare and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” Previously, OCR expressed concerns that IIHI collected on a regulated entity's (e.g., a hospital’s) website or mobile app was not adequately protected due to third-party tracking technologies. To address these concerns, OCR issued a bulletin in December 2022 and later revised it in March 2024.

However, in this case, the plaintiff hospital groups asserted that OCR had exceeded its authority under HIPAA in promulgating an expansive definition of IIHI under the bulletin. The district court agreed with the plaintiffs and held that the provision at issue in the bulletin could not be aligned with HIPAA’s definition of IIHI under two statutory conditions.

First, the district court explained that a visitor's access to unauthenticated public webpages is not information that “relates to” an individual’s health, receipt of healthcare, or payment for healthcare, because covered entities cannot know that visitors are accessing certain webpages for the purpose of seeking information about their own health conditions, as opposed to some other probable purpose, such as accessing the page for academic research. Second, the district court determined that a visitor's access to unauthenticated public webpages does not and cannot identify, or provide a reasonable basis for identifying, health information about a specific individual, as the IIHI definition requires. For these reasons, the district court declared OCR’s guidance unlawful and vacated the relevant elements of the bulletin.

Though this case primarily impacts providers and third-party online tracking technology vendors, employers should be aware of this development and review their HIPAA obligations with their advisers and outside counsel when developing a comprehensive strategy for adhering to HIPAA's privacy, security, and breach response requirements. 

Opinion and Order

Final Judgment

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
