Texas District Court Decision Complicates OCR's HIPAA Bulletin on Online Tracking Technologies
On June 20, 2024, the U.S. District Court for the Northern District of Texas ordered the Department of Health and Human Services, Office for Civil Rights (OCR), to vacate its guidance restricting HIPAA-covered entities’ use of third-party online tracking technologies. The court found that OCR overstepped its authority by broadening the definition of protected health information (PHI) under HIPAA.
At present, this ruling is limited to organizations in the Northern District of Texas, and whether the ruling will stand is unclear, given the high likelihood of appeal. Organizations subject to HIPAA should continue to monitor the developments of this and other cases to inform their compliance posture, and understand the reach of this ruling as well as that of OCR.
How Did We Get Here?
The conflict began when OCR issued a bulletin in December 2022, extending HIPAA's reach to online tracking technologies, such as website advertising and analytics tools. This move aimed to include cookies and tracking scripts as part of protected health information if linked to health data. Some in the healthcare sector challenged this bulletin, arguing it imposed excessive restrictions and burdens.
The Court’s Ruling
The Texas court ruled that OCR exceeded its authority with this guidance, ordering it to be vacated. However, the court did not issue a permanent injunction, leaving the door open for OCR to enforce its interpretation in other jurisdictions outside of the reach of this Northern Texas court. Given OCR’s posture on this matter, it is likely they will continue to pursue the enforcement of its rules, and also appeal this Northern Texas court ruling.
Implications Moving Forward
Despite this setback for OCR, organizations subject to HIPAA must remain cautious. The decision is likely to be appealed, and the FTC's laws and state privacy regulations still apply to many of HIPAA-covered organizations, which continue to monitor legal developments and facilitate compliance with all applicable privacy laws.
Case Summary
In December 2022, OCR issued a bulletin expanding HIPAA's definition of individually identifiable health information (IIHI) to include data collected from unauthenticated public websites. This meant that IP addresses linked to health-related website visits were considered PHI, restricting the use of third-party analytics tools. Following this, OCR and the FTC sent a joint letter in July 2023 to numerous healthcare entities, warning about privacy risks associated with online tracking technologies.
The FTC also reminded non-HIPAA-covered companies of their duty to protect personal health information. Facing new obligations, the plaintiffs, including the American Hospital Association, sued to stop enforcement of the bulletin. In March 2024, OCR revised the bulletin but maintained its stance against combining user data with health information. The Texas court ultimately vacated the guidance for organizations within its jurisdiction, deeming it an overreach of OCR’s authority.
Court’s Decision and Reasoning
The court held that OCR's rule on the "Proscribed Combination" was unlawful, vacating it due to OCR's lack of authority under HIPAA. However, the court did not grant a permanent injunction against OCR's enforcement, suggesting that vacating the guidance was the most equitable remedy. The ruling remains subject to appeal.
Key Takeaways and Possible Next Steps
- Future OCR Actions Unclear: OCR is likely to attempt to enforce its interpretation of IIHI in other circuits despite this ruling.
- Potential Appeals or Revisions: OCR is likely to appeal the decision or revise its bulletin.
- FTC and State Privacy Laws Still Apply: Companies must still comply with FTC regulations and state privacy laws, which continue to govern the collection and use of PHI. Specifically, under Section 5 of the FTC Act and the HBNR, the FTC has recently undertaken enforcement actions against GoodRx, BetterHelp, and Monument and Cerebral for disclosing sensitive health information to third parties. Additionally, state privacy laws also regulate the collection of sensitive personal information, which may include the collection of health information through unauthenticated public webpages, for example, Washington's My Health My Data Act.
In summary, while OCR's guidance has currently been vacated for organizations subject to the Northern Texas court’s purview, the decision leaves significant regulatory questions unresolved, necessitating careful compliance by healthcare entities with existing privacy laws.
Michael is an experienced C-suite executive who has spent his career guiding organizations through an ever-evolving regulatory landscape. After starting his career at Ernst & Young, Michael worked as a CFO with large, global organizations before co-founding Clym to assist organizations of all sizes with their website regulatory compliance needs.
Learn More →