On June 20, 2024, the U.S. District Court for the Northern District of Texas ordered the Department of Health and Human Services, Office for Civil Rights (OCR), to vacate its guidance restricting HIPAA-covered entities’ use of third-party online tracking technologies. The court found that OCR overstepped its authority by broadening the definition of protected health information (PHI) under HIPAA.
At present, this ruling is limited to organizations in the Northern District of Texas, and whether the ruling will stand is unclear, given the high likelihood of appeal. Organizations subject to HIPAA should continue to monitor the developments of this and other cases to inform their compliance posture, and understand the reach of this ruling as well as that of OCR.
The conflict began when OCR issued a bulletin in December 2022, extending HIPAA's reach to online tracking technologies, such as website advertising and analytics tools. This move aimed to include cookies and tracking scripts as part of protected health information if linked to health data. Some in the healthcare sector challenged this bulletin, arguing it imposed excessive restrictions and burdens.
The Texas court ruled that OCR exceeded its authority with this guidance, ordering it to be vacated. However, the court did not issue a permanent injunction, leaving the door open for OCR to enforce its interpretation in jurisdictions outside the reach of this Northern Texas court. Given OCR’s posture on this matter, it is likely that OCR will continue to pursue enforcement of its rules and will also appeal this Northern Texas court ruling.
Despite this setback for OCR, organizations subject to HIPAA must remain cautious. The decision is likely to be appealed, and the laws enforced by the FTC and state privacy regulations still apply to many HIPAA-covered organizations, which should continue to monitor legal developments and facilitate compliance with all applicable privacy laws.
In December 2022, OCR issued a bulletin expanding HIPAA's definition of individually identifiable health information (IIHI) to include data collected from unauthenticated public websites. This meant that IP addresses linked to health-related website visits were considered PHI, restricting the use of third-party analytics tools. Following this, OCR and the FTC sent a joint letter in July 2023 to numerous healthcare entities, warning about privacy risks associated with online tracking technologies.
The FTC also reminded non-HIPAA-covered companies of their duty to protect personal health information. Facing new obligations, the plaintiffs, including the American Hospital Association, sued to stop enforcement of the bulletin. In March 2024, OCR revised the bulletin but maintained its stance against combining user data with health information. The Texas court ultimately vacated the guidance for organizations within its jurisdiction, deeming it an overreach of OCR’s authority.
The court held that OCR's rule on the "Proscribed Combination" was unlawful, vacating it due to OCR's lack of authority under HIPAA. However, the court did not grant a permanent injunction against OCR's enforcement, suggesting that vacating the guidance was the most equitable remedy. The ruling remains subject to appeal.
In summary, while OCR's guidance has currently been vacated for organizations subject to the Northern Texas court’s purview, the decision leaves significant regulatory questions unresolved, necessitating careful compliance by healthcare entities with existing privacy laws.