Ending with a Whimper

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

The long and tangled path so far for tracking technology and HIPAA in healthcare appears set to end with a whimper. It is being reported that the federal Department of Health and Human Services dropped its appeal of the decision from the United States District Court for the Northern District of Texas (the Texas Court) that vacated the arguably new interpretation of HIPAA from guidance issued by the Office for Civil Rights. By dropping the appeal, the order to vacate issued by the Texas Court will stand.

A Brief Recap

Concerns about tracking technology were first raised in late 2022 after an investigative journalism report found that Meta Pixel or other similar tools were frequently embedded on many different pages of hospital websites. The tools would capture varying forms of data about visitors and send the data back to the website host and the tool creator. Often no Business Associate Agreement or other HIPAA-required protections were in place for those relationships. The first pass at discussing some of those issues was covered in this blog in January 2023.

After the proverbial cover was blown off the issue, OCR issued its first attempt at guidance around tracking technology use in December 2022. Enthusiasm for the guidance was immediately quite low, with many feeling that OCR overstepped its bounds with some of the statements. In particular, the greatest concern came from OCR’s apparent claim that all website visitor info would be subject to HIPAA and had to be afforded the appropriate protections.

Not surprisingly, the guidance was challenged, with the charge on that front led by the American Hospital Association. The mixture of the guidance, the challenge, and one somewhat on-point court decision around the same time created a lot of room for different interpretations.

Given the different points of view, many lawsuits were filed and settled while the picture remained unclear. One of those claims was brought by a state (New York) and settled between the alleged violator and the Attorney General. Arguably, an open question remains as to whether other states will keep pursuing potential actions by leaning on allegations of violating state-level privacy protections without also alleging a corresponding HIPAA violation. However, the settlement did home in on the use of tracking technology in areas requiring patient login, which is a much safer zone for showing potential inconsistencies with HIPAA.

Then in March 2024, OCR somewhat quietly issued a revised version of its guidance on tracking technology. The revised version came out as the Texas Court was getting closer to issuing a decision on the matter as presented to it. While OCR asserted that the revised guidance addressed the alleged problems of issuing a new interpretation without following appropriate procedure, that was just a bit of hand waving from certain perspectives. Ultimately, the revised guidance still strongly suggested that all data collected by tracking technology should be treated as subject to HIPAA and tried to force website owners to interpret the intent of a webpage visitor by actions on the webpage (something that is pretty much impossible).

With all of those pieces of the puzzle coming together, the Texas Court issued its decision to vacate key portions of OCR’s guidance in June 2024. The Texas Court determined that OCR went too far when it claimed that combining an IP address with a visit to an unauthorized public webpage constituted PHI. The Texas Court could not find support for that determination in the plain language of existing definitions in HIPAA or a basis of authority for OCR to make that change.

That was the lay of the land to this point.

The Aborted Appeal

Following the Texas Court’s decision, the next (and possibly final) question was how OCR would respond. Initially, it appeared OCR would appeal as it filed a notice of appeal. That course was reversed, as of August 29, 2024, with OCR withdrawing its notice of appeal. That means the Texas Court’s decision will stand.

Where does that leave the state of tracking technology? For now, it’s really a matter of approaching use of such technology with eyes wide open and a full appreciation of where it is deployed. Arguably, that is what should have been done all along. If the technology was understood and used appropriately, then it would be known what type of information was being collected as well as when it could be considered protected health information and subject to HIPAA. All of that is really just paying attention to the details, which is part of good compliance activities.

While the guidance issue may be done for the moment, it will be necessary to track whether OCR tries to formally issue any new regulations. That will then raise new questions of whether OCR is overstepping the authority granted to it under any relevant statutes and whether those decisions should be able to stand. Those are all questions that cannot be answered right now, but will come in time.

This article was originally published on The Pulse blog and is republished here with permission.