By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The pieces to the puzzle that is the use of tracking technology in healthcare continue to accumulate. The most recent piece was a summary judgment decision from the Northern District of Texas stemming from a lawsuit filed by the American Hospital Association along with a couple of hospitals. The suit challenged guidance published by the HHS Office for Civil Rights trying to tamp down on the use of tracking technology. As soon as the original guidance was issued, concerns arose about the scope of the guidance, which sparked challenges not just in public discourse, but in the courts as well.
The Decision
Cutting to the chase first, the court granted the AHA’s request for declaratory judgment and granted the AHA’s request for vacatur. The court denied the request for a permanent injunction. What do all of those holdings mean? In plain language, the portion of the guidance asserting that the combination of an IP address with a visit to an unauthorized public website (UPW) with information about a specific health condition or clinician (the Proscribed Combination) constitutes individually identifiable health information (IIHI) was a new legal obligation that HHS did not have the authority to establish in a guidance document. The second part of the favorable ruling was to vacate the guidance around the Proscribed Combination, which means that part of the guidance is removed.
Case Background
For a bit of a refresher, the lawsuit focused on guidance issued by OCR (referenced as HHS throughout the decision because that is the parent Department) that came about after reports revealed extensive use of tracking technology by healthcare entities on websites and mobile apps. The tracking technology collected information about users interacting with the webpages or other locations where the tools were embedded. The information collected could vary depending on the specific configurations. The technology was deployed in a variety of locations, including general public pages and pages behind a login.
OCR focused on a couple of elements of data collected by the tracking technology. In a bulletin initially posted in December 2022 (the Original Bulletin), OCR asserted that the combination of an individual’s IP address and a visit to a UPW with information about a specific healthcare condition or clinician was enough to trigger privacy obligations under HIPAA. The plaintiffs in the suit viewed the interpretation as imposing an entirely new obligation while OCR claimed it was just a reminder of what should have been happening all along.
Not long before HHS had to submit its brief on the motion for summary judgment, OCR updated the guidance bulletin in March 2024 (the Revised Bulletin). Due to the timing, the Revised Bulletin became the operative document for the court’s analysis. Boiling it down, the Revised Bulletin tried to soften the inflexible stance taken in the Original Bulletin, but did so by introducing a subjective element that was arguably completely unknowable. Check out the earlier blog post Slightly Refined Tracking Tech Guidance for more detail.
The Court’s Analysis
While the final holding of the Court was to remove the Proscribed Combination, the actual decision walks through a few different analyses that are necessary to get to that point. Before getting into the Court’s analysis, it is important to point out why the Proscribed Combination is the focus. As explained by the Court, the Proscribed Combination was the focal point of the parties because that portion of the Bulletins represented a new interpretation and was used to (allegedly) impose new requirements on entities subject to HIPAA compliance obligations.
The first question was whether the Court could even rule on the issue at this point in time. HHS tried to argue that the Revised Bulletin did not constitute final agency action, which is a technical way of asserting that HHS did not engage in new rulemaking and otherwise run through all of the processes called for by the Administrative Procedures Act. HHS based its argument on its view that the Revised Bulletin neither represented the consummation of a decision-making process nor determined a right or obligation for entities subject to the Revised Bulletin. Given the final ruling, the Court disagreed with HHS on the reality of the situation.
The Court found the Revised Bulletin (and really both Bulletins) to represent a final view of HHS on the point of whether the Proscribed Combination constituted individually identifiable health information, which in turn triggered the need to comply with HIPAA for that information. HHS tried to assert that the viewpoints expressed by the Proscribed Combination did not contain a definitive interpretation and just helped explain how to best interpret certain scenarios. Alternatively, HHS said that if there were concerns about the interpretation of the Proscribed Combination, then judicial review could happen during any challenge to an enforcement action. The Court didn’t buy either argument. The Revised Bulletin was viewed as setting a clear and final viewpoint.
Just because the Revised Bulletin contained a final statement about the Proscribed Combination, the assessment wasn’t over. The Court then had to determine whether the statement about the Proscribed Combination imposed new obligations on subject entities. Such a scenario did arise, because privacy protections now had to be applied to a combination of information that would not necessarily be obvious as individually identifiable. Since the Proscribed Combination was subject to HIPAA, a cascade of actions then applied, which would completely change operations.
HHS placed a lot of emphasis on the Revised Bulletin introducing a subjective assessment, but the Court found that argument to be more style over substance. The purportedly subjective component was saying that the Proscribed Combination was only individually identifiable health information if the visitor had the intent of seeking the information for a reason covered by HIPAA. However, the Revised Bulletin said it would be prudent to ensure compliance by treating all Proscribed Combinations as subject to HIPAA in order to avoid a violation. In reality, that meant treating all Proscribed Combinations as subject to HIPAA, which meant a new obligation.
Finally, the Court examined whether the Revised Bulletin imposed a new legal obligation. Given the previous analysis, the answer was clearly yes. Despite HHS labeling the Revised Bulletin as a guidance document that is informational only, it clearly tells subject entities how to act with respect to the Proscribed Combination. The interpretation also clearly shows how HHS would enforce a situation and binds OCR to following that course of action. Those factors all show that the Proscribed Combination in the Revised Bulletin was a new legal obligation that would be enforced as written.
The second question was whether HHS had the authority to promulgate the Proscribed Combination. The Court determined that HHS overstepped its authority when stating that the Proscribed Combination constituted individually identifiable health information. The Court homed in on the “relates to” requirement in the definition. The subjective element introduced in the Revised Bulletin only confused that “relates to” point, because subject entities were told to treat all Proscribed Combinations as individually identifiable health information even though it would arguably be impossible to ever determine whether the right subjective intent existed.
Absent an ability to know the subjective intent of the user, relying upon an inference is not enough. Arguably any situation could be inferred to result in the Proscribed Combination qualifying as individually identifiable health information. However, an inference, no matter how reasonable, does not align with the clear language of the statutory text.
All of those factors supported the Court’s finding that the Proscribed Combination represented an overstep of authority by HHS.
The End Result
The end result of the Court’s action was to remove the Proscribed Combination statement from the Revised Bulletin. OCR has already placed that disclaimer at the beginning of the document. That still leaves a lot of other information from the Revised Bulletin that does offer valid guidance and direction for entities using tracking technology in healthcare. Ignore the rest at your own compliance peril.
What is the rest? The general need to ensure that protected health information is not improperly collected and shared with third parties. If a covered entity works with another business that interacts with PHI for the covered entity, then it is a business associate and the attendant obligations apply.
What’s Next for Tracking Technology
As already suggested, one of the immediate steps is to know and understand the nature of the relationship between a covered entity and the entity providing tracking technology. Just because the Proscribed Combination has been removed from the Revised Bulletin, it doesn’t mean HIPAA is no longer a concern. There are still many ways that individually identifiable health information can clearly be collected and compliance obligations triggered.
Leaving aside the more obvious ways that HIPAA can apply, one question is whether HHS will pursue more formal rulemaking to “officially” broaden the way in which individually identifiable health information is interpreted. The Court’s decision hinted that even formal rulemaking may not solve the issue, since HHS misapplied terms from the definition of individually identifiable health information. The Court clearly took issue with some of the relational jumps made by HHS, jumps that would not be solved through a normal rulemaking process.
The other unknown is how the Supreme Court’s recent decision to move away from the Chevron Doctrine (the approach of giving agencies deference in interpreting the laws they enact regulations under) will impact agency action. If suits can more readily challenge an agency’s rule, more uncertainty could follow. That is too much speculation for the moment, but certainly a concern to track.
Ultimately, HHS and OCR will need to determine if more formal action is needed to address the fallout from the widespread use of tracking technology by healthcare organizations. This is unlikely to be the end of the story though.
This article was originally published on The Pulse blog and is republished here with permission.