Federal Court Invalidates Key Part of HHS OCR Bulletin Regarding Application of HIPAA to Online Tracking Technologies (2024)

BACKGROUND

HIPAA governs regulated entities’ use and disclosure of PHI, which is a broad subset of individually identifiable health information (IIHI). IIHI is defined as information that relates to the past, present or future physical or mental health or condition of, the provision of health care to, or the past, present or future payment for the provision of health care to an individual and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Cookies, pixels and other online tracking technologies might collect and disclose, based on their configurations and placement, information about an individual, including actual or potentially implied health information. In the Bulletin, OCR took the position that data collected by online tracking technologies regarding users on the unauthenticated webpages of regulated entities may constitute PHI if the information includes any individual identifiers on the list specifically enumerated in the HIPAA Privacy Rule’s de-identification “safe harbor,” such as an IP address.

The Bulletin, first published on December 1, 2022, garnered significant attention, and criticism, in the healthcare industry. Criticism was particularly acute with respect to OCR’s guidance that individual identifiers commonly captured by online tracking technologies, such as IP address and geographic location, connected with an individual’s visit to an unauthenticated webpage might constitute PHI. The AHA filed the above-referenced lawsuit in the US District Court for the Northern District of Texas, arguing that OCR exceeded its authority in restricting the use of common tracking technologies on public-facing webpages – specifically concerning the Proscribed Combination.

On March 18, 2024, OCR updated the Bulletin in an apparent effort to acknowledge and respond to criticism that the Bulletin was overbroad, especially with respect to whether data collected on unauthenticated webpages is PHI. The updates included additional examples of where an individual’s visit to an unauthenticated webpage may or may not be indicative of health information based on the intent or purpose of the individual’s visit to the webpage. For example, under OCR’s Bulletin update, collecting an IP address when a user visits a hospital website’s page on a particular health condition would be PHI if the user was looking for information regarding the user’s own health condition, but it would not be PHI if the same user was instead visiting the page to conduct professional research. Notwithstanding these updates to the Bulletin, the court granted AHA’s motion in part.

THE RULING

The court ruled that OCR exceeded its authority in taking the position that HIPAA obligations attach where an online technology merely connects (1) an IP address with (2) a visit to an unauthenticated public webpage addressing specific health conditions or healthcare providers – the so-called “Proscribed Combination.”

Interestingly, the court observed that OCR exacerbated the conundrum for HIPAA-regulated entities in its March 18, 2024, update to the Bulletin, which “clarified” that each website user’s subjective intent and purpose would be a key factor in determining whether information collected constitutes PHI. The court wrote: “A user’s intent in visiting a [unauthenticated public webpage] is unknowable. Thus, because HIPAA doesn’t mandate clairvoyance, covered entities must act as if the Original Bulletin controls, i.e., as if the Proscribed Combination is per se IIHI.”

Broadly summarized, the court observed that while HIPAA is “extraordinarily expansive” and “Congress gave HHS broad authority to promulgate rules and regulations to effectuate its mandates,” “[HHS’s] authority isn’t absolute, and the Proscribe Combination goes too far.” Interestingly, the court also appeared to raise, but did not entirely resolve or rely on for its opinion, the question of whether an IP address alone is a sufficiently unique identifier to render a data set individually identifiable.

IMPLICATIONS

Since the ruling invalidated the Bulletin only with respect to the Proscribed Combination and not in its entirety, it is not clear whether OCR will accept the court’s reasoning and apply it to other combinations of information that do not directly identify a user of a HIPAA-regulated entity’s website and/or reveal the user’s subjective intent or purpose on the website. For example, the ruling may not be extended to information that (i) is more individually identifying than mere IP address, (ii) is correlated to authenticated webpages, and/or (iii) is correlated to unauthenticated webpages that reflect more direct indicia of health information than merely addressing specific health conditions or healthcare providers. As a result, before updating their digital marketing plans or other tracking technology use cases, HIPAA-regulated entities should consider waiting to see whether OCR retains the Bulletin in its present form and appeals the court’s ruling or modifies the Bulletin a second time to apply the court’s reasoning to information combinations beyond the Proscribed Combination.

Our previous On the Subject regarding the updated Bulletin included recommended next steps in light of the Bulletin, which are generally still applicable. However, the evaluation of whether information collected through tracking technologies is PHI should consider the court’s ruling as well as whether the court’s reasoning should be applied beyond the Proscribed Combination.

HIPAA-regulated entities that are under investigation by OCR due to their deployment of online tracking technologies, disclosures of information to tracking technology vendors or breaches of unsecured PHI should reassess defense strategies and positions in light of the ruling. Likewise, entities that are assessing whether disclosures to tracking technology vendors are breaches of PHI should consider the court’s reasoning.

If the remaining elements of the Bulletin are retained, they remain important indicators of OCR’s enforcement positions and priorities for HIPAA-regulated entities. The remaining elements include:

What Constitutes IIHI in Context Generally

• Information disclosed to a tracking technology vendor that includes (i) information that the individual types or selects when the individual uses a regulated entity’s website or mobile app and (ii) an individual’s medical record number, home or email address, date of appointment, IP address, geographic location, device ID, other unique identifying code and/or any other individual identifier on the list specifically enumerated in the HIPAA Privacy Rule’s de-identification “safe harbor” may meet the definition of IIHI, which is a necessary pre-condition for information to meet the definition of PHI.
• IIHI collected on a regulated entity’s website or mobile app generally may be PHI, even if the individual does not have an existing relationship with the regulated entity.

Tracking on Authenticated Webpages

• Tracking technologies on a regulated entity’s user-authenticated webpages are generally considered to have access to PHI. (An authenticated webpage is one that requires a log-in/password, account or other step that recognizes a particular user, such as a patient portal.) Importantly, the court’s opinion did not invalidate the Bulletin as it pertains to IP addresses in combination with visits to authenticated webpages.
• A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.
• Tracking technology vendors are business associates if they create, receive, maintain or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circ*mstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.

Tracking on Unauthenticated Webpages

• Tracking technologies on a regulated entity’s unauthenticated webpage that permits individuals to schedule appointments or use a symptom-checker tool without entering credentials may have access to PHI in certain circ*mstances. For example, tracking technologies might collect an individual’s email address or reason for seeking healthcare typed or selected by an individual when the individual visits a regulated entity’s webpage and makes an appointment with a healthcare provider or enters symptoms in an online tool to obtain a health analysis. In this example, according to OCR, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.
• The login page of a regulated entity’s patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages. However, if the individual enters credential information on that login webpage or enters registration information (e.g., name, email address) on that registration page, such information meets the definition of IIHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is a disclosure of PHI and is subject to the HIPAA Rules.

Tracking Within Mobile Apps

• Mobile apps that regulated entities offer to individuals (e.g., to help manage their health information, pay bills) collect a variety of information provided by the app user, including information typed or uploaded into the app as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID or advertising ID. Such information collected by a regulated entity’s mobile app generally is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information. For example, a patient might use a health clinic’s diabetes management mobile app to track health information such as glucose levels and insulin doses. In this example, the transmission of information to a tracking technology vendor as a result of using such app would be a disclosure of PHI because the individual’s use of the app is related to an individual’s health condition (i.e., diabetes) and that, together with any individually identifying information (e.g., name, mobile number, IP address, device ID), meets the definition of IIHI.

Disclosures for Marketing Purposes

• Disclosures of PHI to tracking technology vendors for prohibited marketing purposes without individuals’ HIPAA-compliant authorizations would constitute impermissible disclosures.

While the case before the court, and the court’s decision, addressed only the Proscribed Combination – i.e., the collection of an IP address when a user browses a webpage concerning a specific medical condition or provider – the decision’s logic extends to any circ*mstance in which a user’s intent or purpose in visiting a webpage cannot be known with certainty. However, in circ*mstances where the user’s intent or purpose to obtain information about, or care regarding, the user’s own health is clear to the website owner/operator (e.g., activity within an authenticated patient portal, activity on other webpages after the user provides information about the purpose of the visit through free text fields or drop-down menus), the court’s opinion allows for the possibility that tracked data would constitute PHI.

It is important to note that the court’s opinion only addresses a subset of HIPAA issues regarding tracking technologies. It does not have any impact on the FTC’s regulation of or enforcement activity with respect to such technologies. Nor will the court’s opinion preclude private putative class action litigation in which plaintiffs allege wiretapping/eavesdropping violations from tracking technologies.

If you have questions about how this ruling affects your organization, contact your regular McDermott lawyer or any of the authors.