On August 29, 2024, the Office for Civil Rights of the United States Department of Health and Human Services (“HHS-OCR”) withdrew its appeal of an order of the United States District Court for the Northern District of Texas (“District Court”) declaring unlawful and vacating a portion of an HHS-OCR Bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”  See Am. Hosp. Ass’n v. Becerra, No. 4:23-cv-1110 (N.D. Tex. June 20, 2024).  At its core, the District Court held that the challenged portion of the HHS-OCR Bulletin exceeded the agency’s authority.  While many in the health care industry may breathe a sigh of relief given the proliferation of class action lawsuits focused on tracking technologies and the evolving maze of regulation affecting the industry generally, it is unclear whether HHS-OCR will continue its newfound attempts to regulate the use of tracking technologies.  Regardless, vigilance and caution around website tracking should continue to be exercised.

In a prior alert, we explained how the HHS-OCR Bulletin highlighted the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” which HHS-OCR described as “script[s] or code[s] on a website or mobile app used to gather information about users as they interact with the website or mobile app”; the data these scripts collect can then be analyzed by website owners, app operators, or third parties to create user profiles or to garner insights into users’ online activities.  The HHS-OCR Bulletin reminded covered entities of their specific obligation to protect “individually identifiable health information” (“IIHI”), the statutory term on which the definition of protected health information (“PHI”) is built, meaning information that “relates to” an individual’s health care and either “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.”  In HHS-OCR’s view, IIHI may include an individual’s IP address, device ID, or any other unique online or device identifier, each of which is information typically collected by online tracking technologies.

The HHS-OCR Bulletin explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).  In HHS-OCR’s view, IIHI may be collected where a user visits a covered entity’s public webpage concerning a particular health condition and the online tracking technologies placed on that webpage collect the user’s IP address; and “IIHI collected on a covered entity’s website or mobile app generally is PHI.”  Covered entities viewed the guidance set forth in the HHS-OCR Bulletin and, more specifically, the Proscribed Combination described above, as a new and potentially unlawful obligation that “shoehorn[ed] additional information into the IIHI definition.”  Accordingly, a lawsuit was filed against HHS-OCR.

Specifically, the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (collectively, the “Hospitals”) asked the District Court to declare the requirement relating to the Proscribed Combination unlawful, to vacate it, and to permanently enjoin its enforcement because it was “flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy.”  Id., Doc. 1, “Complaint” (filed Nov. 2, 2023).  The District Court took up these arguments on cross-motions for summary judgment and, on June 20, 2024, denied HHS-OCR’s motion and granted in part and denied in part the Hospitals’ motion.  The District Court agreed with the Hospitals that the HHS-OCR Bulletin “improperly creat[ed] substantive legal obligations for covered entities,” reasoning that the Bulletin was a final agency action subject to judicial review and that “the Proscribed Combination facially violate[d] HIPAA’s unambiguous definition of IIHI.”  While the District Court declined to enter a permanent injunction because the Hospitals had not demonstrated an “irreparable injury,” it ordered vacatur, citing the ordinary practice of the United States Court of Appeals for the Fifth Circuit (“Fifth Circuit”) with respect to “unlawful agency action.”

HHS-OCR appealed the District Court’s order to the Fifth Circuit; however, ten days later, and with the consent of the Hospitals, HHS-OCR moved to voluntarily dismiss its appeal pursuant to Federal Rule of Appellate Procedure 42(b).  As of the date of this alert, HHS-OCR has not provided any comment about the District Court’s order or the withdrawal of its appeal, leaving the health care industry wondering about HHS-OCR’s next move.  Because the District Court declared unlawful only the portion of the HHS-OCR Bulletin characterized as the Proscribed Combination, HHS-OCR may seek to restructure the Bulletin to reincorporate the spirit of the Proscribed Combination.  Alternatively, HHS-OCR may rescind the Bulletin entirely and instead promulgate a proposed rule consistent with the Administrative Procedure Act, soliciting and reviewing public comment before finalizing.  Such a proposed rule could include an updated definition of IIHI aimed at covered entities’ use of online tracking technologies.

As illustrated by HHS-OCR’s novel interpretation and application of HIPAA, and the twists and turns this litigation has taken, health care industry participants should stay apprised of new guidance, views, or positions taken by the numerous federal and state agencies that regulate, in various capacities, the health care industry.  Further, given the ongoing wave of class action lawsuits focused on website tracking technologies under state wiretapping and telecommunications laws (see Latest Wave of Wiretap Class Actions Continues Despite Dismissals as Plaintiffs Try New Approaches and Surge of Privacy Class Actions in Arizona Targeting Email Pixel Tracking), vigilance and caution around the implementation of website tracking should continue to be exercised.

Matthew J. Westbrook

Matt Westbrook is an associate in the Corporate Department and a member of the Health Care Group. His practice focuses on providing regulatory compliance advice for the Firm’s health care clients, including service providers, health plans, operators, investors, and lenders, among others. Matt specifically provides advice on fraud and abuse matters arising under the Federal False Claims Act (FCA), Civil Monetary Penalties Law, Federal Anti-Kickback Statute (AKS), and Physician Self-Referral Law (Stark Law), as well as on the regulations promulgated by the Drug Enforcement Administration (DEA) and the Department of Health and Human Services, including the Office of Inspector General (OIG), Centers for Medicare & Medicaid Services (CMS), and Food and Drug Administration (FDA).

Before joining the Firm, Matt served as senior counsel in OIG’s Administrative and Civil Remedies Branch. At OIG, Matt was responsible for determining whether to impose administrative sanctions, including civil money penalties and Federal health care program exclusions, against health care providers and suppliers, and whether to impose civil money penalties on hospitals and physicians in connection with matters referred to CMS under the Emergency Medical Treatment and Labor Act (EMTALA). During his tenure, Matt also litigated exclusion appeals before administrative law judges and appellate panels of the Departmental Appeals Board; advised United States Attorney’s Offices on exclusions appealed to Federal district courts; resolved voluntary self-disclosures submitted by providers and grant and contract recipients; and participated in the negotiations and settlements of FCA matters by the Department of Justice involving the AKS, Stark Law, CMS reimbursement issues, and DEA and FDA compliance issues. In connection with certain FCA resolutions, Matt also negotiated and monitored corporate integrity agreements.

On the Florida junior circuit and in college, Matt was a competitive tennis player. Matt played on the varsity team and was captain his senior year at Rhodes College, earning ITA Division III and SCAC All-Academic Honor Roll awards his sophomore, junior, and senior years. Matt is an active member of the American Health Law Association (AHLA) and currently serves as a Vice Chair of AHLA’s Fraud and Abuse Practice Group.

Jonian Rafti

Jonian Rafti is an associate in the Corporate Department and a member of the Health Care Group. Since law school, his practice has exclusively focused on representing a variety of clients in the health care sector, including hospitals and health systems, physician organizations, telehealth platforms, and digital health companies.

Jonian provides legal advice on a range of regulatory, corporate, and transactional matters governing the practice of medicine and the health care industry, including: federal and state fraud and abuse compliance; HIPAA; scope of practice limitations; telehealth encounter requirements; practice expansions; and general corporate and business planning.

Jonian is a Certified Information Privacy Professional (CIPP/US). As a law student, he worked at the Charities Bureau of the New York State Office of the Attorney General on matters affecting state not-for-profit corporations.

Leslie Shanklin

Leslie Shanklin is a partner in the Corporate Department, co-head of the Privacy & Cybersecurity Group and a member of the Technology, Media & Telecommunications group.

Leslie’s practice focuses on privacy and data security, delivering comprehensive expertise around data-related risk and compliance. Leslie provides pragmatic, strategic and tech-savvy legal counsel to clients seeking to realize the essential value of data to their businesses while effectively managing risk and preserving trust. Leslie draws from deep legal, practical and technical expertise gained from leading global privacy teams and operations for multinational companies.

Leslie’s experience includes advising on the legal and risk aspects of data strategy, building and operationalizing data protection compliance programs in all regions of the world, providing strategic legal counsel around data privacy and security issues in commercial transactions, advising on legal aspects of information security risk, compliance and incident response, and advising on federal, state and international regulatory enforcement actions.

Leslie advises clients with a global lens, helping clients craft nimble, risk-based, forward-looking approaches to data management in the rapidly-evolving US and international privacy and information security legal landscape, including:

  • Federal laws such as Section 5 of the FTC Act and FTC rules and guidance, COPPA, VPPA, TCPA, and HIPAA
  • State laws such as the California Consumer Privacy Act (CCPA including CPRA amendments) and the California Medical Information Act (CMIA), as well as various existing and evolving laws in other US states such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), Montana (MCDPA) and Washington (My Health My Data Act)
  • International law and guidance such as the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, the UK Data Protection Act, Brazil’s General Data Protection Law (LGPD), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Leslie is a Certified Information Privacy Professional in the United States (CIPP/US) and Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP). She previously served as Co-Chair of the international Hybrid Broadcast Broadband Television (HbbTV) Association Privacy Task Force.

Prior to joining Proskauer, Leslie led global privacy teams for media and entertainment companies for over a decade and most recently served on the Privacy leadership team for Warner Bros. Discovery.