On August 29, 2024, the Office for Civil Rights of the United States Department of Health and Human Services (“HHS-OCR”) withdrew its appeal of an order by the United States District Court for the Northern District of Texas (“District Court”) declaring unlawful and vacating a portion of an HHS-OCR Bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” See Am. Hosp. Ass’n v. Becerra, No. 4:23-cv-1110 (N.D. Tex. June 20, 2024). At its core, the District Court declared that a portion of the HHS-OCR Bulletin was an overstep of the agency’s authority. While many in the health care industry may breathe a sigh of relief given the proliferation of class action lawsuits focused on tracking technologies and the evolving maze of regulation impacting the industry generally, it is unclear whether HHS-OCR will continue its newfound attempts to regulate the use of tracking technologies. Regardless, vigilance and caution around website tracking should continue to be exercised.

In a prior alert, we explained how the HHS-OCR Bulletin highlighted the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what HHS-OCR described as “script[s] or code[s] on a website or mobile app used to gather information about users as they interact with the website or mobile app”; these scripts or codes can then be analyzed by website owners, app operators, or third parties to create user profiles or to garner insights into users’ online activities. The HHS-OCR Bulletin reminded covered entities about their specific obligation to protect “individually identifiable health information” (“IIHI”), a subset of protected health information (“PHI”) that “relates to” an individual’s health care and either “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” Examples of IIHI may include an individual’s IP address, device ID or any other unique online or device identifier, each of which is information typically collected by online tracking technologies.

The HHS-OCR Bulletin explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”). In HHS-OCR’s view, IIHI may be collected where a user visits a covered entity’s public webpage concerning a particular health condition, and the online tracking technologies placed on the webpage collect the user’s IP address; and “IIHI collected on a covered entity’s website or mobile app generally is PHI.” Covered entities viewed the guidance set forth in the HHS-OCR Bulletin and, more specifically, the Proscribed Combination described above, as a new and potentially unlawful obligation—“shoehorn[ing] additional information into the IIHI definition.” Accordingly, a lawsuit was filed against HHS-OCR.

Specifically, the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (collectively, the “Hospitals”) asked the District Court for the Northern District of Texas to declare the requirement relating to the “Proscribed Combination” unlawful, to vacate it, and to permanently enjoin its enforcement because it was “flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy.” Id., Doc. 1, “Complaint” (filed Nov. 2, 2023). The District Court took up these arguments on cross-motions for summary judgment and, on June 20, 2024, denied HHS-OCR’s motion but granted in part and denied in part the Hospitals’ motion. Specifically, the District Court agreed with the Hospitals that the HHS-OCR Bulletin “improperly creat[ed] substantive legal obligations for covered entities,” reasoning that the HHS-OCR Bulletin was a final agency action subject to judicial review and that “the Proscribed Combination facially violate[d] HIPAA’s unambiguous definition of IIHI.” And, while the District Court disagreed with the Hospitals that a permanent injunction was appropriate because the Hospitals failed to demonstrate that they have suffered an “irreparable injury,” the District Court ordered vacatur, citing the United States Court of Appeals for the Fifth Circuit’s (“Fifth Circuit”) ordinary practice with respect to “unlawful agency action.”

HHS-OCR appealed the District Court’s order to the Fifth Circuit; however, ten days later, and with consent of the Hospitals, HHS-OCR submitted a motion to voluntarily dismiss its appeal pursuant to Federal Rule of Appellate Procedure 42(b).  As of the date of this alert, HHS-OCR did not, and still has not, provided any comment about the District Court’s order or its appeal withdrawal—leaving the health care industry wondering about HHS-OCR’s next move.  Because the District Court only declared as unlawful the portion of the HHS-OCR Bulletin characterized as the “Proscribed Combination”, HHS-OCR may seek to re-structure such Bulletin to reincorporate the spirit of the Proscribed Combination.  Alternatively, HHS-OCR may seek to rescind its Bulletin entirely and, instead, promulgate a proposed rule consistent with the Administrative Procedure Act—involving a solicitation for and review of public comment before finalizing.  Such proposed rule could include an updated definition of IIHI for purposes of illustrating the importance of regulating HIPAA covered entities using online tracking technologies.

As showcased by HHS-OCR’s novel interpretation and application of HIPAA, and the twists and turns that the various court challenges have taken, health care industry participants should remain apprised of new guidance, views, or positions taken by the numerous federal and state agencies that regulate, in various capacities, the health care industry.  Further, given the ongoing wave of class action lawsuits focused on website tracking technologies under state wiretapping and telecommunications laws (See Latest Wave of Wiretap Class Actions Continues Despite Dismissals as Plaintiffs Try New Approaches and Surge of Privacy Class Actions in Arizona Targeting Email Pixel Tracking), vigilance and caution around implementation of website tracking should continue to be exercised.

Matthew J. Westbrook

Matt Westbrook is an associate in the Corporate Department and a member of the Health Care Group. His practice focuses on providing regulatory compliance advice for the Firm’s health care clients, including service providers, health plans, operators, investors, and lenders, among others. Matt specifically provides advice on fraud and abuse matters arising under the Federal False Claims Act (FCA), Civil Monetary Penalties Law, Federal Anti-Kickback Statute (AKS), and Physician Self-Referral Law (Stark Law), as well as on the regulations promulgated by the Drug Enforcement Administration (DEA) and the Department of Health and Human Services, including the Office of Inspector General (OIG), Centers for Medicare & Medicaid Services (CMS), and Food and Drug Administration (FDA).

Before joining the Firm, Matt served as senior counsel in OIG’s Administrative and Civil Remedies Branch. At OIG, Matt was responsible for determining whether to impose administrative sanctions, including civil money penalties and Federal health care program exclusions, against health care providers and suppliers, and whether to impose civil money penalties on hospitals and physicians in connection with matters referred to CMS under the Emergency Medical Treatment and Labor Act (EMTALA). During his tenure, Matt also litigated exclusion appeals before administrative law judges and appellate panels of the Departmental Appeals Board; advised United States Attorney’s Offices on exclusions appealed to Federal district courts; resolved voluntary self-disclosures submitted by providers and grant and contract recipients; and participated in the negotiations and settlements of FCA matters by the Department of Justice involving the AKS, Stark Law, CMS reimbursement issues, and DEA and FDA compliance issues. In connection with certain FCA resolutions, Matt also negotiated and monitored corporate integrity agreements.

On the Florida junior circuit and in college, Matt was a competitive tennis player. Matt played on the varsity team and was captain his senior year at Rhodes College, earning ITA Division III and SCAC All-Academic Honor Roll awards his sophomore, junior, and senior years. Matt is an active member of the American Health Law Association (AHLA) and currently serves as a Vice Chair of AHLA’s Fraud and Abuse Practice Group.

Jonian Rafti, CIPP/US, AIGP

Jonian Rafti is an associate in the Corporate Department and a member of the Health Care Group. He regularly represents private equity investors, health systems, management companies, physician groups, and lenders in complex transactional and health care regulatory matters.

Since the start of his career, Jonian’s practice has exclusively focused on representing a variety of clients in the health care sector. He leverages this industry experience to provide practical and market-driven insight to clients undertaking mergers, acquisitions, joint ventures, financings and other business transactions. In addition to his transactional practice, Jonian provides counsel on a range of regulatory requirements governing the practice of medicine and the health care industry, including the Federal Anti-Kickback Statute, Civil Monetary Penalties Law, Health Care Fraud Statute, Physician Self-Referral Law (Stark Law) and their state counterparts. He also advises clients on corporate practice of medicine restrictions, HIPAA and health data privacy, and health care technology matters.

Jonian is a Certified Information Privacy Professional (CIPP/US) and a Certified Artificial Intelligence Governance Professional (AIGP). As a law student, he worked at the Charities Bureau of the NY Attorney General’s Office on governance and regulatory disputes affecting state not-for-profit corporations.

He has previously served as a member of the Board of Directors and Vice-Chair of The Andrew Goodman Foundation, and as a member of the Bard College Center for Civic Engagement’s Young Alumni Advisory Council.

Anna W. Chan

Anna W. Chan is an associate in the Privacy & Cybersecurity Group and member of the Technology Media & Telecommunications group.

Anna’s practice focuses on privacy and data security. She regularly works with clients in the development and/or enhancement of privacy compliance programs, including drafting online and offline privacy policies, procedures, and related notices. Anna often assists clients with the drafting, review, and negotiation of data processing agreements. She also has experience counseling clients on privacy-related issues in marketing, such as email and telemarketing, as well as privacy-related issues in the ad tech space, including the use of cross-device tracking technologies.

Anna also regularly assists clients with identifying, evaluating, and addressing cybersecurity risks, including advising on proactive cyber incident readiness activities, such as tabletop exercises and incident response plans. She also assists clients with data breach and cybersecurity incident response, including analyzing breach notification laws and preparation of notices to impacted individuals and regulators. Anna also frequently assists clients in conducting diligence and negotiating privacy and data security aspects of corporate transactions.

Prior to joining Proskauer, Anna was a privacy counsel at a Fortune 500 pharmaceutical company, where she advised the company on data privacy compliance for the company’s U.S. operations.

Anna is a Certified Information Privacy Professional in the United States (CIPP/US).

Leslie Shanklin

Leslie Shanklin is a partner in the Corporate Department, co-head of the Privacy & Cybersecurity Group and a member of the Technology, Media & Telecommunications group.

Leslie’s practice focuses on privacy and data security, delivering comprehensive expertise around data-related risk and compliance. Leslie provides pragmatic, strategic and tech-savvy legal counsel to clients seeking to realize the essential value of data to their businesses while effectively managing risk and preserving trust. Leslie draws from deep legal, practical and technical expertise gained from leading global privacy teams and operations for multinational companies.

Leslie’s experience includes advising on the legal and risk aspects of data strategy, building and operationalizing data protection compliance programs in all regions of the world, providing strategic legal counsel around data privacy and security issues in commercial transactions, advising on legal aspects of information security risk, compliance and incident response, and advising on federal, state and international regulatory enforcement actions.

Leslie advises clients with a global lens, helping clients craft nimble, risk-based, forward-looking approaches to data management in the rapidly-evolving US and international privacy and information security legal landscape, including:

  • Federal laws such as Section 5 of the FTC Act and FTC rules and guidance, COPPA, VPPA, TCPA, and HIPAA
  • State laws such as the California Consumer Privacy Act (CCPA including CPRA amendments) and the California Medical Information Act (CMIA), as well as various existing and evolving laws in other US states such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), Montana (MCDPA) and Washington (My Health My Data Act)
  • International law and guidance such as the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, the UK Data Protection Act, Brazil’s General Data Protection Law (LGPD), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Leslie is a Certified Information Privacy Professional in the United States (CIPP/US) and Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP). She previously served as Co-Chair of the international Hybrid Broadcast Broadband Television (HbbTV) Association Privacy Task Force.

Prior to joining Proskauer, Leslie led global privacy teams for media and entertainment companies for over a decade and most recently served on the Privacy leadership team for Warner Bros. Discovery.