Last week, a federal district court in Texas issued a decision declaring unlawful and vacating a central component of a guidance document (the Bulletin) from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the use of “online tracking technologies,” such as cookies and pixels on certain webpages. Since its issuance in 2022, the Bulletin had caused healthcare providers to scramble to adjust to the agency’s interpretation that the limited data collected by cookies and similar technologies for advertising and other purposes triggered Health Insurance Portability and Accountability Act (HIPAA) privacy implications. The district court agreed with the plaintiff hospital groups that HHS had exceeded its authority under HIPAA in promulgating an expansive definition of individually identifiable health information (IIHI) as part of the Bulletin. The decision brings a measure of relief not only for hospitals and other covered entities under HIPAA, but also for businesses that facilitate digital advertising for such covered entities.
First issued in December 2022 and later revised in March 2024, the Bulletin adopted the sweeping position that IIHI exists where an online data collection technology connects (1) an individual’s IP address with (2) a visit to a covered entity’s unauthenticated public webpage, if the visitor is seeking information related to his or her own health, receipt of healthcare, or payment for healthcare (collectively called the “Proscribed Combination” in the court’s opinion). As the court explained, the Proscribed Combination effectively imposed new legal obligations on covered entities when they use common website technologies like cookies and pixels. The Bulletin also had the sweeping effect of transforming many adtech services into business associates subject to HIPAA.
The district court held that the Proscribed Combination as set forth in the Bulletin could not be squared with HIPAA’s definition of IIHI. Specifically, the court determined that the Proscribed Combination failed to satisfy either of IIHI’s two statutory conditions. First, the court explained that the Proscribed Combination is not information that “relates to” an individual’s health, receipt of healthcare, or payment for healthcare because covered entities cannot know that visitors are accessing certain webpages for the purpose of seeking information about their own conditions, treatment, or health, as opposed to some other plausible purpose, such as accessing the page for academic research. Second, the court concluded that the Proscribed Combination does not and cannot identify or provide a reasonable basis for identifying health information about a specific individual as required by the IIHI definition. The Proscribed Combination would require covered entities to guess a website visitor’s subjective intent (i.e., that a particular individual is visiting the page for reasons relating to their own health). On these grounds, the court declared unlawful and vacated the elements of the Bulletin related to the Proscribed Combination.
HHS appended an update to the Bulletin this week, acknowledging the district court’s order and stating that the agency “is evaluating its next steps in light of that order.” Please contact Venable’s Privacy and Data Security Group to discuss compliance strategies if your business is affected by these developments.