The ruling in American Hospital Association v. Becerra is good news for HIPAA-regulated entities that utilize third-party online tracking technologies. In short, the U.S. District Court for the Northern District of Texas ordered that by restricting HIPAA-regulated entities’ use of such technologies, the HHS had overstepped its authority. The District Court’s decision marks a victory for health care providers, as it will likely discourage similar litigation brought against HIPAA-regulated entities. However, these entities should still carefully manage their tracking technologies, as uncertainty continues to surround the future of protected health information and its intersection with artificial intelligence.

What Happened in American Hospital Association v. Becerra?

On June 20, 2024, a federal judge in Texas vacated a portion of health privacy guidance issued by the U.S. Department of Health and Human Services (HHS). Specifically, U.S. District Judge Mark Pittman vacated the HHS’s declaration that HIPAA obligations are triggered in: “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.”

Unauthenticated public webpages are webpages that do not require an individual to log in (i.e., these webpages do not require user verification or login credentials) before the individual may access the webpage. The HHS offered the following example, to demonstrate how a visit to an unauthenticated public webpage can result in the disclosure of protected health information: “[I]f an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address . . . or other identifying information showing their visit to that webpage is a disclosure of [protected health information] to the extent that the information is both identifiable and related to the individual’s health or future health care.”

Initially, the HHS issued the now-vacated guidance out of concern for patient privacy, due to the rise in hospitals’ use of third-party online tracking technologies. The agency’s main concern was that third-party online tracking technologies would reveal individually identifiable health information (IIHI), which is protected under HIPAA. In particular, the HHS argued, the technology would connect an individual’s IP address with that same individual’s online search regarding his or her medical condition. The HHS concluded that the individual’s data would be IIHI in this scenario, and it issued the health privacy guidance in response, requiring providers to protect this “novel” category of information.

Ultimately, Judge Pittman disagreed with the HHS and sided with the plaintiffs, the American Hospital Association, who argued that online tracking technology allows HIPAA-regulated entities to serve patients more effectively. In his order, Judge Pittman ruled that the HHS had exceeded its actual authority, both beyond the scope of HIPAA and beyond the “plain meaning” of IIHI. Put more simply, Judge Pittman ruled that the HHS had unlawfully redefined what is considered protected health information under HIPAA: “[T]his is a case about power. More precisely, it’s a case about our nation’s limits on executive power.” And, Judge Pittman felt that the HHS had overstepped its power in issuing this health privacy guidance, at the expense of hospitals and other entities that are required to comply with HIPAA.

What Happens Now?

First, this vacatur is nationwide. However, Judge Pittman’s order is limited only to the specific portion of the guidance regarding third-party online tracking technologies. Therefore, HIPAA-regulated entities should take care to abide by the remainder of the HHS guidance.

Additionally, Judge Pittman did not issue an injunction against the HHS, and the HHS has no requirement to obtain court approval for future revisions of its guidance. So, the agency is free to revise and/or continue to update its guidance as it sees fit (as long as it does so without violating Judge Pittman’s order). Accordingly, HIPAA-regulated entities should continue to check the HHS website for any updates, in order to ensure continued compliance with HHS guidance. The website currently states that HHS is “evaluating its next steps in light of [Judge Pittman’s] order,” and the agency has until August 19, 2024, to appeal the order, if it chooses to do so.

In the meantime, HIPAA rules remain the same, and entities should maintain best practices to comply with HIPAA, in addition to closely monitoring any new guidance issued by the HHS. Though HIPAA no longer applies to the now-vacated portion of the HHS guidance, HIPAA-regulated entities must also ensure that they remain compliant with state laws applicable to such tracking technologies. Entities should carefully investigate what data and areas of their business are subject to HIPAA, as well as which are subject to state privacy laws, in order to ensure proper compliance overall. Moreover, entities should be cognizant of additional litigation that arises regarding either the HHS’s health privacy guidance, or the use of online tracking technologies by hospitals and other HIPAA-regulated entities.

2024 summer associate Rebecca Krasity contributed to this advisory. Rebecca is currently a student at the University of Wisconsin Law School.