In a narrow but significant ruling in American Hospital Association et al. v. Xavier Becerra, et al., No. 4:23-cv-01110-P, the U.S. District Court for the Northern District of Texas (Hon. Mark T. Pittman) ruled that one element of the latest Guidance by the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) regarding web-tracking technology exceeds HHS’s statutory authority.
The Guidance at issue, OCR’s Original Bulletin on December 1, 2022, as revised mid-lawsuit on March 18, 2024, sought to draw a line, largely with illustrations and examples, between website visitors disclosing information about themselves to a website host for a healthcare-related purpose and website visitors who had other motives or were disclosing little or no actual information about themselves. A key feature of this distinction, as explained by the Court, was OCR’s announcement and implementation of an arguably new “Proscribed Combination” test, whereby HIPAA prohibitions and requirements would be deemed to apply to “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a UPW [unauthenticated public webpage] addressing specific health conditions or healthcare providers.”
On cross-motions for summary judgment, the Court found OCR’s definition of “individually identifiable health information” (“IIHI”) underlying the new Proscribed Combination feature of the Guidance to be an unlawful expansion of agency authority, beyond the scope of HIPAA and in particular beyond the “plain meaning” of IIHI enacted by Congress in HIPAA.
On this basis, the Court vacated the Proscribed Combination element of the Guidance but went out of its way to state that no other elements of the Guidance have been invalidated. The Court denied all other relief sought by either side, including injunctive relief, and entered final judgment on June 20, 2024. Appeals by either side are due within sixty days (i.e., by August 19, 2024).
In recognition of the District Court ruling, HHS has revised the Guidance and has given notice that it “is evaluating its next steps,” as follows:
On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document. See Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024). Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.” Id. at *2. HHS is evaluating its next steps in light of that order.
Regulated entities and their vendors should note the following:
- Nothing in the Guidance about authenticated websites has been vacated.
- The scope of the District Court ruling is extremely limited and does not address situations where more than just an IP address and a visit to a public-facing website are at issue. There has been no change to other HIPAA guidance concerning HIPAA-protected health information, including what constitutes protected health information (“PHI”) and the necessary requirements for de-identified (anonymized) information to meet the HIPAA Privacy Rule’s requirements.
- HHS is free to continue to revise and update its sub-regulatory guidance, as there is no injunction and no requirement for Court approval of further revisions (as long as HHS does not seek to re-introduce the “Proscribed Combination” element of the Guidance).
- “Chevron deference,” overturned by the U.S. Supreme Court on June 28, 2024, eight days after the District Court ruling, is cited by the Court but played no apparent role in the decision.
- The challenges of implementing third-party tools on owned or controlled websites remain. This narrow ruling should not allay or diminish continued investment and due diligence concerning protection of identifiable information on such websites.
- The ruling does not address similar state law requirements, or the requirements of other federal law, such as the Video Privacy Protection Act or wiretapping statutes. State Attorneys General and plaintiff class action lawyers, coupled with further efforts by HHS, the Federal Trade Commission and potentially other state and federal regulatory agencies, will continue to make this a priority area for compliance.