On August 29, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) withdrew its appeal of the US District Court for the Northern District of Texas’s June 20, 2024, decision in American Hospital Association (AHA), et al. v. Xavier Becerra, et al. The district court held that OCR exceeded its authority in certain respects in a bulletin (the Bulletin) concerning HIPAA’s application to cookies and other online tracking technologies on HIPAA-regulated entities’ unauthenticated webpages (i.e., webpages that are publicly available and do not require users to log in before they are able to access the webpage). In the Bulletin, OCR took the position that HIPAA applies when an online tracking technology merely connects a user’s IP address with a visit to an unauthenticated, public webpage addressing specific health conditions or healthcare providers (the Proscribed Combination). OCR took this position based on its view that the combination of this information constitutes HIPAA protected health information. The district court’s decision invalidated OCR’s guidance that HIPAA applies when an online tracking technology collects the Proscribed Combination from a HIPAA-regulated entity’s website, but the decision left intact the remainder of OCR’s guidance in the Bulletin.
Assuming the US Court of Appeals for the Fifth Circuit grants OCR’s motion withdrawing the appeal – as it almost certainly will – the district court decision will be the final word on the Proscribed Combination unless OCR engages in further rulemaking or issues further guidance on the topic, or until another party litigates the same or similar issues with OCR in a different case. We are unaware of any other such cases pending at this time. Since OCR’s Bulletin webpage still indicates that OCR is evaluating next steps, HIPAA-regulated entities should keep an eye on that webpage for any further developments to OCR’s approach to these issues.
Our On the Subject regarding the Bulletin includes recommended next steps that are generally still applicable. HIPAA-regulated entities also should consider whether to apply the court’s reasoning in the decision beyond the Proscribed Combination when evaluating whether information collected through tracking technologies is protected health information (PHI).
For more information about the decision, see our On the Subject, “Federal Court Invalidates Key Part of HHS OCR Bulletin Regarding Application of HIPAA to Online Tracking Technologies.”
For more information about the Bulletin, see our On the Subject, “OCR Update on Tracking Technologies Provides Little Relief for HIPAA-Regulated Entities.”