On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The updated guidance replaced OCR’s original guidance issued in December 2022. Both versions warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”), including “individually identifiable health information” (“IIHI”), to third parties in violation of HIPAA. The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).
In November 2023, the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (collectively, the “Hospitals”) filed suit in the District Court for the Northern District of Texas asking the court to declare the requirement relating to the “Proscribed Combination” unlawful, to vacate it, and to permanently enjoin its enforcement because it was “flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy.” After hearing cross-motions for summary judgment, on June 20, 2024, the District Court granted the Hospitals’ request for declaratory judgment and declared that “the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS’s authority under HIPAA.” Specifically, the District Court held that the guidance “improperly creat[ed] substantive legal obligations for covered entities,” and that “the Proscribed Combination facially violate[d] HIPAA’s unambiguous definition of IIHI.” While the District Court vacated the Proscribed Combination portion of the guidance, it also found that a permanent injunction was not appropriate because the Hospitals failed to demonstrate that they had suffered an “irreparable injury.”
OCR initially appealed the District Court’s order to the Fifth Circuit; however, on August 29, 2024, OCR withdrew its appeal. As of the date of this blog’s posting, the guidance includes the following disclaimer:
On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document. See Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024). Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.” Id. at *2. HHS is evaluating its next steps in light of that order.
Despite the District Court’s ruling, organizations should continue to review their use of online tracking technologies to assess compliance with HIPAA and various state laws.