In December 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the use of pixels and other website tracking technologies. The guidance essentially banned these technologies, since they allow individually identifiable health information to be captured on websites and apps where the code is installed and passed to third parties, such as Google and Meta, that are not authorized to receive it. The transmitted information could then be used to serve targeted ads based on users’ interactions with hospital websites and apps.
The American Hospital Association (AHA), Texas Hospital Association, Texas Health Resources, and United Regional Health Care System have now filed a lawsuit against the federal government over the guidance which seeks confirmation from the court that the information collected by tracking technologies is not individually identifiable health information, and an order from the court preventing OCR from enforcing the guidance.
Tracking technologies such as Meta Pixel and Google Analytics code can capture data about interactions on the websites and apps where the code is installed, and that data can be tied to individuals using identifiers such as IP addresses. If a user visits a website with the code installed and completes a form requesting an appointment, or searches the website for information on a medical condition, that information can be transferred to unauthorized third parties. It may then be provided to advertisers, who can serve targeted ads. If, for example, an individual visits a hospital page to find information about Alzheimer’s disease, they could then be served adverts for care facilities.
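The practical starting point for a hospital privacy or security team is to find out which pages carry this code. The following scanner is an added example and is not part of the article or any hospital’s tooling: it uses only the Python standard library to flag well-known tracker script hosts and inline initialisation calls (Meta Pixel, Google Analytics, Google Tag Manager), and to note whether the same page also contains a form, since form submissions such as appointment requests are the kind of interaction the article describes being exposed. The signature list, the sample pages and the “high risk” rule are all constructed for illustration.

```python
"""Detect third-party tracking scripts embedded in an HTML page.

Added example (not from the article): a stdlib-only scanner a privacy or
security team could run over its own site's HTML. The signature list below
is illustrative and deliberately short; a real audit should extend it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that serve well-known tracking/analytics scripts (illustrative).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",            # <img src=".../tr?..."> fallback
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}

# Inline JavaScript calls that indicate a tracker has been initialised.
INLINE_PATTERNS = {
    "Meta Pixel": re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"),
    "Google Analytics": re.compile(
        r"\bgtag\s*\(\s*['\"]config['\"]|\bga\s*\(\s*['\"]create['\"]"),
    "Google Tag Manager": re.compile(r"googletagmanager\.com/gtm\.js"),
}


class _TrackerParser(HTMLParser):
    """Collects tracker findings and whether the page contains a <form>."""

    def __init__(self):
        super().__init__()
        self.findings = set()
        self.has_form = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "form":
            self.has_form = True
        # Both <script src> and pixel <img src>/<iframe src> point at tracker hosts.
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc.lower()
            if host in TRACKER_HOSTS:
                self.findings.add(TRACKER_HOSTS[host])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here verbatim; look for initialisation calls.
        if self._in_script:
            for name, pattern in INLINE_PATTERNS.items():
                if pattern.search(data):
                    self.findings.add(name)


def scan_html(html):
    """Return the trackers found, whether a form exists, and a combined risk flag."""
    parser = _TrackerParser()
    parser.feed(html)
    parser.close()
    trackers = sorted(parser.findings)
    return {
        "trackers": trackers,
        "has_form": parser.has_form,
        # Constructed rule: a tracker on a page that also collects user input.
        "high_risk": bool(trackers) and parser.has_form,
    }


# Constructed sample pages (not captured from any real site).
SAMPLE_APPOINTMENT_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-XXXXXXX');
</script>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<h1>Request an appointment: memory care</h1>
<form action="/appointments" method="post"><input name="condition"></form>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView"></noscript>
</body></html>
"""

SAMPLE_CLEAN_PAGE = """
<html><head><script src="/static/app.js"></script></head>
<body><h1>Flu season tips</h1><form action="/search"><input name="q"></form></body></html>
"""

if __name__ == "__main__":
    for label, page in (("appointment", SAMPLE_APPOINTMENT_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(label, scan_html(page))
```

Running the script reports the constructed appointment page as carrying Google Analytics, Google Tag Manager and Meta Pixel alongside a form, and the clean page as carrying none. In practice the scan would be run over a crawl of the site’s rendered HTML, and pages flagged as high risk would be reviewed first for whether the tracker’s data flow is covered by a business associate agreement or removed.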
One study suggested that 99% of U.S. hospitals had tracking code installed on their websites, prompting OCR to issue the guidance. Since the study was published, many lawsuits have been filed against hospitals and health systems over these disclosures. Meta is also facing litigation over the disclosures made via its Meta Pixel tool; the lawsuits allege Meta must have known about them, given how widely its code was used by healthcare providers in violation of Meta’s own terms and conditions.
OCR and the Federal Trade Commission (FTC) have launched investigations into the use of tracking technologies by HIPAA-regulated entities (OCR) and by non-HIPAA-regulated entities that collect or process health data (FTC). Earlier this year, OCR and the FTC jointly sent letters to 130 organizations warning them that tracking code had been detected on their websites and describing the privacy risks of these tools. The letters, which included the names of the entities, were later published by OCR and the FTC. They stated that both agencies were closely watching developments in this area and warned the recipients to review the laws cited in the letters and take steps to ensure full compliance, essentially threatening civil monetary penalties if they did nothing.
The AHA has been critical of the guidance and has attempted to communicate the views of its members about the repercussions of banning the use of tracking technologies. The AHA responded to a request for information from US Senator Bill Cassidy (R-LA) earlier this year on improving health data privacy and modernizing HIPAA and called for Congress and OCR to withdraw the guidance.
The AHA says that, under the guidance, HIPAA protections would apply not only to patients seeking information on hospital websites but also to individuals who are not patients. Website users may be searching for health information on behalf of friends and relatives, looking for general health information such as advice about the flu season, or, in the case of researchers, looking for hospital data on the websites. As such, the AHA argues, the information collected cannot reasonably be used to identify an individual whose health care relates to the webpage visit.
The AHA’s attempts to communicate the issues to OCR have failed, hence the filing of the lawsuit. The lawsuit states that OCR has exceeded its statutory authority under HIPAA by extending the definition of individually identifiable information to include identifiers such as IP addresses in combination with health information. Further, while OCR is preventing hospitals and health systems from using the tools, they are still used on the websites of the federal government in violation of OCR’s guidance, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites. “We cannot understand why HHS created this ‘rule for thee but not for me,’” said Rick Pollack, AHA President and CEO.
By preventing hospitals from using tracking technologies, which are used by many businesses on public-facing websites, OCR is hampering the ability of hospitals to further their mission of improving the health of people in the communities they serve. Tracking technologies are used to improve the services provided by hospitals, and several web tools used by hospitals are ineffective without IP address information, for example, analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps.
The lawsuit also alleges that prior to issuing the guidance, compliance with which is an enforcement priority for OCR, there was no consultation with hospitals and health systems about their use of these technologies. “Instead, the agency began aggressively threatening regulatory enforcement and serious civil penalties against hospitals and health systems,” explained the AHA. “After attempts to engage with HHS officials to educate them about the impact of their new rule, the AHA determined that it was necessary to file suit on behalf of its members to prevent the agency from unlawfully penalizing hospitals.”