Federal Judge Vacates Portions of OCR Guidance on Online Tracking Technologies

Challenges to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) guidance on the use of online tracking technologies have taken a new turn, resolving some questions and creating new uncertainties for regulated entities trying to navigate HIPAA compliance.

A federal district court in Texas recently vacated certain portions of the OCR guidance on the use of third-party tracking technologies by HIPAA covered entities and business associates (“regulated entities”), stating that the guidance “improperly create[s] substantive legal obligations for covered entities” by redefining protected health information (PHI) to include an IP address and activity on unauthenticated webpages.

The OCR Guidance

The original guidance, issued on December 1, 2022, addressed the use of online tracking technologies and identified scenarios in which PHI could be impermissibly disclosed to online tracking technology providers. With respect to unauthenticated webpages pages (i.e., websites that do not require a login or user verification), the guidance advised that an individual’s IP address combined with a visit to an unauthenticated webpage addressing specific health conditions or providers may constitute PHI and trigger HIPAA obligations.

After the American Hospital Association (AHA) challenged this original guidance in court, HHS issued revised guidance on March 18, 2024. The updated guidance generated even more confusion, particularly with respect to scenarios involving unauthenticated webpages, by adding in a subjective standard that required regulated entities to opine the intent of a website or app user to determine whether information collected by a tracking technology relates to any individual’s past, present, or future health, healthcare, or payment for healthcare, thus constituting PHI. (See our client alert on OCR’s March 2024 update.)

Court Decision

The federal district court found that “the Department’s authority isn’t absolute” and held that HHS exceeded its powers in asserting that an individual’s IP address combined with a visit to an unauthenticated webpage addressing specific health conditions or providers (the “Proscribed Combination”) may constitute PHI in the guidance. The court held that the Proscribed Combination as set forth in the guidance is “unlawful” and that “to hold otherwise would empower HHS and other executive entities to take increasingly expansive liberties with the finite authority granted to them.” The court explicitly acknowledged that the “case [is] case about our nation’s limits on executive power” and that “[w]hile the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements. And even small executive oversteps can compound over time, resulting in larger transgressions down the road.”

Notably, the court’s ruling was issued only one week prior to the landmark decision in Loper Bright Enterprises v. Raimondo,[1] which overturned the 1984 Chevron decision granting agencies expansive latitude in interpreting statutes and in developing and implementing complex regulatory programs.  

Below we summarize the main takeaways from the Texas court’s opinion and its impact on regulated entities:

• The court vacated the Guidance as to the Proscribed Combination.
• The federal district court ruled that the Proscribed Combination falls outside the statutory definition of individually identifiable health information (IIHI), a component of PHI. HIPAA defines IIHI as information that (1) relates to an individual’s past, present, or future physical or mental health or condition, their receipt of healthcare, or their payment for healthcare; and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.”[2] The Court held that Proscribed Combination fails both.
• The Proscribed Combination is not PHI because it does not “relate to” an individual’s health.
• The federal court stated that the “subjective motive” inherent in the Proscribed Combination cannot constitute IIHI because a regulated entity cannot know whether “a particular query relates to a category of information in Section 1320d(6).” Even visiting a regulated entity’s public website “is indicative of” or “might relate” an individual’s PHI, and the court reasoned that is not enough based on the plain reading of HIPAA.
• The Proscribed Combination is not PHI because it does not identify the individual.
• The court reasoned that the Proscribed Combination could never fit HIPAA’s definition of IIHI because it is so ambiguously defined: “Without knowing information that’s never received—i.e., the visitor’s subjective motive—the resulting metadata could never identify that individual’s PHI. Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).”

Key Takeaways

• Regulated Entities Should Still Proceed with Caution When Using Online Tracking Technologies
• Regulated entities still need to ensure that the tracking technologies are not deployed on authenticated webpages or those unauthenticated webpages that clearly indicate subjective motive for visiting the page without a business associate agreement. For example, the court noted, “If a covered entity’s [unauthenticated webpage] greets visitors with a dropdown box requesting their subjective motive for visiting the page, that would be one thing. The Department can and should remind covered entities that the Privacy Rule would apply in those circumstances.”
• OCR’s scrutiny of the use of tracking technologies is expected to continue and regulated entities should take heed of the guidance still in effect. Specifically, the guidance reminds regulated entities of the need to establish a business associate agreement with online tracking technology vendors that collect PHI and to ensure compliance with the HIPAA Security Rule when using online tracking technology.
• Non-HIPAA Risks Remain
• Additionally, given recent focus on non-HIPAA consumer health data under the Washington and Nevada state consumer health privacy laws and by the Federal Trade Commission and state Attorneys General, regulated entities should ensure they are regularly assessing their use of online advertising technologies to ensure they aware of the scope of data being collected from their websites.
• Wiretap Litigation Claims Lose a Foothold
• With the guidance now vacated, plaintiffs filing putative class actions in state and federal courts across the country under state and federal wiretap statutes and various state statutory and common law privacy theories can no longer point to the OCR guidance as evidence of a violation of such statutes. Federal judges also won’t be able to rely on the guidance to allow these purported “wiretapping” claims to proceed beyond the motion to dismiss stage. However, the potential for appeal, as discussed below, may provide a basis for a stay in these class actions until the issue is fully resolved.
• Even though regulated entities may be able to argue and prove that no PHI is disclosed when online tracking tools are deployed on unauthenticated webpages, regulated entities should still provide clear and conspicuous notice that the tools are in use through cookie banners or other disclosures to mitigate potential wiretap claims and regularly audit their use of such tools to determine the scope of the data collected.

Looking Ahead

Federal district court decisions are not binding on other federal district courts, and the Texas court decision may be subject to appeal by HHS. However, the Fifth Circuit has historically construed agency action narrowly, making any HHS appeal an uphill battle.

It is not yet clear whether HHS intends to appeal the decision. OCR updated the guidance on June 26, 2024, to state that the court had vacated the guidance with respect to the Proscribed Combination and note that “HHS is evaluating its next steps in light of that order.” While OCR could revise the guidance again, the revision would not be able to define PHI as the combination of IP address and website activity on unauthenticated webpages. HHS may also choose to re-issue the vacated portion in a formal notice and comment rulemaking procedure. Whatever “next steps” OCR does choose to pursue will likely be further complicated by the fall of Chevron deference.

Despite these unknowns, the other portions of the OCR guidance remain in effect—and regulated entities should proceed with caution when using online tracking technologies.

[1] Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244 (2024).

[2] 42 U.S.C. § 1320d(6).