A MoFo Privacy Minute Q&A: HHS Withdraws Appeal of Federal Court Decision Regarding Online Tracking Guidance

This is “A MoFo Privacy Minute,” where we will answer the questions our clients are asking us in sixty seconds or less.

Question: HHS voluntarily dismissed its appeal in the online tracking technology lawsuit; where does that leave the litigation and what should my business know?

Answer: In an abrupt turn of events, HHS has abandoned its fight regarding regulated entities’ use of online tracking tools on unauthenticated webpages. But that is unlikely to stop the wave of “wiretap” lawsuits over the same technologies.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on August 19th filed a notice of appeal to the Fifth Circuit of the June 2024 federal district court decision in American Hospital Association (AHA) v. Becerra, which vacated certain portions of the OCR guidance on the use of third-party tracking technologies by HIPAA-covered entities and business associates (“regulated entities”). However, just 10 days later, HHS filed a motion to voluntarily dismiss the appeal.

For now, the withdrawal appears to be a significant victory for regulated entities. However, questions still remain about the impact of the withdrawal on current litigation and investigations. Below we summarize background regarding the American Hospital Association (AHA) v. Becerra ruling and key implications of HHS’s decision not to appeal the ruling.

Key Background: OCR Guidance and Federal Court Decision

In December 2022, OCR issued guidance that an individual’s IP address combined with a visit to an unauthenticated webpage (i.e., websites that do not require a login or user verification) about specific health conditions or providers may constitute protected health information (PHI) and thus trigger HIPAA obligations. After the AHA challenged the guidance in court, OCR revised its guidance in March 2024, confusingly introducing a subjective standard. In its updated guidance, OCR required regulated entities to determine the intent of a website or app user to assess whether information collected by tracking technology constitutes PHI insofar as it relates to that user’s health, healthcare, or payment for healthcare. (See our client alert on OCR’s March 2024 update.)

A Texas federal district court held that HHS exceeded its authority with the guidance. The court vacated the portion of the guidance regarding public pages of regulated entities’ websites, ruling that such information falls outside HIPAA, as it neither relates to an individual’s health nor identifies the individual. (See our client alert on the court decision.)

Key Implications

• Wiretap Litigation
• The withdrawal comes during a tsunami of lawsuits against regulated entities over website tracking tools. In each of these putative class actions, plaintiffs’ theory is that regulated entities violate state and federal wiretap statutes and state statutory and common law privacy laws through the use of website tracking technologies. OCR’s decision to abandon its appeal is unlikely to stop the current wave of litigation. However, it does suggest that plaintiffs may face an uphill battle if they point to the OCR guidance as evidence that the information captured by website tracking tools constitutes PHI. Similarly, although they had been doing so up until now, federal judges may hesitate to cite the guidance in allowing these purported “wiretapping” claims to proceed beyond the motion-to-dismiss stage.
• HHS and FTC Investigations Remain Uncertain
• The withdrawal also leaves regulated entities questioning the status and viability of HHS and Federal Trade Commission (FTC) investigations into regulated entities’ use of the online tracking technologies that relied on the OCR guidance. Whether HHS and FTC will drop such investigations or pivot focus onto only authenticated pages remains uncertain.

In sum, while the withdrawal of the appeal is potentially a sign of shifting tides, regulated entities should continue to proceed with caution when using online tracking technologies. Regulated entities must still consider: (1) providing clear and conspicuous notice of any tools in use on their webpages through cookie banners or other disclosures, (2) minimizing or eliminating the use of tracking technologies on authenticated webpages, and (3) auditing the use of any online tracking technologies to assess the scope of the data collected and mitigate the risk of litigation and regulatory inquiry.