The American Hospital Association (AHA), Texas Hospital Association, United Regional Health Care System, and Texas Health Resources have filed a lawsuit against Department of Health and Human Services (HHS) Secretary, Xavier Becerra, and HHS’ Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, over the December 2022 guidance issued by OCR on website tracking technologies.

OCR issued guidance for HIPAA-regulated entities on the use of third-party tracking technologies on public-facing websites and applications following revelations that these tools were disclosing the individually identifiable information of website visitors to third-party companies such as Meta (Facebook), Google, social media platforms, and other third parties. The information disclosed by these tools, which include Meta Pixel and Google Analytics code, could potentially include health information, depending on the interactions of users on the websites and apps where the code is used.

A study of the websites of the 100 top hospitals by The Markup found one-third had used these tracking tools on their websites without obtaining consent from website visitors. A more comprehensive study of hospitals that was published in Health Affairs, found that 99% of the 3,747 U.S. hospitals studied were using these tools on their websites. Several of the hospitals reported the use of these tools as data breaches, including Advocate Aurora Health, Novant Health, WakeMed Health, and Cerebral, Inc., some of which involved the data of millions of patients. Many lawsuits have since been filed against healthcare providers in response to the use of these tools. Advocate Aurora Health recently settled Pixel-related litigation for $12.225 million.

In July 2023, OCR and the Federal Trade Commission (FTC) jointly issued warning letters to 130 healthcare organizations over the use of tracking tools and then published those letters – which name the organizations involved – in September 2023, signaling both OCR and the FTC are actively enforcing the guidance.  The AHA has publicly criticized OCR for its position on tracking technologies. In the AHA’s response to Senator Bill Cassidy’s request for information on healthcare data privacy and HIPAA, the AHA called for the HHS to drop its new website tracking technology rule, which it claimed harmed hospitals and negatively affected patients.

The AHA has now taken the issue a step further with legal action. The AHA claims that it had no alternative other than to take legal action due to several months of unsuccessful attempts to communicate its concerns to the HHS. The lawsuit was filed in the U.S. District Court for The Northern District of Texas Fort Worth Division and alleges the new rule is unlawful, and claims that the HHS is actively enforcing its new rule against hospitals but the federal government’s own healthcare providers are continuing to use the prohibited tracking technologies on their websites.

Lawsuit Seeks Court Order Preventing OCR from Enforcing Tracking Technology Guidance

The lawsuit alleges the decision to class the metadata collected and transmitted by tracking technologies as individually identifiable health information subject to HIPAA is, “a gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it.” The AHA explains that “the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.” While the lawsuit does not go as far as seeking the rescindment of the guidance, an order is requested from the court that prohibits OCR from enforcing its rule to prevent members from being unlawfully penalized.

The AHA’s position is that website tracking technologies that collect information such as IP addresses are critical to the function of websites and apps, and many web tools are rendered ineffective without that information, including analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps, to name only a few. By prohibiting tracking technologies, these vital website tools will no longer feature on hospital websites, and that ultimately harms the patients that OCR’s rule seeks to protect.

“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites,” said Rick Pollack, AHA President and CEO. “We cannot understand why HHS created this ‘rule for thee but not for me.’”

The post AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies appeared first on HIPAA Journal.