HHS concedes defeat in litigation over providers’ use of tracking technologies on websites

The hospital lobby cemented its victory in litigation about online tracking tools after HHS canceled its planned appeal.

In June, the American Hospital Association (AHA) and co-plaintiffs won a decision in a Texas federal court about 2022 guidance (revised and somewhat softened in 2024) instructing hospitals and other HIPAA-covered entities to avoid using online tracking technology such as cookies and pixels in certain scenarios. If such technology was deployed, the provider should get visitors’ authorization or the company behind the technology (e.g., Google, Meta) should be bound by a HIPAA business-associate agreement, according to the guidance issued by the HHS Office of Civil Rights (OCR).

The concern that led to the guidance was about whether third-party tracking tools can link an individual’s IP address with a visit to an unauthenticated webpage that offers information on specific medical conditions or specific providers, thereby violating HIPAA privacy rules regarding protected health information (PHI). Unauthenticated pages are those that do not require a login or other form of user verification.

HHS on Aug. 19 announced its intent to appeal the district court’s decision to the Fifth Circuit, but on Aug. 29, the department filed to withdraw the appeal. The filing did not mention a reason.

With the relevant portion of the guidance vacated and no appeal pending, “Hospitals can safely share reliable, accurate healthcare information with the communities they serve without the fear of federal civil and criminal penalties,” Chad Golder, AHA general counsel, said in a written statement.

Other plaintiffs in the case were the Texas Hospital Association and Texas Health Resources, a 24-hospital system in the Dallas area.

Why the guidance appeared to overreach

In this year’s revision to the guidance, OCR sought to clarify that providers do not commit a HIPAA violation simply by having a tracking tool on an unauthenticated page that includes health information.

“The mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing healthcare providers is not a sufficient combination of information to constitute IIHI [individually identifiable health information] if the visit to the webpage is not related to an individual’s past, present or future health, healthcare or payment for healthcare.”

The judge in the AHA’s case, which was filed in November 2023, was not swayed by the changes. He said the guidance still tried to establish an expansive definition of IIHI that HIPAA covered entities should not be expected to interpret.

Metadata from an unauthenticated website should not constitute IIHI, given that there is no way of definitively linking such data to an individual’s health situation, wrote Judge Mark T. Pittman (a Trump appointee) in a June summary judgment in which he vacated the applicable portion of the guidance.

“Without knowing information that’s never received — i.e., the visitor’s subjective motive — the resulting metadata could never identify that individual’s PHI,” the opinion states, adding that “covered entities have long been allowed to disclose PHI that does not identify the particular individual.” (Note: PHI is a subset of IIHI, encompassing information in a patient’s health record, whereas IIHI also includes information such as address, date of birth and Social Security number.)

Compliance questions remain

Not all providers are free and clear, however, because individuals and states have filed a smattering of lawsuits against health systems over the issue. Many of the cases obtained class-action status, including one that was settled in 2023 and cost a large health system more than $12 million.

Going forward, however, “the decision should make such suits significantly less attractive to plaintiffs,” attorneys with Holland & Knight’s HIPAA and healthcare privacy team wrote in an analysis.

Providers nonetheless should be aware of circumstances in which their websites or mobile apps still could violate HIPAA.

The court left large portions of the guidance intact, meaning patient portals that incorporate authenticated-access functionality could be deemed in violation if they use tracking technologies. Other scenarios that may present risk include those where the hospital or other HIPAA covered entity solicits information about why the user is visiting the page.