Special thanks to Taft summer associates Tanner Wilburn and Lizzie Dobbins for their contributions to this post. 

On June 20, 2024, the U.S. District Court for the Northern District of Texas vacated a portion of guidance issued by the Department of Health and Human Services (HHS) regarding the use of online tracking technologies. This decision is beneficial to healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) which use third-party tracking tools on their public-facing websites, but such entities should be cautious to not read the case too broadly.

Background

In December 2022, the HHS Office for Civil Rights (OCR) released a bulletin addressing the use of online tracking technologies by HIPAA-covered entities. This guidance took an expansive view of what constitutes individually identifiable health information (IIHI) under HIPAA, suggesting that even basic analytics data collected from public websites could trigger HIPAA obligations.

HIPAA defines IIHI using a two-pronged test:

• The “relates to” prong: The information must relate to an individual’s past, present, or future physical or mental health condition, the provision of healthcare to the individual, or payment for that healthcare.
• The “identifies” prong: The information must either identify the individual or provide a reasonable basis to believe it could be used to identify the individual.

The OCR bulletin expanded this definition, particularly in the context of unauthenticated webpages—public-facing websites that don’t require users to log in or provide identification to access content.

Industry stakeholders criticized the rule and urged OCR to suspend the guidance on the grounds that the new definition was far too broad. That, in order to comply, regulated entities would have to limit public access to health information on their websites. In response, OCR and the Federal Trade Commission (FTC) sent letters to 130 hospitals warning them of their non-compliance. Finally, the American Hospital Association (AHA) and other healthcare stakeholders challenged this guidance in a lawsuit, arguing that it improperly expanded the definition of IIHI beyond the two-pronged test in HIPAA.

In response to concerns raised by healthcare stakeholders, OCR issued a revised bulletin in March 2024. This updated guidance attempted to clarify OCR’s position while maintaining much of its original stance. Notably, it added an intent element to the analysis of what constitutes IIHI. The revised bulletin stated that the mere connection of an IP address with a visit to a health-related webpage would not automatically constitute IIHI, but this combination would be considered IIHI if the visit to the webpage was related to the individual’s own health, healthcare, or payment for healthcare.

This modification introduced a new layer of complexity, as it implied that covered entities would need to consider not just the objective fact as to whether a website was visited, but also the subjective purpose behind the visit.

The Court’s Decision

The court focused its analysis on what it termed the “Proscribed Combination”—the part of OCR’s rule connecting an individual’s IP address with their visit to an unauthenticated public webpage.

The court found that the OCR had exceeded its statutory authority in promulgating this rule. The court’s reasoning hinged on the two prongs of the definition of IIHI:

• The “relates to” prong: The court held that OCR’s guidance impermissibly expanded the HIPAA definition by requiring covered entities to discern a website visitor’s subjective intent.
• The “identifies” prong: The court determined that the Proscribed Combination fails to meet the statutory requirement that IIHI either identifies an individual or provides a reasonable basis to believe it could be used for identification. The metadata collected through tracking technologies, without more, does not meet this threshold.

The court granted the plaintiffs’ request to vacate the Proscribed Combination. However, the court carefully outlined the scope of its ruling, emphasizing that it applies only to the Proscribed Combination rule and does not affect other parts of the revised bulletin or HHS’s broader authority under HIPAA.

What This Means for Covered Entities

While this decision is good news for HIPAA-regulated entities using tracking technologies on their websites, its scope is limited. The court did not address other aspects of HIPAA compliance or the use of tracking technologies in authenticated environments like patient portals. Moreover, the court did not rule on the procedural or substantive validity of the guidance under the Administrative Procedure Act (APA).

This narrow focus means that healthcare entities must continue to exercise caution and maintain robust privacy practices across all their digital platforms, particularly when deploying tracking technologies. In addition to exercising caution when using website tracking technologies, this decision highlights the value of:

• Reviewing and updating privacy policies and HIPAA Notice of Privacy Practices to ensure they accurately reflect current operations and provide adequate notice to patients.
• Evaluating where consents and authorizations may be needed, even on unauthenticated websites; and
• Reassessing business associate agreements with technology vendors that have access to PHI.

Taft’s Privacy & Data Security team has extensive experience counseling clients on HIPAA, consumer data privacy laws, data minimization strategies, and data governance program development. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.