
Court deems OCR’s third-party web tech bulletin unlawful

A Texas court ruled that OCR’s third-party web technology bulletin “was promulgated in clear excess of HHS’s authority under HIPAA.”

The US District Court for the Northern District of Texas Fort Worth Division ruled that the HHS Office for Civil Rights’ bulletin prohibiting the use of third-party web technologies on public-facing hospital websites is unlawful.

The decision marks a resolution to a November 2023 lawsuit filed by the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System.

In the initial complaint, the parties suggested that the bulletin signified a “massive overreach by the federal bureaucracy,” and that it “exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.”

The groups took issue with OCR restricting hospitals from using third-party technologies that capture IP addresses on portions of public-facing webpages addressing specific health conditions, as the bulletin appeared to treat IP addresses as protected information under HIPAA.

United States District Judge Mark T. Pittman largely concurred with the AHA’s stance, stating that the OCR bulletin “was promulgated in clear excess of HHS’s authority under HIPAA.”

“Having reviewed the briefs and submissions from multiple amici, the Court agrees with the Hospitals that the Bulletins improperly create substantive legal obligations for covered entities,” the decision stated.

During the legal proceedings, OCR argued that the bulletin did not articulate the department’s position “with respect to any concrete circumstances,” characterizing the document as a policy statement rather than a hard rule.

“The Court is unsure how HHS reached that conclusion,” the decision reads. “As the Hospitals rightly note, the Revised Bulletin clearly articulates the Department’s position regarding PHI in certain contexts.”

At the crux of the lawsuit lies the AHA’s claim that HHS overstepped by failing to initiate a formal rulemaking process regarding this issue, and by preventing hospitals from using useful tools.

“It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance. But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age,” Pittman wrote.

“Rather, this is a case about power. More precisely, it’s a case about our nation’s limits on executive power.”

The judge granted the AHA’s request for declaratory judgment, deeming the bulletin unlawful, and denied the group’s request for a permanent injunction.

Chad Golder, AHA general counsel, expressed support for the outcome.

“For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text,’” Golder stated.

“As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”
