AHA Sues Federal Government Over OCR Tracking Technology Guidance

The AHA’s lawsuit suggests that OCR’s tracking technology bulletin disturbs the balance between privacy and information sharing under HIPAA.

The American Hospital Association (AHA) has sued the federal government over the HHS Office for Civil Rights’ (OCR) stance on tracking technology use in healthcare. Joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, AHA alleged in the lawsuit that OCR’s December 2022 bulletin on the use of tracking technology by HIPAA-covered entities “upsets the balance that HIPAA strikes between privacy and information sharing.”

In early October, the AHA responded to a request for information from US Senator Bill Cassidy (R-LA) on improving health data privacy and modernizing HIPAA, urging Congress and OCR to withdraw the bulletin.

“In OCR’s misguided view, the same HIPAA protections apply if visitors search for a medical service for a friend or relative; if they are seeking general health information (e.g., information about flu season or symptoms of an unknown illness); or if they are conducting academic research for a study of data on hospitals’ websites,” the AHA wrote at the time.

Now, AHA is taking legal action against HHS after attempts to engage with HHS fell flat.

The bulletin in question, entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” was issued amid increasing reports of data breaches stemming from the use of third-party tracking technology in healthcare.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” OCR stated in the bulletin.

“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”

OCR stated that regardless of whether the tracking tech is present on user-authenticated or unauthenticated web pages, if PHI is involved, HIPAA rules still apply.

However, the AHA alleged that the bulletin exceeds its statutory authority under HIPAA by preventing hospitals from leveraging widely used tools on their public-facing websites that could otherwise help organizations further their mission. For example, video technologies may allow hospitals to educate the public on health conditions, but may be ineffective without IP-address information.

“For example, under HHS’ new rule, if someone visited a hospital website on behalf of her elderly neighbor to learn more about Alzheimer’s disease, a hospital’s use of any third-party technology that captures an IP address from that visit would expose that hospital to federal enforcement actions and significant civil penalties,” the AHA reasoned.

What’s more, the AHA called attention to various federal agencies that are continuing to use third-party tracking technologies despite being covered by HIPAA. HHS’ Medicare.gov, the Department of Defense Military Health System and Defense Health Agency, and a variety of US Veterans Health Administration sites still use these tools, according to the lawsuit.

AHA suggested that the government’s continued use of these tools is at odds with the warnings that it has sent to healthcare organizations across the country. In July 2023, HHS and the Federal Trade Commission (FTC) sent letters to 130 healthcare organizations emphasizing the risks of third-party tracking tech. In September, the FTC and HHS published the letters and the names of their recipients.

“Both agencies are closely watching developments in this area,” the letters stated. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

AHA suggested that “while dozens of hospitals across the country have received enforcement threats, and hospitals are currently under active investigation by OCR, the federal government has not halted its own use of these vital tools.”

The lawsuit also alleged that OCR unlawfully issued the bulletin in the first place, without consulting with hospitals and health systems about the impact that the rule would have on them and their patients, and without following the required notice-and-comment rulemaking process.

“Instead, the agency began aggressively threatening regulatory enforcement and serious civil penalties against hospitals and health systems,” the AHA stated. “After attempts to engage with HHS officials to educate them about the impact of their new rule, the AHA determined that it was necessary to file suit on behalf of its members to prevent the agency from unlawfully penalizing hospitals.”
