Judges Rules HHS Web Tracker Guidance is Unlawful

A federal judge in Texas ruled that Department of Health and Human Services (HHS) guidance on the use of web trackers was unlawful. The guidance originally released in 2022 warned healthcare organizations that using web trackers on websites and apps could result in the acquisition of Protected Health Information (PHI) and HIPAA violations for covered entities. HHS stated that regulated entities cannot use tracking technologies that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.

In March of 2024, HHS released updated guidance for web tracker use stating the collection of IP address data of a user’s device when visiting a health-related website does not qualify as PHI if the website visit is not related to an individual’s past, present, or future health, healthcare, or payment for healthcare.

The Web Tracker Ruling

The ruling stemmed from a lawsuit filed by the American Hospital Association (AHA), the Texas Hospital Association, United Regional Health Care System, and Texas Health Resources to stop enforcement of the web tracker rules. The plaintiffs argued that HHS:

• Exceeded its authority in promulgating the Bulletins
• Violated the Administrative Procedure Act (APA) when doing so. The APA governs how federal agencies develop and issue regulations.

In his ruling, U.S. District Judge Mark Pittman vacated the HHS guidance. The judge agreed that the department operated out of its bounds when it issued the guidance. He also ruled that metadata from an unauthorized public website search does not constitute Individually Identifiable Health Information (IIHI) that HIPAA protects.

In his conclusion, Judge Pittman wrote, “This case isn’t really about HIPAA, the Proscribed Combination (an individual’s IP address with a visit to a website addressing specific health conditions of healthcare providers), or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power. More precisely, it’s a case about our nation’s limits on executive power… While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements. And even small executive oversteps can compound over time, resulting in larger transgressions down the road.”

In response to the web tracker ruling, AHA General Counsel Chad Golder said, “For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text.’ As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”

Impact of the Ruling

Healthcare organizations can restart or continue using web trackers on their unauthenticated websites and apps. The HHS guidance still applies to authenticated web pages (pages requiring a login).

This ruling doesn’t mean the web tracker and HIPAA compliance issue has been put to bed. CompliancePoint will continue to monitor if HHS appeals the decision or if the federal government pursues another avenue to restrict web tracker use.

Technology will continue to advance in ways that could put PHI at risk. Organizations need to be aware of regulations that address new technologies that could create compliance risks.

CompliancePoint has a team dedicated to helping healthcare organizations develop and implement cybersecurity and privacy programs that satisfy all HIPAA requirements. Contact us at connect@compliancepoint.com to learn more about our services.