HHS Drops Appeal on Website Tracking, but Some of Rule Still Applies
By Greg Freeman
Health and Human Services (HHS) recently announced that it will not appeal its unfavorable court decision in American Hospital Association v. Becerra, in which the American Hospital Association and other groups sued HHS to bar enforcement of a new rule adopted in guidance by the Office for Civil Rights titled “Use of Online Tracking Technologies by HIPAA-Covered Entities and Business Associates.”
The rule prevented hospitals and health systems from using common third-party web technologies that capture IP addresses on their public-facing web pages, saying the technology violated privacy requirements. A federal district court said the Office for Civil Rights (OCR) bulletin’s new rule was promulgated “in clear excess of HHS’s authority under HIPAA,” and then HHS withdrew its notice of appeal. The ruling did not vacate the entirety of the tracking technology guidance that OCR published, explains Elizabeth F. Hodge, JD, partner with the Akerman law firm in West Palm Beach, FL. It just vacated the portion of the guidance that said an IP address being on a hospital’s unauthenticated web page is PHI [protected health information]. That is not the case anymore.”
However, the guidance with respect to authenticated web pages stands, she says. It is possible that with respect to unauthenticated web pages, the data that tracking technologies on those pages collect could meet the definition of PHI, depending on what data points are collected, she says.
“Hospitals and health systems and other healthcare providers that use tracking technologies still need to comply with those other aspects of the guidance, and so they need to be mindful of and understand how they are using tracking technologies on their public web pages, and what data is being collected,” Hodge says. “Where is that data going, how is it being used? There’s still work that entities need to do to make sure that they are complying with HIPAA with respect to use of those tracking technologies.”
OCR still intends to enforce the other parts of the rule, says Milada Goturi, JD, partner with the Thompson Coburn law firm in Washington, DC.
“If you look at their website where the guidance is posted, it’s very clear that the OCR acknowledged that the court vacated the guidance, but only to the extent that it provides that HIPAA requirements apply when an online technology connects a person’s IP address with a visit to an authenticated public web page that addresses a condition,” she says. “It’s a pretty narrow carve out, and the OCR web page does state that the OCR is evaluating its next steps, given the court order, so at this time, it’s unknown if they will revise the guidance. Would they perhaps address this through a future rulemaking?”
The court decision makes clear that HIPAA obligations are not triggered when a person goes to, for example, a hospital’s web page and looks at a particular condition or a provider and does nothing further, she says.
“That alone doesn’t trigger HIPAA obligations, because there’s no way for a hospital to know whether that person wants to be a doctor, for example, and learn about something, whether it’s a patient, maybe they’re a student,” Goturi says. “There’s no way for the hospital to know that.”
Sources
- Milada Goturi, JD, Partner, Thompson Coburn, Washington, DC. Telephone: (202) 585-6951. Email: [email protected].
- Elizabeth F. Hodge, JD, Partner, Akerman, West Palm Beach, FL. Telephone: (561) 273-5503. Email: [email protected].
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.
Health and Human Services (HHS) recently announced that it will not appeal its unfavorable court decision in American Hospital Association v. Becerra, in which the American Hospital Association and other groups sued HHS to bar enforcement of a new rule adopted in guidance by the Office for Civil Rights titled “Use of Online Tracking Technologies by HIPAA-Covered Entities and Business Associates.”
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.