Weiss Zarett Brofman | Sonnenklar & Levy, P.C. | Attorneys At Law


Court strikes down HHS “guidance” for using online tracking technologies and HIPAA

On Behalf of | Oct 4, 2024 | Abuse and Regulatory Compliance, Healthcare Law

The intersection of healthcare and technology has become increasingly complex in recent years, particularly concerning online tracking technologies. The U.S. Department of Health and Human Services (HHS) issued guidance in December 2022, updated in March 2024, to regulate the use of these technologies under the Health Insurance Portability and Accountability Act (HIPAA). This guidance attempted to address the privacy concerns associated with tracking technologies that collect and analyze user interactions on healthcare providers’ websites and mobile applications. However, this guidance faced significant legal challenges, culminating in a pivotal court decision.

The court’s 2024 decision

On June 20, 2024, the U.S. District Court for the Northern District of Texas ruled that critical portions of the HHS guidance were unlawful and exceeded the agency’s authority under HIPAA. It specifically targeted the guidance’s expanded definition of individually identifiable health information (IIHI), which included data such as IP addresses linked to visits to unauthenticated webpages addressing health conditions or healthcare providers. The court found that this expansion imposed undue compliance burdens on HIPAA-regulated entities and was not supported by HIPAA’s statutory framework.

The ruling vacated the guidance to the extent that it required HIPAA obligations in scenarios where an online technology connected an individual’s IP address with a visit to a public webpage related to health information. This decision effectively nullified HHS’s attempt to broaden the scope of HIPAA’s privacy protections to include certain online tracking activities.

Implications for healthcare providers

The court’s decision has significant implications for healthcare providers and their use of online tracking technologies. Firstly, it alleviates some of the compliance pressures introduced by the HHS guidance. Healthcare providers no longer need to treat all data collected through tracking technologies as protected health information (PHI) under HIPAA, provided it does not meet the traditional definition of IIHI.

However, this does not mean healthcare providers can disregard privacy concerns altogether. The ruling underscores the importance of understanding the boundaries of HIPAA and ensuring that any data sharing with tracking technology vendors complies with existing regulations. Providers must still be vigilant about unauthorized disclosures of PHI and ensure that any data shared for marketing or analytical purposes is appropriately de-identified or anonymized.

We stay on top of this issue

Given the complexities and potential legal ramifications of online tracking technologies, healthcare providers should consider consulting with legal professionals to navigate this evolving landscape. An experienced healthcare law attorney can offer insight so providers remain compliant with HIPAA while leveraging technology to enhance patient care and operational efficiency.

 
