U.S. District Court Invalidates HHS Guidance Overreading HIPAA's Application to Online Technologies
On June 20, 2024, a U.S. federal district court held, in a suit brought by Jones Day, that the Department of Health and Human Services ("HHS") had misapplied the Health Insurance Portability and Accountability Act ("HIPAA") in a guidance document that announced a novel rule prohibiting uses of third-party online technologies in certain situations.
The HHS Guidance
HIPAA restricts the use and disclosure of "individually identifiable health information" ("IIHI"), which is defined as health information that is "created or received" by a covered entity, "relates to" an individual's past, present, or future health, health care, or payment for health care, and "identifies" the individual (or provides "a reasonable basis to believe" it can be used to identify the individual).
HHS originally issued guidance in December 2022, titled "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," which adopted a rule that IIHI is collected where, inter alia, an online technology connects (i) an individual's IP address with (ii) a visit to an unauthenticated public webpage (i.e., a webpage that does not require user log-in) addressing specific health conditions or health care providers—a rule the court described, following plaintiffs' lead, as the "Proscribed Combination." On March 18, 2024, HHS issued revised guidance modifying its position to be that the Proscribed Combination is IIHI only if the webpage visitor subjectively intended to visit the page for a reason related to his or her own past, present, or future health condition, health care, or payment for care.
HHS reasoned that the Proscribed Combination constitutes IIHI because it is "indicative" of the website visitor's health status. That reasoning would have prohibited the use of online technologies even for long-standing beneficial purposes that reveal nothing about an identified individual's own health (e.g., location tools expediting travel time in urgent situations and analytics tools for functionality, experience, and efficiency).
The Court's Ruling
In June, the United States District Court for the District of Texas rejected HHS's position, ruling in favor of several hospitals and hospital associations represented by Jones Day. The court held that the Proscribed Combination exceeded the IIHI definition. It reasoned that metadata collected by online technologies showing merely that an identifiable individual visited a health-related webpage is not IIHI because that information alone does not "relate to" the individual's own health. The court emphasized that, although it is possible the individual visited the webpage for reasons related to his or her own health, it is also possible that the individual did so for many other reasons—and regardless of the individual's subjective motive for visiting the website, the covered entity has not "received" that additional information under the Proscribed Combination.
The Aftermath
HHS is "evaluating its next steps[.]" We recommend HIPAA-regulated entities consider:
- Inventorying data collected through third-party online technologies from unauthenticated and authenticated webpages (i.e., webpages requiring user log-in);
- Confirming third-party online technologies utilized do not collect information that both reasonably identifies a specific individual and reveals information actually relating to that individual's past, present, or future health, health care, or payment for health care;
- Developing and updating website and mobile application notices and disclosures to mitigate civil litigation risks related to online technologies; and
- Confirming the existence of business associate agreements with any third parties receiving IIHI/PHI collected via online technologies, especially from authenticated webpages.
