AHA obtains vacatur of HHS guidance document overreading HIPAA's application to online technologies
Client(s) American Hospital Association
On behalf of the American Hospital Association and other hospital associations and hospitals, Jones Day persuaded a district court to invalidate a new rule created in an HHS guidance document, which addressed the application of HIPAA to covered entities' public-facing webpages using online technologies that collect the IP addresses of devices visiting the pages. The court agreed that there was final agency action reviewable under the APA because HHS had adopted a definitive rule with novel legal consequences for regulated parties. And the court further agreed that HHS had misapplied HIPAA's definition of protected health information, so it vacated the rule. The court's decision is final, as HHS declined to appeal.
As originally issued, the guidance document stated, among other things, that an online technology collects protected health information under HIPAA when it connects (1) an individual's IP address with (2) a visit to a covered entity's publicly accessible webpage addressing specific health conditions or healthcare providers—a rule the court described, following Jones Day's lead, as the "Proscribed Combination." HHS reasoned that this information is "indicative" of the page visitor's health status. That reasoning would have prohibited the use of online technologies even for common beneficial purposes that do not necessarily reveal anything about an identifiable visitor's own health. In response to Jones Day's lawsuit, HHS revised the guidance document to limit the Proscribed Combination to instances where the page visitor in fact intended to visit the page for reasons related to his or her own health, but did not require that the page operator actually receive any information revealing the visitor's subjective intent.
The court first held that the guidance document was final agency action. It agreed with Jones Day's showing that the Proscribed Combination was an unprecedented rule that would have a significant impact because it contravened settled practice and was being vigorously enforced by HHS. The court then held that the Proscribed Combination exceeded HIPAA's definition of protected health information. It agreed with Jones Day's argument that metadata collected by online technologies showing merely that an identifiable individual visited a health-related webpage does not "relate to" the individual's own health. The court emphasized that, although it is possible the individual visited the page for reasons related to his or her own health, it is also possible that the individual did so for many other reasons—and regardless of the individual's subjective motive for visiting the page, the covered entity has not "received" that additional information under the Proscribed Combination.
American Hospital Association, et al. v. Becerra, et al., No. 4:23-cv-1110 (N.D. Tex.)