Source - Privacy and Cybersecurity Client Alert

Court Vacates Key Portion of OCR’s Online Tracking Tool Guidance

On June 20, 2024, a federal court vacated key portions of regulatory guidance on the treatment of information collected by online tracking tools. At issue was the U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) March 2024 bulletin (a revision of a December 2022 version) covering disclosures of information via online tracking tools. The court invalidated OCR’s position that individually identifiable health information (IIHI), a component of protected health information (PHI), includes the connection of a person’s IP address with their visit to certain webpages.

What do I need to know?

  • Companies are not disclosing PHI by using online tracking tools outside of patient portals.
  • There are still litigation risks for companies deploying online tracking tools, and there could be regulatory risks if OCR appeals and wins.
  • The court’s reasoning demonstrates the challenge plaintiffs in adtech class actions will face when seeking class certification (i.e., the need to establish that every class member shared the same subjective intent when visiting the website).

What happened before the court ruled?

In a December 2022 bulletin, OCR sent shockwaves through the healthcare industry by stating that regulated entities were disclosing PHI by using online tracking tools on certain unauthenticated webpages (pages accessible to the public without logging in). OCR explained that IIHI includes the combination of a visitor’s IP address and website activity on certain pages because those details relate to the person’s health, health care or payment by connecting them to the regulated entity.

Regulated entities were largely caught by surprise and had to grapple with the risk that they could be disclosing PHI by using online tracking tools for advertising, analytics or other purposes. If OCR’s position were correct, it might require executing business associate agreements or eliminating the use of ubiquitous internet-based tools entirely. As a practical matter, it is difficult, if not impossible, to find vendors that are willing to offer these tools pursuant to a business associate agreement. While hospitals rapidly reassessed their online strategies, the American Hospital Association (AHA) filed a lawsuit challenging the validity of OCR’s bulletin.

In March 2024, while the AHA’s lawsuit was pending, OCR revised its guidance by adding some subjective-intent gloss. OCR’s new position was that the connection of an IP address with website activity is IIHI only when the person’s reason for visiting the website related to their personal health care. The inquiry, in other words, focused on the visitor’s intent—regardless of whether the hospital knew that purpose.

Why did the court vacate some of OCR’s bulletin?

In a June 20, 2024, opinion, the Northern District of Texas granted summary judgment on behalf of the AHA and vacated the portion of OCR’s guidance that classified as IIHI an IP address plus a visit to an unauthenticated website addressing health conditions or healthcare providers.

The court started with the jurisdictional question: was the bulletin a final agency action (the prerequisite for a legal challenge)? The court said yes for a variety of reasons that are beyond the scope of this alert. But the tone in that analysis laid the groundwork for the opinion. The court said that the bulletin “shoehorns a novel category of information into the inelastic definitional contours of ‘IIHI.’” And, in one of many apparent signs of frustration with OCR (and the administrative state more generally), the court further noted that OCR “gaslit” covered entities about what the bulletin said and did.

On the merits, the court held that OCR lacked authority to make its pronouncement in the bulletin concerning online tracking tools. The court explained that OCR’s determination that IIHI includes the combination of an IP address and website activity on unauthenticated pages is beyond what the statute will bear. Summarizing the statutory definition of IIHI, the court noted such information must (1) relate to a health condition, health care or payment for health care of an individual and (2) identify (or reasonably be used to identify) that individual. The combination of an IP address and website activity does neither.

The key point, as the court identified, is that a hospital does not know why a person visited the webpage. This is fatal to the “relate to a health condition” prong because, “without knowing a particular query relates to a category of information in [the statute], metadata from the [online tracking tools] cannot be IIHI.” Indeed, a visitor could access a webpage for many reasons unrelated to the covered purposes. A mere indication of a covered purpose is insufficient because the statute says “relate” rather than “may relate” or “is indicative of.” Furthermore, the lack of insight into the visitor’s intentions dooms the identity prong because, even if the visitor’s identity were known, the hospital cannot determine whether there is a link between the visitor and a covered purpose. The court explained: “Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).”

The court, after ruling on the merits for AHA, explained that vacatur (rather than a permanent injunction) was the appropriate remedy. Vacatur is as if the relevant portion of OCR’s guidance never existed.

What did the court not vacate?

The court explicitly acknowledged it was not vacating the entire bulletin: the “vacatur is not intended to, and should not be construed as, limiting the legal operability of other guidance in the germane HHS document.” Most notably, the court left in place OCR’s position that the connection of an IP address with activity on authenticated webpages constitutes IIHI.

What happens next in this case?

OCR can appeal. But it faces an uphill battle in the Fifth Circuit, which has shown itself to take a narrow view of agency authority. OCR could also issue revised guidance, but the court seemingly slammed the door on any notion that an IP address combined with website activity can be PHI.

What does this mean for pending tracking technology litigation?

Healthcare providers nationwide are embroiled in litigation over the use of third-party analytics and tracking technology on their websites. Despite HIPAA not providing a private right of action, plaintiffs have relied on and heavily cited the OCR bulletin in support of their claims. While the court vacating key aspects of OCR’s bulletin certainly takes the wind out of plaintiffs’ sails, issues may still remain. In cases with state law wiretap claims, for instance, the court’s ruling is helpful for some but not for others. In those states with one-party consent laws, plaintiffs have been relying on the OCR guidance to assert there was a violation of HIPAA, and thus a crime-tort exception applied. That argument should now be rejected. However, the court’s ruling may have less impact on wiretap claims in states with two-party consent laws.

The court’s ruling also bolsters many of the positions healthcare providers have been asserting nationwide: they rely on these tools to serve their communities; any metadata collected is inherently de-identified; and class certification is impossible because each website visitor’s individual intent will vary.

Further, the court’s ruling weakens or eliminates the “intent” aspect of many state claims. It cuts through several state law privacy claims that depend on the sensitive nature of the information being shared with the third party. Plaintiffs can no longer point to the OCR guidance in support of their assertion that website browsing on a health-related public website is inherently private or sensitive information.

But this is not the end of the road. The court’s ruling did not directly address whether IP addresses are ever identifiable. Also, there is the potential that an appeal of this decision will provide the basis for a stay in the hundreds of impacted class actions until the issue is resolved.

Finally, the ruling may do little, if anything, for cases where online tracking tools were used in authenticated portions of the website, such as in a patient portal.

Does this change what I can do on my website?

The court’s ruling provides regulated entities more flexibility. They can deploy online tracking tools in unauthenticated pages without fear, for now, of OCR asserting there was an unauthorized disclosure of PHI. But, given the recent focus from regulators—such as the FTC and state attorneys general—on online disclosures of non-PHI medical data, regulated entities may still want to use caution before deploying online tracking tools. Additionally, regulated entities should still provide clear notice that these tools are in use to mitigate the risks associated with potential wiretap claims.

In sum, companies should consider whether the use of online tracking tools is worth the potential risks of future litigation or regulatory enforcement.