AHA rebuts OCR's attempt to revise online tracking rules

The hospital group calls new revisions to HHS’ pixel tracking guidance "regulatory overreach," and says the update is "unlawful and unwise." Meanwhile, Massachusetts is weighing two class action suits that would allege such tracking violates wiretap laws.
By Andrea Fox
10:24 AM


The American Hospital Association is taking exception to recently updated rules from the HHS Office for Civil Rights related to the use of online tracking tools by health systems and other HIPAA covered entities.

The AHA this month told a federal court that OCR's newest bulletin, which restricts covered entities and their business associates from using third-party web technologies that capture IP addresses on public webpages, is too broad and too restrictive – and could "prevent healthcare providers from communicating vital health information to the communities they serve."

But in Massachusetts this month, a top court is mulling whether to allow two class action suits to move forward that would rely on the state's 1968 Wiretap Act to allege two hospitals violated patient privacy with their use of pixel tracking tools.

WHY IT MATTERS

This past month, OCR updated its guidance around use of online tracking tools, such as those developed by Google and Meta, by HIPAA-covered entities and business associates – replacing its previous guidance from 2022.

In the revised bulletin, OCR clarified that organizations "may engage a technology vendor to perform such analysis as part of the regulated entity’s health care operations," reiterating that "sharing protected health information with vendors without consent is considered an unauthorized disclosure."

For example, according to the OCR guidance, "disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures."

The previous guidance warned that HIPAA-regulated entities that collect and transmit certain individually identifiable health information, including IP addresses, with tools like Google Analytics and Meta Pixel could be committing a HIPAA violation involving protected health information.

This past Friday, however, the American Hospital Association told a federal court that the revised bulletin "only confirms that the original bulletin was 'substantively and procedurally unlawful.'" 

"[T]he mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing healthcare providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the webpage is not related to an individual’s past, present or future health, healthcare or payment for healthcare," said the AHA.

This is not the first time the hospital group has taken issue with HHS attempts to limit health systems' use of tracking tools. 

In October 2023, AHA sent a letter to the Senate Committee on Health, Education, Labor and Pensions arguing that OCR's rule on the use of online tracking tools is at odds with HIPAA and could cause harm to patients, and suggested that Congress urge the agency to withdraw the rule.

"HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, it strikes the appropriate balance between health information privacy and valuable information-sharing," AHA told the HELP committee.

Then, in November, AHA filed a lawsuit against HHS for restricting healthcare providers from using third-party web technologies that capture IP addresses on portions of their public-facing web pages and other data.

Supporting efforts to bar enforcement that limits the use of pixel-tracking tools, 17 state hospital associations and 30 hospital systems filed friend-of-the-court briefs, AHA said.

"HHS has consistently charged hospitals with better serving these communities, touting the goal of hospitals 'advancing health equity for all, including members of historically underserved and under-resourced communities,'" the state hospital associations said in their joint brief filed with the court in January.

"But in order to serve as effective sources of reliable health information and to reach a broad audience outside of their existing patient base, hospitals must be empowered to use the best tools available to ensure that their websites are providing the right information to the right people, in a way that they can trust and act on," they said.

THE LARGER TREND

But even as the AHA calls the new revisions an "embarrassing saga of regulatory overreach," and seeks to halt federal enforcement of an "unlawful and unwise new rule," state courts are trying to figure out the proper way to hold health systems that use tracking technologies to account when it comes to patient privacy.

Reuters, this month, reported that the Massachusetts Supreme Judicial Court may be open to proposed class action suits related to online tracking – cases that use a novel interpretation of a decades-old wiretapping law.

The separate class action suits, filed by a single plaintiff, allege that two hospitals – Beth Israel Deaconess Medical Center and New England Baptist Hospital – violated the Massachusetts Wiretap Act, which was drafted in 1968, by allowing third parties to harvest data about website users.

According to the Reuters report, Justice Frank Gaziano was open to the idea that an old wiretap law could apply to internet tracking, because the state's courts had already extended its reach to new technologies such as cell phones and text messages in 2013.

"This case is about hospitals that allowed technology companies to eavesdrop on highly sensitive communications between healthcare consumers and their medical providers," said Patrick Vallely, a plaintiffs' attorney at Shapiro Haber & Urmy, in the Reuters story.

Meanwhile, other Massachusetts health systems have already faced their own pixel-tracking cases in recent years, including Mass General Brigham, which settled one class action suit for $18.4 million in 2022.

ON THE RECORD

For its part, the AHA continues its protest against federal rules it says are far too broad.

"The unprecedented rule HHS has adopted is unmoored from statutory text and purpose, as well as practically unworkable and internally inconsistent – unsurprising for a rule hastily reformulated in the crucible of litigation and still critically lacking in public feedback," said the AHA on April 11.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
