The Pixel Problem Part 3: Less of a Problem After Court Vacates HHS’s Overbroad Action

In Parts 1 and 2 of this series on the Pixel Problem, I reviewed the original and revised guidance from the Department of Health and Human Services (HHS) on the Use of Tracking Technologies by HIPAA Covered Entities and Business Associates.  I noted that HHS’s guidance, even as revised, went too far in determining what constitutes individually identifiable health information when tracking technologies are used on websites.  A federal court in Texas recently agreed and vacated part of HHS’s guidance.

The purpose of this post is to update Parts 1 and 2 in this series.  For a full discussion of the content of the original guidance and the revised guidance, see The Pixel Problem: Tracking Technologies and OCR’s Guidance and The Pixel Problem Part 2: Tracking Technologies and OCR’s Revised Guidance.

Who Sued and Why?

The American Hospital Association (“AHA”) and other provider associations sued HHS in November 2023 over its December 2022 guidance regarding the use of tracking technologies on websites (“Original Guidance”).  AHA claimed that HHS exceeded its authority and sought either a permanent injunction preventing HHS from enforcing it or a vacatur of the offending portion of the guidance.

While the lawsuit was pending, in March 2024, HHS revised its guidance in an attempt to curb its overreach (“Revised Guidance”).  That did not resolve the dispute: on June 20, 2024, a federal district court in Texas agreed with AHA that even the Revised Guidance went too far.

What Did the Court Say?

After a lengthy discussion and application of administrative law principles, the court concluded that HHS went well beyond the statutory definition of “individually identifiable health information” (“IIHI”) under HIPAA in the Revised Guidance.  The court’s finding is limited to the portion of the guidance concluding that a visitor’s IP address when visiting an unauthenticated, publicly available webpage regarding specific health conditions or healthcare providers constitutes IIHI and is protected under HIPAA.

In its Revised Guidance, HHS attempted to scale this back by saying the information constituted IIHI only if the visitor’s intent was to view information related to the visitor’s own healthcare.  The court agreed with AHA that this was “a distinction without a difference”[i] because, as I pointed out in Part 2 of this series, “[s]ince a covered entity cannot discern the purpose for a visit to the site, it would be compelled to treat all visitors as those seeking future care.”

What is “Individually Identifiable Health Information” and Why Does it Matter?

The HIPAA statute itself defines IIHI, which is the basis for protected health information (“PHI”) under HIPAA.  Specifically, IIHI is any information, including demographic information collected from an individual, that:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.[ii]

The identity of the individual clearly is foundational to the concept of IIHI, not the mere possibility that an individual could be identified.  The court offered this:

Without knowing information that’s never received—i.e., the visitor’s subjective motive—the resulting metadata could never identify that individual’s PHI. Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).[iii]

The court then vacated the offending portion of the Revised Guidance.  HHS acknowledged the court’s order at the top of the Revised Guidance on its website, noting that:

the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.” . . . HHS is evaluating its next steps in light of that order.

So, What Now? (Revised Again – 3rd time’s a charm!)

For now, the vacated portion of the Revised Guidance is no longer effective.  The remainder of the guidance remains intact, however.  As a result, regulated entities should assess their sites to determine which third-party tracking technologies are in use, on which pages, and what each one collects and transmits.[iv]  OCR added an “Enforcement Priority” section to the Revised Guidance making clear that enforcement regarding tracking technologies is a priority, and that section remains in place.

First, ensure that the patient portal and its log-in pages contain no third-party tracking technologies that could capture identifying information.  Similarly, ensure that appointment scheduling pages, or any other pages on which the user provides identifying information, do not use third-party tracking technologies.

For the remaining pages that use third-party tracking technologies, assess the following:

  • What data is shared with the tracking technology vendor, and is sharing such data necessary?
    • Understand the definition of IIHI.
    • If the third-party tracking technology vendor collects no IIHI, then no HIPAA rules apply.
  • If the data is IIHI, is such sharing permitted under HIPAA for treatment, payment or healthcare operations?  Remember, HIPAA requires the individual’s written authorization for uses and disclosures of PHI for marketing purposes.
  • If HIPAA permits the disclosure to a third-party vendor as a business associate for treatment, healthcare operations or payment, is there a business associate agreement in place with the vendor?

Where third-party tracking technologies remain in use, ensure that the website’s privacy notice discloses the use of such trackers.  Further, regulated entities must include the use of tracking technologies in the risk analysis that the HIPAA Security Rule requires, to the extent that such trackers receive IIHI.
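As an added example (not part of the original post or of OCR’s guidance), the Python script below performs the kind of page-level inventory described above: it parses the HTML of a few constructed sample pages, lists every script, image pixel, iframe or link loaded from a host other than the site’s own, records which query-string parameter names each such request carries (a first answer to “what data is shared?”), looks for inline snippets that set up common tag libraries, and flags any third-party resource on pages whose paths suggest a portal log-in or appointment scheduling.  The hostnames, paths, HTML, sensitive-path keywords and marker list are illustrative assumptions, not a complete list.

```python
"""Static inventory of third-party tracking resources on a site's pages.

Added example, not from the original post or OCR's guidance.  Hostnames, paths
and HTML below are constructed sample data; SENSITIVE_PATH_HINTS and
INLINE_TRACKER_MARKERS are illustrative assumptions, not complete lists.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumption: a path containing one of these is a page where the visitor
# identifies themself (portal log-in, appointment scheduling).
SENSITIVE_PATH_HINTS = ("login", "portal", "appointment", "schedule")
# Assumption: inline JavaScript containing one of these sets up a tag library
# (Meta Pixel, Google tag, LinkedIn Insight).  Non-exhaustive.
INLINE_TRACKER_MARKERS = ("fbq(", "gtag(", "_linkedin_partner_id")


class ResourceCollector(HTMLParser):
    """Collect remote-resource URLs and inline <script> bodies from one page."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) for script/img/iframe src and link href
        self.inline_scripts = []   # bodies of <script> elements without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append((tag, a["href"]))
        self._in_inline_script = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def same_site(host, first_party_host):
    """The site's own host and its subdomains (e.g. its CDN) count as first party."""
    return host == first_party_host or host.endswith("." + first_party_host)


def scan_page(html, first_party_host):
    """Return third-party resources as (tag, host, sorted query parameter names)
    plus any inline tracker markers found in the page."""
    p = ResourceCollector()
    p.feed(html)
    p.close()
    third_party = []
    for tag, url in p.resources:
        parts = urlsplit(url)
        if not parts.netloc:        # relative URL: served by the site itself
            continue
        host = parts.hostname or ""
        if same_site(host, first_party_host):
            continue
        # Parameter names show what the request carries (event, IDs, page URL);
        # only a live network capture shows the values actually sent.
        params = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
        third_party.append((tag, host, params))
    js = "".join(p.inline_scripts)
    markers = sorted(m for m in INLINE_TRACKER_MARKERS if m in js)
    return {"third_party": third_party, "inline_markers": markers}


def is_sensitive_path(path):
    low = path.lower()
    return any(h in low for h in SENSITIVE_PATH_HINTS)


def assess_site(pages, first_party_host):
    """Scan {path: html}; a sensitive page with any tracker at all is flagged,
    other pages with trackers are marked for the IIHI review questions."""
    report = []
    for path, html in pages.items():
        scan = scan_page(html, first_party_host)
        has_tracker = bool(scan["third_party"] or scan["inline_markers"])
        report.append({"path": path, "sensitive": is_sensitive_path(path),
                       "third_party": scan["third_party"],
                       "inline_markers": scan["inline_markers"],
                       "needs_review": has_tracker,
                       "flag": is_sensitive_path(path) and has_tracker})
    return report


# Constructed sample site: a condition page with a Google tag, a portal log-in
# page with a Meta Pixel noscript image, and a page using only the site's CDN.
FIRST_PARTY = "example-hospital.org"
SAMPLE_PAGES = {
    "/conditions/diabetes": """<html><head>
        <script async src="https://www.googletagmanager.com/gtag/js?id=G-TEST123"></script>
        <script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
        gtag('js',new Date());gtag('config','G-TEST123');</script>
        <link rel="stylesheet" href="/static/site.css"></head>
        <body><h1>Diabetes care</h1></body></html>""",
    "/portal/login": """<html><head><script src="/static/app.js"></script></head>
        <body><form action="/portal/login" method="post"></form>
        <noscript><img height="1" width="1"
          src="https://www.facebook.com/tr?id=1234567890&amp;ev=PageView&amp;noscript=1"></noscript>
        </body></html>""",
    "/about": '<html><body><img src="https://cdn.example-hospital.org/logo.png"></body></html>',
}

if __name__ == "__main__":
    for f in assess_site(SAMPLE_PAGES, FIRST_PARTY):
        status = "FLAG" if f["flag"] else ("review" if f["needs_review"] else "ok")
        print(f"{status:6} {f['path']}: {f['third_party']} {f['inline_markers']}")
```

A static scan of the served HTML is only a starting point: tags injected at run time by a tag manager, or requests fired by a pixel’s JavaScript, never appear in the page source.  Pair this kind of inventory with a live capture of outbound requests (a browser’s network tools, or a scanner such as the one mentioned in note [iv]) on the portal, log-in and scheduling pages, and review the parameter values actually sent, not just the parameter names.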

Conclusion

While this likely is not the last we will hear of the Pixel Problem, the court’s vacatur of the most problematic portion of the guidance should bring some relief to covered entities and business associates.

[i]   Am. Hosp. Ass’n v. Becerra, ____ F. Supp. 3d ___, No. 4:23-cv-1110, 2024 U.S. Dist. LEXIS 108847, at *21 (N.D. Tex. June 20, 2024).

[ii]  42 USC § 1320d(6); 45 CFR §160.103.

[iii]  Am. Hosp. Ass’n v. Becerra, 2024 U.S. Dist. LEXIS 108847, at *42-43.

[iv]  The Markup, one of the media outlets that broke the pixel story, offers a free tool to assess the use of trackers on a website.  It is a good starting point.