The American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued the federal government to bar enforcement of an unlawful, harmful, and counterproductive rule that has upended hospitals’ and health systems’ ability to share healthcare information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.
The lawsuit challenges a “Bulletin” issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” This December 2022 “Bulletin” restricts hospitals from using standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing webpages that address health conditions or healthcare providers. For example, under HHS’ new rule, if someone visited a hospital website on behalf of her elderly neighbor to learn more about Alzheimer’s disease, a hospital’s use of any third-party technology that captures an IP address from that visit would expose that hospital to federal enforcement actions and significant civil penalties.
As alleged in the Complaint, HHS’ Medicare.gov, the Department of Defense Military Health System and Defense Health Agency, and various U.S. Veterans Health Administration sites continue to use these third-party technologies despite being covered entities under HIPAA. For example, forensic tools revealed that the Veterans Health Administration uses analytics and advertising tools on a wide range of sites, including online resources that describe the symptoms of post-traumatic stress disorder and point veterans to available treatment options. While dozens of hospitals across the country have received enforcement threats, and hospitals are currently under active investigation by OCR, the federal government has not halted its own use of these vital tools.
Web tools that are ineffective without access to IP-address information include:
· Analytics software that converts interactions with hospital web pages into critical data, such as the level and concentration of community concern on particular medical questions or the areas of a hospital website that people have trouble navigating.
· Video technologies that allow hospitals to offer a wide range of information and education materials to the public, including visuals that educate the community about particular health conditions and that allow visitors to virtually tour the facilities where particular procedures are performed.
· Translation and accessibility services that help persons with limited English proficiency and people with disabilities access vital health care information on hospitals’ webpages.
· Digital maps that provide information about where healthcare services are available, including embedded applications that provide public transportation schedules or driving directions to and from a community member’s location.
The suit alleges that HHS’ new rule exceeds its statutory authority under HIPAA. That statute allows hospitals to rely on third-party tools that capture IP address information because that information cannot reasonably be used to identify the individual whose healthcare relates to the webpage visit. By reaching beyond the law to restrict use of these common tools on public-facing webpages, OCR exceeded its statutory authority. In addition to exceeding its statutory authority under HIPAA, the suit alleges that OCR unlawfully issued this Bulletin without providing any reasoning supporting its novel legal assertions, without acknowledging the government’s own use of implicated third-party technologies, and without following required notice-and-comment rulemaking processes.
For additional information about the lawsuit, a copy of the complaint can be found on AHA’s webpage.