The American Hospital Association (AHA) filed a lawsuit against the federal government, alleging that the Department of Health and Human Services (HHS) Office of Civil Rights’ (OCR) rule that restricts the use of third-party technologies “has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages.”
Under the December 2022 HHS OCR bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” hospitals are restricted from using standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing websites that address health conditions or health care providers. As an example, if someone visited a hospital website on behalf of an elderly family member or neighbor to better understand Alzheimer’s disease, a hospital’s use of a third-party technology to capture that individual’s IP address would expose the hospital to federal enforcement actions and significant civil penalties.
AHA – along with the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System – argue that the federal government uses those web technologies on their own websites, including Medicare.gov, Tricare.mil, Health.mil, and Veterans Health Administration websites – and that other entities should not be prohibited from doing so. In a press release, AHA noted that “while dozens of hospitals across the country have received enforcement threats, and hospitals are currently under active investigation by OCR, the federal government has not halted its own use of these vital tools.”
AHA further argues that by prohibiting covered HIPAA entities from being able to use these technologies, certain web tools will be rendered useless, which will ultimately harm patients. Some of the tools that need the prohibited technologies to serve patients include: analytics software that can help hospitals use interactions with webpages to understand certain data, such as the level of community concern about a particular medical question or the areas of the website that people have difficulty navigating; video technologies, including visuals that educate the community and patients about certain health conditions or that allow visitors to engage in a virtual tour of the facility where procedures are performed; translation and accessibility services, that can help those with limited English proficiency and patients with disabilities access to important health care information; and digital maps that can provide information about where certain health services are available, including applications that would provide public transportation schedules or driving directions.
In the complaint, AHA states its belief that the new rule exceeds the authority granted to HHS under the HIPAA statute and that the HIPAA statute does allow hospitals to rely on third-party tools to capture IP address information as that information cannot reasonably be used to identify the patients whose health care relates to the webpage visit. The lawsuit further states that HHS and the Office of Civil Rights unlawfully issued the Bulleting without providing any support for its assertions and did not acknowledge the government’s own use of third-party technologies, nor did it follow the required notice-and-comment rulemaking process.
The Complaint seeks a set aside of the Bulletin insofar as it relates to the above prohibitions and permanent injunctive relief enjoining OCR from enforcing the rule in the Bulletin against the complainant Hospitals and the Associations’ other members.