On November 2, 2023, the American Hospital Association and Texas Hospital Association, together with Texas Health Resources and United Regional Health Care System, filed suit against the Secretary of the Department of Health and Human Services (“HHS”) and the Director of the HHS Office for Civil Rights (“OCR”) regarding OCR’s guidance on the use of online tracking technologies by HIPAA entities.[i] This action and its results will impact how healthcare entities must protect and may use certain information collected on their digital sites.

Lawsuit Details

As we covered in a previous blog post, OCR released guidance in December 2022 on the use of tracking technologies by HIPAA-regulated entities (the “Guidance”).[ii] The lawsuit challenges the portion of the Guidance that considers the use of tracking technologies on healthcare providers’ unauthenticated webpages to be subject to HIPAA. This includes, for example, linking an IP address with viewing specific health conditions or healthcare providers (the “Proscribed Combination”). The complaint specifically alleges that the Guidance, as applied to unauthenticated public webpages: (1) exceeds HHS’s authority under HIPAA and the First Amendment; and (2) fails to meet rulemaking requirements under the Administrative Procedure Act (“APA”). The complaint also points out that third-party trackers can be found on the federal government’s own covered entity agency webpages.

The complaint states there is a lack of reasonable basis to determine whether the Proscribed Combination sufficiently identifies an individual who visits a webpage for health, care, or payment purposes. For example, an individual may visit a medical condition webpage, but such a visit may not be in connection with the individual’s healthcare or sought services. By concluding the Proscribed Combination constitutes individually identifiable health information subject to HIPAA, plaintiffs allege OCR exceeded its authority. The complaint also alleges the Guidance prohibits healthcare providers from disclosing information about the usage of a public webpage on health-related topics in violation of the First Amendment.

With respect to the APA, the complaint alleges: (1) OCR’s reasoning used to determine the Proscribed Combination is individually identifiable health information is arbitrary and capricious; and (2) the Guidance is procedurally defective because it was promulgated without a notice-and-comment period and without consulting hospitals and health systems.

Key Takeaways

Notably, the complaint does not take issue with the Guidance with respect to tracking technologies on authenticated sites. HIPAA-regulated entities should carefully evaluate the trackers present on such sites and determine the appropriate course of action. This may include removing the trackers or entering into a business associate agreement with the tracking entity.

Additionally, class action lawsuits related to the use of trackers by healthcare providers continue to pose a risk, regardless of the outcome of this lawsuit. Although certain HIPAA risks may be mitigated as a result of this lawsuit, when using tracking technologies, entities, especially healthcare entities, should continue to assess and monitor the information being tracked and the methods of tracking to ensure best practices, consumer protection laws and other privacy laws are met.

This is an evolving area of law, and Sheppard Mullin will continue to closely monitor developments in this area.[iii] Entities with questions or seeking counsel can contact any member of our Healthcare Group or Privacy and Cybersecurity Group for assistance.

FOOTNOTES

[i] American Hospital Association et al v. Melanie Fontes Rainer et al, No. 4:23-cv-01110-P (N.D. Tex. 2023).

[ii] Guidance available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.

[iii] For additional information regarding notable FTC developments in this area, please see: https://www.eyeonprivacy.com/2023/07/regulators-send-warning-letter-to-hospitals-and-telehealth-providers-about-tracking-technology-use/.
