Federal judge rules against HHS' 3rd-party web tracker policy for hospitals

A federal judge in Texas on Thursday ruled that guidance issued by the Biden administration that prohibits the use of third-party online tracking technologies on hospitals' public-facing web pages was unlawful.

U.S. District Judge Mark Pittman in Fort Worth, Texas, sided with the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System in his ruling, which found that the Department of Health and Human Services overstepped its authority with the 2022 guidance.

The Biden administration, through the Department of Health and Human Services' Office for Civil Rights (OCR), issued a bulletin in December 2022 warning that hospitals' use of pixel trackers such as Google Analytics or Meta Pixel may run afoul of federal privacy law if these tools expose patients' protected health information.

In the bulletin, OCR warned providers that using pixel-tracking tools in patient portals could constitute a Health Insurance Portability and Accountability Act (HIPAA) violation. Entities covered by HIPAA can't use these tools if they'll be used to transmit patient data without their knowledge, and they're required to enter into business associate agreements with the vendors of these technologies to ensure HIPAA compliance.

Meta's Pixel tool was found on the websites of about a third of the nation's largest hospitals, according to an investigation from The Markup.

HHS OCR's late 2022 policy decision to consider hospitals and other HIPAA-covered entities’ use of these tools as a violation of the privacy law has led to a spate of class-action lawsuits and settlements for provider organizations.

The position has also proven unpopular within the industry. In November 2023, the AHA and others filed a federal lawsuit calling on the courts to bar enforcement of OCR’s policy. It later picked up widespread support from several state hospital associations and health systems.

In March, HHS updated its guidance on the use of third-party web trackers to exclude certain types of website visits from meeting its criteria for a protected health information (PHI) disclosure.

The AHA lawsuit specifically argues that HHS expanded HIPAA’s definition of “individually identifiable health information” beyond its statutory authority and calls for the portion of OCR’s guidance addressing unauthenticated web pages to be invalidated.

The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in Thursday's ruling.

Judge Pittman ruled in favor of the AHA and other plaintiffs. In the decision, Pittman states that the rule set forth in the March 18, 2024, HHS Bulletin "was promulgated in clear excess of HHS's authority under HIPAA."

The judge vacated the guidance.

The plaintiffs—American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System—said they were pleased with the ruling in a joint statement.

“For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text,’” AHA General Counsel Chad Golder said in a statement. “As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”

In the ruling, Pittman wrote that metadata from a user's search of a hospital's public-facing web page does not meet the definition of "individually identifiable health information" protected by HIPAA and that HHS went too far in its interpretation.

"To hold otherwise would empower HHS and other executive entities to take increasingly expansive liberties with the finite authority granted to them. The Court is disinclined to set that precedent here," Pittman wrote in the court ruling.

The AHA and other plaintiffs said that the 2022 guidance has upended hospitals’ and health systems’ ability to share healthcare information with the communities they serve and analyze their own website traffic to enhance access to care and public health.