Dozens of health systems, state groups back AHA lawsuit against HHS' 3rd-party web tracker policy

Updated Jan. 17 at 12:00 p.m.

The American Hospital Association's (AHA's) lawsuit against the Department of Health and Human Services’ (HHS’) third-party web tracker policy has picked up the support of other hospital industry groups and organizations.

Specifically, 17 state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs on Jan. 12 backing up the national lobbying group's plea to strike an "unlawful and uncounseled" December 2022 bulletin addressing tools like the Meta Pixel and Google Analytics.

The groups said the tools are critical to their efforts to provide healthcare services to their communities, and that the practical effect of HHS' bulletin is to "undercut significant efforts [they] and other hospitals have made to maintain robust sources of online health information and counteract medical misinformation."

They also noted that the rule incentivizes litigation against health systems "to the great advantage of certain lawyers, but with no meaningful benefit to the public or even the individuals they represent."

The health systems filing in support of the AHA included Baylor Scott & White Health, BJC Health System, Christus Health, Jefferson Health, Johns Hopkins Health System, Northwestern Memorial HealthCare and the Regents of the University of California.


Hospitals are taking their campaign against the Department of Health and Human Services’ (HHS’) “rule for thee but not for me” crackdown on third-party web trackers to the courts.

In a new federal lawsuit (PDF)—filed Thursday in the Northern District of Texas by the American Hospital Association (AHA), the Texas Hospital Association and two health systems, Texas Health Resources and United Regional Health Care System—the hospital lobby called on the judicial branch to bar enforcement of a December 2022 bulletin released by HHS’ Office for Civil Rights (OCR).

That bulletin addressed tools like the Meta Pixel and Google Analytics that media and researcher investigations have found across nearly all hospital websites and that have since become a focus of class-action lawsuits.

OCR’s bulletin warned that these services and others that link an individual’s email or IP address to web traffic behavior are a likely Health Insurance Portability and Accountability Act (HIPAA) violation should they be present “on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions … or that permits individuals to search for doctors or schedule appointments without entering credentials.” HHS has subsequently confirmed investigations of numerous providers running afoul of the bulletin’s instructions.

“Simply put, OCR’s new rule harms the very people it purports to protect,” Rick Pollack, president and CEO of the AHA, said in a release announcing the lawsuit. “The federal government’s repeated threats to enforce this unlawful rule tie hospitals’ hands as trusted messengers of reliable healthcare information.”

Echoing their arguments from public letters sent to HHS and lawmakers alike, the hospital groups and systems wrote that the bulletin “upended the balance that HIPAA and its regulations strike between privacy and information-sharing.”

The bulletin’s requirement prevents hospitals from gathering and disseminating information among those either actively seeking out care or browsing for health or services information, they wrote. That restriction undermines Congress’ stated goals for HIPAA, per the complaint.

Should the restrictions stand, the hospitals said they would no longer be able to use analytics software that can help pinpoint a community’s information needs, technologies that help hospitals host third-party informational videos on their websites, translation and other accessibility services and digital maps to help users find and navigate to where healthcare services are available.

The plaintiffs also noted that many of the federal government’s own healthcare websites are actively using tools that are being restricted under the bulletin.

The complaint included three such examples of third-party analytics and advertising tools: on Veterans Health Administration webpages addressing specific health conditions like post-traumatic stress disorder, on Medicare.gov webpages explaining end-stage renal disease coverage eligibility requirements and on the Department of Defense’s Military Health System webpages discussing mental health resources available to service members.

An example of trackers on the U.S. Department of Veterans Affairs website included in the hospitals' complaint

“These technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites,” Pollack said. “We cannot understand why HHS created this ‘rule for thee but not for me.’”

The plaintiffs wrote that HHS’ policy has already brought harm to numerous providers via warning letters sent to more than a hundred hospital systems and telehealth providers. The letters were made public in September (PDF), placing “a public bullseye” on those organizations, they wrote.

Hospitals have also accrued “significant costs” when forced to remove the technologies from their webpages and have been subject to widespread and unfounded putative class-action litigation invoking the bulletin that imposes “substantial litigation costs through meritless claims.”

Should their other legal arguments fail, the plaintiffs also wrote that “at a minimum, the bulletin is procedurally defective because OCR did not undertake notice-and-comment rulemaking.”

OCR’s bulletin is classified on its website as a guidance material, though the hospitals argue that it is effectively a legislative rule “because it manifestly speaks with the force of law to condemn a new category of conduct … under HIPAA.”

The plaintiffs have requested that the court declare the information collected by the tools not to be individually identifiable health information (which is protected under HIPAA) and issue permanent injunctive relief enjoining HHS and OCR from enforcing the notice.

A recent University of Pennsylvania study suggests that more than 9 in 10 hospitals’ homepages have at least one third-party cookie.

In prior letters, the AHA has encouraged policymakers concerned about third-party data tracking to turn their gaze to tech vendors and other hospital partners with services not currently covered by HIPAA.