Hospitals push Congress to override HHS' crackdown on 3rd-party web trackers

The hospital lobby is calling on lawmakers to support their controversial use of third-party web tracking technologies that patients and the Department of Health and Human Services (HHS) view as a privacy breach.

Web traffic monitoring tools such as the Meta Pixel and Google Analytics are a mainstay on thousands of hospital websites, but, since a June 2022 investigation from The Markup, have become the focus of sometimes costly class-action lawsuits.

In exchange for traffic monitoring metrics and insights for hospitals, the technologies gather and send identifiable information about users to outside parties, often without their knowledge. A recent study suggests that more than nine in 10 hospitals’ homepages have at least one third-party cookie.

In December 2022, HHS’ Office for Civil Rights (OCR) issued guidance to hospitals warning that the services are a likely Health Insurance Portability and Accountability Act (HIPAA) violation.

Since then, OCR and the Federal Trade Commission have sent warning letters to more than a hundred hospital systems and telehealth providers that have integrated the tools into their websites or apps. The letters were made public in September.

Responding Thursday to a Senate Committee on Health, Education, Labor and Pensions (HELP) request for information regarding health data privacy, the American Hospital Association (AHA) took the opportunity to paint the 2022 OCR guidance as “simply bad public policy.”

“Not only does this OCR rule violate HIPAA and its implementing regulations, but it inflicts meaningful harm on patients and public health,” AHA Executive Vice President Stacey Hughes wrote to HELP Ranking Member Bill Cassidy, M.D., R-Louisiana. “Congress should urge OCR to withdraw the rule immediately.”

From a legal perspective, AHA took issue with OCR’s “misguided view” that a technology’s connection of an individual’s IP address and a public webpage addressing specific health conditions or care providers meets the bar for HIPAA’s protections.

That stance extends the protections to users who may not actually be seeking care, users searching for services for another, users seeking general health information or those conducting academic research on a hospital’s website—all of which AHA said upends “the balance that HIPAA strikes” between patients’ privacy protections and allowing for the use of information.

“In fact, courts have already concluded that the interpretation of individually identifiable health information offered by HHS in its guidance ‘goes well beyond the meaning of what the statute can bear,’” Hughes wrote in reference to portions of court decisions in recent HIPAA lawsuits related to the technologies.

As written, OCR’s rule limits web traffic analytics tools that “allow hospitals to more effectively allocate resources and help community members more easily find the healthcare information that they are seeking,” the association wrote. It would also restrict other third-party tools related to embedded videos, which are used to inform the public, and map/location technologies which can offer directions to care services, AHA added.

Rather than bring the restrictions down on hospitals, AHA advised lawmakers to take a closer look at new privacy restrictions for vendors and other hospital tech partners that aren’t already covered by HIPAA—“especially those third-party entities that decline to sign business associate agreements to ensure patient privacy,” Hughes wrote.

Beyond the data tracker policy, AHA’s letter reiterated a request that Congress bolster HIPAA to override state-level privacy requirements that are “more stringent” than federal protections.

Though this would bring an effective net decline in the nation’s health data protections, the federal law “is more than sufficient to protect patient privacy,” AHA said. Maintaining a patchwork of state requirements, meanwhile, is costly to providers and presents a barrier to the electronic data sharing goals the industry is trying to achieve, the group said.

“Varying state laws only add costs and create complications for hospitals and health systems,” Hughes wrote. “As such, the AHA reiterates its long-standing recommendation that Congress strengthen HIPAA preemption.”