The Biden Administration has found itself in court in the state of Texas again – but not over the No Surprises Act (NSA) this time! The American Hospital Association (AHA) and the Texas Hospital Association (THA), along with two Texas health systems, filed a lawsuit in the Northern District of Texas asking the court to bar enforcement of a December 2022 U.S. Department of Health and Human Services (HHS) bulletin stating that tracking technology hospitals use on public-facing websites and apps that connects an individual’s IP address or email to web traffic behavior is likely a Health Insurance Portability and Accountability Act (HIPAA) violation.
In the lawsuit, the AHA argues that this bulletin is effectively a legislative rule, because it speaks to conduct that would be banned under HIPAA. It also states that this would be a “gross overreach by the federal bureaucracy” imposed without public input, contrary to the intent of HIPAA in the first place. The group notes that while hospitals and health systems certainly acknowledge and honor HIPAA provisions, sharing information with the public is key to public health and combatting misinformation – a key goal, especially coming out of the COVID-19 epidemic – and that the guidance harms the very people it is supposed to be protecting.
Citing HHS’s own words that “information is essential fuel for the engine of healthcare,” AHA listed the third-party tracking technologies that are key to enhancing hospital websites through gauging functionality, helpfulness, and what adjustments need to be made to publicize information and services. These technologies include analytic tools, which convert website visitors’ interactions on hospital websites into data that can be studied; video technologies that educate the community about health conditions and support virtual tours of facilities; translation tools that help non-English speakers access healthcare information; and map and location technologies that help visitors access healthcare based on their location. All these technologies use a website visitor’s IP address, and therefore potentially run afoul of the HHS bulletin.
So, how prevalent are these technologies that AHA and others found a lawsuit necessary? A recent Health Affairs study found that about 99 percent of the almost 3,800 hospitals studied utilized this type of tracking software.
But despite that prevalence, hospitals and health systems have felt unfairly targeted over the last few months. In July, HHS and the Federal Trade Commission (FTC) issued warning letters to 130 organizations over the use of this technology, and went on to publicly post the names of the organizations for all to see. And the plaintiff groups also point out that the government itself often uses these tracking tools, giving three examples of the Veterans Health Administration (VHA), Medicare.gov, and U.S. Department of Defense (DOD) web pages. They pointed this out, they say, not to force the government to stop using the technology, but to highlight the importance of it. The AHA President said the “rule for thee but not for me” approach of HHS was unexplainable, and has led to class-action litigation invoking the bulletin and significant financial costs for systems that have been forced to remove the technology from their websites to avoid legal action.
With all of that in mind, the lawsuit asks the court to declare that the information collected by all of these tools not be considered data protected under HIPAA, or at a minimum that the bulletin should have been subject to notice and comment. So now we wait to see how the administration fares in this Texas court.