On November 2, 2023, the American Hospital Affiliation and Texas Hospital Affiliation, along side the Texas Well being Sources and United Regional Well being Care System, filed go well with towards the Secretary of the Division of Well being and Human Providers (“HHS”) and the Director of the HHS Workplace for Civil Rights (“OCR”) concerning OCR’s steerage on the usage of on-line monitoring applied sciences by HIPAA entities.[i] This motion and its outcomes will influence how healthcare entities should shield and should use sure info collected on their digital websites.

Lawsuit Particulars

As we coated in a earlier weblog submit, OCR launched steerage in December 2022 on the usage of monitoring applied sciences by HIPAA-regulated entities (the “Steering”).[ii] The lawsuit challenges the portion of the Steering that considers the usage of monitoring applied sciences on healthcare suppliers’ unauthenticated webpages to be topic to HIPAA. This contains, for instance, linking an IP deal with with viewing particular well being situations or healthcare suppliers (the “Proscribed Mixture”). The grievance particularly alleges that the Steering, as utilized to unauthenticated public webpages: (1) exceeds HHS’s authority beneath HIPAA and the First Modification; and (2) fails to satisfy rulemaking necessities beneath the Administrative Process Act (“APA”). The grievance additionally factors out that third-party trackers will be discovered on the federal authorities’s personal coated entity company webpages.

The grievance states there’s a lack of affordable foundation to find out whether or not the Proscribed Mixture sufficiently identifies a person who visits a webpage for well being, care, or fee functions. For instance, a person might go to a medical situation webpage, however such a go to is probably not in reference to the person’s healthcare or sought providers. By concluding the Proscribed Mixture constitutes individually identifiable well being info topic to HIPAA, plaintiffs allege OCR exceeded its authority. The grievance additionally alleges the Steering prohibits healthcare suppliers from disclosing details about the utilization of a public webpage on health-related subjects in violation of the First Modification.

With respect to the APA, the grievance alleges: (1) OCR’s reasoning used to find out the Proscribed Mixture is individually identifiable well being info is bigoted and capricious; and (2) the Steering is procedurally faulty as a result of it was promulgated with no notice-and-comment interval and with out consulting hospitals and well being methods.

Key Takeaways

Notably, the grievance doesn’t take situation with the Steering with respect to monitoring applied sciences on authenticated websites. HIPAA-regulated entities ought to fastidiously consider the trackers current on such websites and decide the suitable plan of action. This may increasingly embody eradicating the trackers or getting into right into a enterprise affiliate settlement with the monitoring entity.

Moreover, class motion lawsuits associated to the usage of trackers by healthcare suppliers proceed to pose a danger, whatever the end result of this lawsuit. Though sure HIPAA dangers could also be mitigated on account of this lawsuit, when utilizing monitoring applied sciences, entities, particularly healthcare entities, ought to proceed to evaluate and monitor the knowledge being tracked and the strategies of monitoring to make sure finest practices, shopper safety legal guidelines and different privateness legal guidelines are met.

That is an evolving space of legislation, and Sheppard Mullin will proceed to intently monitor developments on this space.[iii] Entities with questions or searching for counsel can contact any member of our Healthcare Crew or Privateness and Cybersecurity Crew for help.

FOOTNOTES

[i] American Hospital Affiliation et al v. Melanie Fontes Rainer et al, No. 4:23-cv-01110-P (N.D. Tex. 2023).

[ii] Steering obtainable at: https://www.hhs.gov/hipaa/for-professionals/privateness/steerage/hipaa-online-tracking/index.html.

[iii] For added info concerning notable FTC developments on this space, please see: https://www.eyeonprivacy.com/2023/07/regulators-send-warning-letter-to-hospitals-and-telehealth-providers-about-tracking-technology-use/.