DSIR Deeper Dive: Tracking The Crackdown On Tracking/Pixel Technologies


Regulatory action and class action lawsuits related to pixels and other website technologies continued to surge in 2023 and 2024, particularly in the healthcare industry. The FTC and HHS OCR doubled down on their previously issued guidance, sending joint letters to specific hospital systems and telehealth providers warning that use of third-party web technologies may result in impermissible disclosures of individuals' PHI and ominously stressing that "[b]oth agencies are closely watching developments in this area." Hospitals went on the offensive against HHS OCR's pixel guidance, and at the same time we saw more class action settlements related to hospital systems' use of web tracking technology. The FTC announced significant settlements with Internet-based healthcare providers and also issued a notice of proposed rulemaking to amend the existing health breach notification rule to focus significantly on the sharing of website visitor information with third parties by entities not subject to HIPAA. All told, 2023 and 2024 have given 2022 a run for its money as the reigning "year of the pixel."

OCR and the FTC Double Down

As anticipated, regulatory focus on website technologies and health-related information did not let up in 2023, as federal regulators began threatening and engaging in enforcement actions related to third-party web technologies.

AHA Pushes Back

In November 2023, the American Hospital Association (AHA), the Texas Hospital Association, and two healthcare providers, Texas Health Resources and United Regional Health Care System, filed a lawsuit, AHA, et al. v. Becerra, et al., in Texas federal court seeking to enjoin the government's enforcement of the December 2022 OCR bulletin (the AHA Lawsuit). The AHA Lawsuit argued that the bulletin amounted to a new rule issued without the required rulemaking, exceeding HHS' statutory and constitutional authority and harming "the very people it purports to protect" along the way. AHA and its co-plaintiffs argued that the bulletin severely restricted hospitals' ability to rely on common third-party technologies used to analyze their websites and communicate reliable, accurate health information to the communities they serve. The result, the plaintiffs alleged, was that sites promoting disinformation (not regulated by HIPAA) would continue to leverage web technologies to ensure significant visibility on the internet, steadily eclipsing the reliable public health messaging originating from covered entities barred from using the same tools.

In January 2024, 30 healthcare entities joined in an amicus brief in support of the motion for summary judgment filed by the plaintiffs in the AHA Lawsuit. In response, in April 2024, HHS OCR issued a revised bulletin with additional guidance in an attempt to defeat the motion.

In June 2024, the court ruled in favor of the plaintiffs, agreeing that the HHS OCR bulletins' restriction on the use of third-party web technologies that capture IP addresses on portions of providers' public-facing webpages was unlawful rulemaking. The court concluded that "(1) an individual's IP address [combined] with (2) a visit to [an unauthenticated public webpage] addressing specific health conditions or healthcare providers" - the "Proscribed Combination" - is not individually identifiable health information (IIHI) under HIPAA. The court vacated the portions of the bulletin that addressed the use of the Proscribed Combination.

IIHI is defined under HIPAA as information that (1) relates to an individual's past, present or future physical or mental health or condition, their receipt of healthcare, or their payment for healthcare and (2) "identifies the individual" or provides "a reasonable basis to believe that the information can be used to identify the individual." The court explained that the Proscribed Combination fails on both the "relates to" prong and the "identifies" prong of the definition of IIHI. The court reasoned that while a visit to a healthcare provider's public website is "indicative of" or "might relate" to an individual's PHI, this is not enough to "relate to" an individual's health. As a result, the court concluded that "the Proscribed Combination facially exceeds HIPAA's unambiguous text," and thus the bulletin was an unlawful attempt to promulgate a new rule without proper rulemaking, in clear excess of HHS' authority under HIPAA. The court thus granted the plaintiffs' request for vacatur as to the portions of the bulletin related to the Proscribed Combination.

HHS OCR opted not to appeal the court's ruling. Our full coverage on the ruling can be found here.

Stay tuned for part two of this blog post in which we will discuss the overturn of the Chevron deference, the quest for compliant use of third-party technologies, and privacy class actions related to tracking technologies in 2023 and 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Melissa Bilancini BakerHostetler URL: www.bakerlaw.com

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing