The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics


Written by Małgorzata Poddębniak

Published October 25, 2024

SUMMARY

  • A US district court ruled in favor of the American Hospital Association (AHA) against the Department of Health and Human Services (HHS), stating that HHS exceeded its authority regarding its guidance on online tracking technologies.
  • However, the court ruling applies to a specific case and does not vacate the entire guidance issued by HHS. Practices allowed under HIPAA concerning the use of tracking technologies like analytics platforms are still subject to interpretation.
  • Healthcare organizations risk violating HIPAA and other laws when collecting and sharing protected health information (PHI) with third-party vendors. They continue to face class action lawsuits, particularly for using tracking pixels that can inadvertently share sensitive patient data with Facebook or Google.
  • HIPAA-covered entities must implement appropriate safeguards to ensure HIPAA compliance and maintain patient trust. Particularly, they should opt for HIPAA-compliant analytics platforms and sign business associate agreements (BAAs) with analytics vendors.

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

On June 20, 2024, a US district court ruled in favor of the American Hospital Association (AHA) in its lawsuit against the Department of Health and Human Services (HHS) bulletin on the use of online tracking technologies, declaring the bulletin beyond agency authority. The 2022 bulletin sought to inform entities regulated under HIPAA of their obligations concerning the use of tools like analytics platforms on websites or apps. On August 29, the HHS Office for Civil Rights (OCR) decided not to appeal the court’s decision.

As a result, healthcare organizations may feel inclined to relax their efforts to ensure HIPAA compliance in their marketing stacks or stop seeking HIPAA-compliant alternatives. However, it’s important to note that the ruling, and HHS’s decision not to appeal, do not diminish the actual compliance risks.

Neglecting HIPAA compliance can damage healthcare providers’ reputation and patient trust, in addition to risking costly fines. Many organizations face class action lawsuits even after the court ruling against the HHS bulletin. Healthcare providers continue to violate HIPAA, primarily through tracking pixels installed on their websites that share sensitive patient data with tech giants like Meta or Alphabet. 

In this article, we explain the implications of the ruling in the AHA’s case and how healthcare organizations should use online tracking technologies in ways that let them comply with HIPAA.

The HHS bulletin on the use of tracking technologies

The HHS bulletin was initially issued on December 1, 2022, aiming to address potentially impermissible uses and disclosures of protected health information (PHI) by healthcare providers. According to the bulletin, PHI may be found on many authenticated (password-protected) pages and on certain unauthenticated pages and mobile apps, making them subject to HIPAA. For example, the OCR assumed that anyone visiting a covered healthcare provider’s website was, is, or will be that provider’s patient.

The AHA lawsuit against HHS and its guidance on tracking technologies

In November 2023, the American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued HHS to bar enforcement of a rule adopted in its bulletin on the use of online tracking technologies. 

The AHA challenged HHS’s interpretation of HIPAA requirements, especially its overly broad conception of PHI. They argued that, contrary to HHS guidance, a person’s IP address combined with a visit to a specific webpage isn’t sufficient to constitute PHI.

The AHA stated that the HHS bulletin upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their website traffic to enhance access to care and public health. The AHA also argued that essential website tools like analytics platforms will no longer appear on hospital websites. The AHA’s lawsuit was supported by 17 state hospital associations and 30 hospitals and health systems.

After the original bulletin was challenged in court, HHS issued revised guidance on March 18, 2024. The revisions, however, left regulated entities with the seemingly impossible task of distinguishing between what is and what is not a disclosure of PHI subject to HIPAA based on a website visitor’s intent. The AHA called the modifications “cosmetic” and stated that “the modified Bulletin suffers from the same basic substantive and procedural defects as the original one.”

In June 2024, a judge ruled in favor of the AHA, declaring that the OCR had overstepped its authority when issuing the guidance. On August 29, the OCR announced it would not appeal the district court’s decision.

The impact of the court ruling on HIPAA-covered entities

The court ruling and HHS’s decision not to appeal it do not mean that the issue of protecting PHI in the context of analytics tools has been settled once and for all. The ruling was issued in a specific case, finding that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, such as those relating to authenticated pages like patient portals. HHS can still enforce against certain combinations of HIPAA identifiers with health information – for example, an ad click ID connected with a scheduled doctor appointment and shared with an ad platform like Google.

The HHS is also not the only authority governing HIPAA compliance. The Federal Trade Commission (FTC) has issued orders in several cases relating to healthcare providers. In April 2024, the FTC ordered the telehealth company Cerebral to pay a $7 million fine and limit the use of consumer health data for advertising purposes.

Collecting and sharing PHI still requires special caution

While the court’s verdict in the AHA’s lawsuit may serve as a benchmark for later decisions on possible HIPAA violations, the complexity of PHI protection and the diversity of contexts involved call for particular care. The fundamental issues surrounding the collection and use of PHI by healthcare organizations remain unchanged.

What is allowed under HIPAA concerning the use of tracking technologies like analytics platforms continues to be subject to interpretation. While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it alarmingly easy for PHI to inadvertently leak into your website or app. Therefore, it’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI that maintains the status quo.

The rise in class action lawsuits against healthcare providers

In recent years, dozens of class action lawsuits have been filed against healthcare providers across the US. Most of these lawsuits concern the providers’ use and sharing of patient data with major ad platforms. 

Two Louisiana health systems – LCMC Health and Willis-Knighton Health – were sued for using the Meta Pixel on their websites, which shared medical data of hundreds of thousands of patients with Facebook and Instagram. Advocate Aurora Health agreed to pay $12.2 million to settle a lawsuit for disclosing the personal health information of more than 2.5 million people to Meta and Google without their consent.

The ruling in the AHA’s case does nothing to protect healthcare companies from these class action lawsuits, especially since they allege violations of state and federal privacy laws, not HIPAA. Many states have laws that protect the same information as HIPAA and provide a private right of action, which HIPAA does not. The class action lawsuits indicate that healthcare providers continuously fail to sufficiently protect patient data from being shared with third parties.

Focusing on patient trust

Consumers have grown more aware of their online privacy and how their personal data is being used, and this trend will only increase. People don’t want to be tracked by ad tech companies, especially when it concerns their health information. But, as we can see, many healthcare providers continue to neglect patient privacy by sharing their sensitive information with third-party vendors. 

Healthcare companies also struggle to adequately inform consumers about the use of third-party tracking technologies on their websites. A recent study of 100 US hospitals found that 96% of hospital websites transmitted user information to third parties, and only 71% had a publicly accessible privacy policy. Of those, only 56.3% disclosed the specific third-party companies receiving user information.

Considering all these aspects, the AHA ruling does not remove healthcare organizations’ responsibilities when collecting and sharing sensitive patient information with tracking technology vendors. They must apply proper safeguards to protect themselves from costly lawsuits and civil penalties. Let’s not forget the root of all this – patient trust – which means there is no room for bare-minimum measures in protecting patient privacy. 

Here is what you can do to ensure your use of analytics stays in line with HIPAA requirements.

How should healthcare organizations comply with HIPAA and HHS guidance?

Healthcare providers must carefully assess and monitor the tracking technologies they use, what tools can access PHI, and whether they have business associate agreements (BAAs) in place.

On top of that, they need to monitor any future guidance issued by HHS/OCR and the FTC, as well as state privacy law developments in this space.

HIPAA-covered entities must sign a business associate agreement (BAA) with a tracking technology vendor that meets the definition of a business associate before passing PHI to them. If you can’t sign a BAA, you must adequately de-identify PHI or restrict its flow to analytics.

Consider the following cases:

  • You need BAAs for tools containing user data, such as CRM systems and customer data platforms (CDPs). 
  • You might not need a BAA if your analytics tool runs on unauthenticated websites.
  • You must sign a BAA if your analytics tool runs on authenticated (password-protected) pages, such as a patient portal.

HIPAA-covered entities must ensure that all disclosures of PHI to tracking technology vendors are permitted by HIPAA. Using any PHI/ePHI for marketing or advertising without a BAA can be a severe violation of HIPAA. Consult your legal department to review your digital infrastructure and determine whether a BAA is necessary. 
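One way to restrict the flow of PHI to an analytics vendor in the browser, as an added example rather than code from this post or from any vendor: the page URL is scrubbed before it is handed to the analytics tag, and hits from authenticated pages are suppressed entirely unless a BAA is in place. The authenticated path prefixes, the allowlisted query parameters and the `hasBaa` flag are assumptions for the example.

```javascript
// Added example (not Piwik PRO code): gate what a web analytics tag is allowed
// to see before a hit leaves the browser. Path prefixes and the allowlist
// below are placeholders for a real deployment.

// Assumed: paths under these prefixes are authenticated (e.g. a patient portal).
const AUTHENTICATED_PREFIXES = ["/portal/", "/myhealth/"];

// Query parameters that may reach analytics. Everything else is dropped,
// including ad click IDs such as gclid and fbclid and any appointment or
// patient identifiers passed in the URL.
const ALLOWED_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);

// Path segments that look like record numbers (long digit runs or UUIDs) are
// replaced so a visit cannot be tied to a specific appointment or patient.
const ID_SEGMENT =
  /^(\d{4,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

function isAuthenticatedPath(pathname) {
  return AUTHENTICATED_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// Returns the URL that may be sent to the analytics vendor, or null when the
// hit must be suppressed. `hasBaa` says whether a business associate
// agreement is in place with that vendor.
function sanitizeForAnalytics(rawUrl, hasBaa) {
  const url = new URL(rawUrl);
  // Without a BAA, nothing from an authenticated page may leave the browser.
  if (isAuthenticatedPath(url.pathname) && !hasBaa) {
    return null;
  }
  url.pathname = url.pathname
    .split("/")
    .map((segment) => (ID_SEGMENT.test(segment) ? "_id_" : segment))
    .join("/");
  // Copy the keys first: deleting while iterating the live list skips entries.
  for (const key of Array.from(url.searchParams.keys())) {
    if (!ALLOWED_QUERY_PARAMS.has(key)) {
      url.searchParams.delete(key);
    }
  }
  url.hash = ""; // fragments can carry session tokens or record numbers too
  return url.toString();
}
```

The same gate belongs in front of every tag that fires on the site, not only the analytics platform, since pixels from ad platforms read the same URL.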

The most secure approach for HIPAA-covered entities involves switching to an analytics platform that explicitly supports HIPAA compliance and provides appropriate safeguards for handling sensitive health information.

The biggest web analytics providers, Adobe and Google, have not changed their guidelines for using their most popular products: Adobe Analytics and Google Analytics 4. HIPAA-covered entities should not use those products.

Learn more about how popular analytics vendors approach HIPAA compliance: A review of HIPAA-compliant analytics platforms.

HIPAA-compliant analytics with Piwik PRO

Piwik PRO is an all-in-one analytics platform providing healthcare organizations with HIPAA compliance and comprehensive analytics features.

We are committed to providing HIPAA-covered entities with the most secure marketing platform. We help companies in the healthcare industry meet the stringent requirements of HIPAA and offer our clients informative, valuable, and actionable insights.

We will sign a BAA with you, allowing you to send all types of PHI to your analytics setup. If you prefer, you can also de-identify all PHI before sending it to our platform.

Other HIPAA-related features that are part of our product include:

  • Hosting on select HIPAA-compliant Microsoft Azure data centers located in the US.
  • ISO 27001 certification.
  • HIPAA compliance attested as part of our SOC 2 Type II report.
  • Granular data access controls to restrict data access only to authorized personnel. 
  • Detailed audit logs to efficiently track data access and changes to the data collection configuration.
  • Not sharing ePHI with third parties or reusing it for other purposes.
  • Regular privacy and security audits by external, independent bodies to ensure the highest level of security measures.

After signing a BAA, you can safely use our Customer Data Platform (CDP) to deliver trusted and personalized healthcare experiences. CDP empowers you to unify patient data from different sources, remove data silos, and create a secure foundation for driving effective marketing and communications and improving your services. You can activate the data to acquire new clients, better respond to patients’ needs, improve contact center interactions, and much more. 
If you want to learn more about how Piwik PRO can support you in providing better patient experiences while maintaining HIPAA compliance, reach out to us: