SUMMARY
- A US district court ruled in favor of the American Hospital Association (AHA) against the Department of Health and Human Services (HHS), stating that HHS exceeded its authority regarding its guidance on online tracking technologies.
- However, the court ruling applies to a specific case and does not vacate the entire guidance issued by HHS. Practices allowed under HIPAA concerning the use of tracking technologies like analytics platforms are still subject to interpretation.
- Healthcare organizations risk violating HIPAA and other laws when collecting and sharing protected health information (PHI) with third-party vendors. They continue to face class action lawsuits, particularly for using tracking pixels that can inadvertently share sensitive patient data with Facebook or Google.
- HIPAA-covered entities must implement appropriate safeguards to ensure HIPAA compliance and maintain patient trust. Particularly, they should opt for HIPAA-compliant analytics platforms and sign business associate agreements (BAAs) with analytics vendors.
Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.
On June 20, 2024, a US district court ruled in favor of the American Hospital Association (AHA) in its lawsuit against the Department of Health and Human Services (HHS) over the HHS bulletin on using online tracking technologies, declaring the bulletin beyond the agency’s authority. The 2022 bulletin sought to inform entities regulated under HIPAA of their obligations concerning the use of tools like analytics platforms on websites or apps. On August 29, the HHS Office for Civil Rights (OCR) decided not to appeal the court’s decision.
As a result, healthcare organizations may feel inclined to relax their efforts to ensure HIPAA compliance in their marketing stacks or stop seeking HIPAA-compliant alternatives. However, it’s important to note that the ruling, and HHS’s decision not to appeal, do not diminish the actual compliance risks.
Neglecting HIPAA compliance can damage healthcare providers’ reputations and patient trust, in addition to risking costly fines. Many organizations face class action lawsuits even after the court ruling against the HHS bulletin. Healthcare providers continue to violate HIPAA, primarily through tracking pixels installed on their websites that share sensitive patient data with tech giants like Meta or Alphabet.
In this article, we explain the implications of the ruling in the AHA’s case and how healthcare organizations should use online tracking technologies in ways that let them comply with HIPAA.
The HHS bulletin on the use of tracking technologies
The HHS bulletin was initially issued on December 1, 2022, aiming to address potentially impermissible uses and disclosures of protected health information (PHI) by healthcare providers. According to the bulletin, PHI may be found on many authenticated (password-protected) pages and certain unauthenticated pages and mobile apps, making them subject to HIPAA. For example, the OCR assumed that anyone visiting a covered healthcare provider’s website was, is or will be a provider’s patient.
Learn more: HHS guidance on using online tracking technologies: How to make your analytics HIPAA-compliant.
The AHA lawsuit against HHS and its guidance on tracking technologies
In November 2023, the American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued HHS to bar enforcement of a rule adopted in its bulletin on the use of online tracking technologies.
The AHA challenged HHS’s interpretation of HIPAA requirements, especially its overly broad conception of PHI. The AHA argued that, contrary to HHS guidance, a person’s IP address combined with a visit to a specific webpage isn’t sufficient to constitute PHI.
The AHA stated that the HHS bulletin upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their website traffic to enhance access to care and public health. The AHA also argued that essential website tools like analytics platforms will no longer appear on hospital websites. The AHA’s lawsuit was supported by 17 state hospital associations and 30 hospitals and health systems.
After the original bulletin was challenged in court, HHS issued revised guidance on March 18, 2024. The revisions, however, left regulated entities with the seemingly impossible task of distinguishing between what is and what is not a disclosure of PHI subject to HIPAA based on a website visitor’s intent. The AHA called the modifications “cosmetic” and stated that “the modified Bulletin suffers from the same basic substantive and procedural defects as the original one.”
In June 2024, a judge ruled in favor of the AHA, declaring that the OCR had overstepped its authority when issuing the guidance. The ruling centered on the interpretation that an IP address combined with website visit data from an unauthenticated page does not constitute PHI. On August 29, the OCR announced it would not appeal the district court’s decision.
The impact of the court ruling on HIPAA-covered entities
The court ruling and HHS’s decision not to appeal it do not mean that the issue of protecting PHI in the context of analytics tools has been settled once and for all. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals. HHS can still take enforcement action in certain instances where HIPAA identifiers are combined with health information – for example, an ad click ID connected with a scheduled doctor appointment and shared with an ad platform like Google.
HHS is not the only regulator healthcare organizations need to consider. Even if data doesn’t fall under HIPAA, it may still be subject to other privacy regulations. The Federal Trade Commission (FTC) has issued orders in several cases involving healthcare providers without relying on HIPAA at all. A common legal basis for the FTC’s involvement is the FTC Act, which prohibits unfair or deceptive trade practices. In April 2024, the FTC ordered the telehealth company Cerebral to pay a $7 million fine and limit the use of consumer health data for advertising purposes.
Collecting and sharing PHI still requires special caution
While the court’s verdict in the AHA’s lawsuit may serve as a benchmark for later decisions on possible HIPAA violations, the complexity of PHI protection and the diversity of contexts involved call for particular attention. The fundamental issues surrounding the collection and use of PHI by healthcare organizations remain unchanged.
What is allowed under HIPAA concerning the use of tracking technologies like analytics platforms continues to be subject to interpretation. While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it alarmingly easy for PHI to inadvertently leak into your website or app. Therefore, it’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI that maintains the status quo.
The rise in class action lawsuits against healthcare providers
In recent years, dozens of class action lawsuits have been filed against healthcare providers across the US. Most of these lawsuits concern the providers’ use and sharing of patient data with major ad platforms.
Two Louisiana health systems – LCMC Health and Willis-Knighton Health – were sued for using Meta Pixel on their websites, which shared medical data of hundreds of thousands of patients with Facebook and Instagram. Advocate Aurora Health agreed to pay $12.2 million to settle a lawsuit for disclosing the personal health information of more than 2.5 million people to Meta and Google without their consent.
The ruling in the AHA’s case does nothing to protect healthcare companies from these class action lawsuits, especially since they allege violations of state and federal privacy laws, such as the California Consumer Privacy Act (CCPA) or the Illinois Biometric Information Privacy Act (BIPA), not HIPAA. Many states have laws that protect the same information as HIPAA and provide a private right of action, which HIPAA does not. The class action lawsuits indicate that healthcare providers continuously fail to sufficiently protect patient data from being shared with third parties.
Focusing on patient trust
Consumers have grown more aware of their online privacy and how their personal data is being used, and this trend will only increase. People don’t want to be tracked by ad tech companies, especially when it concerns their health information. But, as we can see, many healthcare providers continue to neglect patient privacy by sharing their sensitive information with third-party vendors.
Healthcare companies also struggle to adequately inform consumers about the use of third-party tracking technologies on their websites. A recent study of 100 US hospitals found that 96% of hospital websites transmitted user information to third parties, and only 71% had a publicly accessible privacy policy. Of those, only 56.3% disclosed the specific third-party companies receiving user information.
Considering all these aspects, the AHA ruling does not remove healthcare organizations’ responsibilities when collecting and sharing sensitive patient information with tracking technology vendors. They must apply proper safeguards to protect themselves from costly lawsuits and civil penalties. Let’s not forget the root of all this – patient trust – which means there is no room for bare-minimum measures in protecting patient privacy.
Here is what you can do to ensure your use of analytics stays in line with HIPAA requirements.
How should healthcare organizations comply with HIPAA and HHS guidance?
Healthcare providers must carefully assess and monitor the tracking technologies they use, what tools can access PHI, and whether they have business associate agreements (BAAs) in place.
On top of that, they need to monitor any future guidelines issued by HHS/OCR, FTC, and other state privacy developments in this space.
HIPAA-covered entities must sign a business associate agreement (BAA) with a tracking technology vendor that meets the definition of a business associate before passing PHI to them. If you can’t sign a BAA, you must adequately de-identify PHI or restrict its flow to analytics.
HIPAA-covered entities must ensure that all disclosures of PHI to tracking technology vendors are permitted by HIPAA. Using any PHI/ePHI for marketing or advertising without a BAA can be a severe violation of HIPAA.
Consider the following cases:
- You need BAAs for tools containing user data, such as CRM systems and customer data platforms (CDPs).
- You might not need a BAA if your analytics tool runs on unauthenticated pages only.
- You must sign a BAA if your analytics tool runs on authenticated (password-protected) pages, such as a patient portal.
However, these approaches heavily depend on what data you collect on respective pages. If any data, even that collected on unauthenticated pages, could be used to identify an individual and relates to their health, it could still be considered PHI. You must carefully assess all data collected, regardless of whether the page is password protected. Consult your legal department to review your digital infrastructure and determine whether a BAA is necessary.
While a BAA ensures that the vendor complies with HIPAA, it does not eliminate the need for patient authorization. Covered entities must obtain written authorization from patients before using or disclosing PHI for marketing purposes, as well as for selling it. This includes any campaign that promotes a product or service, especially if it involves payment. However, authorization isn’t required when the activity is related to treatment, payment, or healthcare operations.
Valid patient authorization under HIPAA must be specific, informed, and given voluntarily, and must include the following:
- The specific purpose for which the PHI will be used, such as analytics, research, or improving patient care.
- The types of PHI that will be collected and used, such as IP addresses, search queries, or appointment details.
- Any third parties, such as analytics vendors, that will receive the PHI.
- An expiration date or event after which the consent is no longer valid.
- How patients can revoke their authorization at any time.
- Signature and date by the patient or their legal representative.
A consent management platform (CMP) can help you automate the process of obtaining, managing, and tracking patient consent.
Read more: 45 CFR §164.508: Requirements for authorization in marketing and other non-TPO disclosures.
What if you can’t sign a BAA with the analytics vendor?
Without a signed BAA with the vendor, healthcare organizations must de-identify PHI using one of the approved methods:
- Safe Harbor method: Remove all 18 identifiers listed in HIPAA (e.g., names, addresses, dates, Social Security Numbers) and ensure no remaining data could identify an individual.
- Expert Determination: Engage a qualified expert to confirm that the risk of re-identification is “very small” using statistical or scientific methods.
Once de-identified, the data is no longer PHI and can be used for analytics without a BAA.
Freshpaint is an example of a platform that adopts de-identification. It uses techniques such as creating anonymous visitor IDs and irreversible cryptographic hashing to de-identify data. Freshpaint’s key feature is preventing PHI from being shared with non-HIPAA-compliant tools.
However, de-identification is challenging and requires significant resources to do it properly. Despite efforts to de-identify data, there remains a risk that sophisticated technologies could re-identify individuals, especially if the data is combined with other datasets. De-identification requires careful handling to ensure the data remains protected and useful for analysis, which can be difficult to achieve in practice. On top of that, managing de-identified data with a platform like Freshpaint requires coordination between legal, technical, and marketing teams.
Another option for healthcare organizations to mitigate the risk of HIPAA violations is data anonymization. For example, they can use third-party anonymization software to irreversibly mask PHI before transmitting data to analytics vendors. You need a signed BAA with the anonymization vendor, but since the analytics vendor does not receive PHI, you don’t need a BAA with them.
Anonymized data, while offering maximum privacy protection, may not be suitable for all types of analysis or research. Anonymization reduces data accuracy and granularity, strongly limiting its value. Achieving proper anonymization requires advanced techniques and thorough validation.
Companies can also use HIPAA-compliant “limited data sets” (retaining some identifiers like dates) for analytics if a data use agreement is in place. This avoids a BAA but still requires contractual safeguards to prevent re-identification.
Aggregated data for healthcare operations, such as population health analysis or quality improvement, is permitted under HIPAA if the BAA with the business associate explicitly allows it. Without a BAA, aggregation alone is insufficient unless combined with de-identification. For example, de-identified datasets from multiple sources can be combined to analyze trends without exposing individual identities.
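The Safe Harbor rules above (drop the 18 identifiers, keep only the year of dates, pool ages over 89, truncate ZIP codes) and the “limited data set” contrast can be applied to analytics events in code before they reach a vendor without a BAA. The following filter is an added example written for this article, not code from Piwik PRO or Freshpaint; its field names, query keys, sparse-ZIP list, and sample event are constructed assumptions.

```python
"""Safe Harbor de-identification of web analytics events before they reach a
vendor without a BAA; "limited" mode keeps dates, ZIPs and ages as a limited
data set may. Field names, query keys and the sample event are constructed."""
import re

# Fields carrying direct identifiers are dropped outright. user_id is dropped,
# not hashed: Safe Harbor allows a re-identification code only if it is not
# derived from the individual's data (45 CFR 164.514(c)).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ssn", "mrn", "ip",
                      "device_id", "user_id", "street_address"}
# Query-string keys that commonly carry identifiers in page URLs (assumed).
PHI_QUERY_KEYS = {"patient", "patient_id", "mrn", "email", "name", "dob"}
# 3-digit ZIP prefixes covering fewer than 20,000 people become "000"
# (illustrative subset; a deployment needs the current Census-based list).
SPARSE_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821", "823"}
FREE_TEXT_PATTERN = re.compile(  # e-mail address | SSN | US phone number
    r"[\w.+-]+@[\w-]+\.[\w.-]+|\b\d{3}-\d{2}-\d{4}\b"
    r"|\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")

def redact_text(text):
    # Identifiers leak through free text such as site search queries.
    return FREE_TEXT_PATTERN.sub("[REDACTED]", text)

def scrub_url(url):
    # Drop the fragment and any query parameter whose key may carry PHI.
    base, _, query = url.partition("?")
    base = base.split("#", 1)[0]
    kept = [p for p in query.split("&")
            if p and p.split("=", 1)[0].lower() not in PHI_QUERY_KEYS]
    return base + ("?" + "&".join(kept) if kept else "")

def generalize_zip(zipcode):
    prefix = re.sub(r"\D", "", zipcode)[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix

def deidentify(event, mode="safe_harbor"):
    out = {}
    for key, value in event.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "url":
            out[key] = redact_text(scrub_url(value))
        elif key.endswith("_date"):  # ISO yyyy-mm-dd; Safe Harbor keeps the year
            out[key] = value if mode == "limited" else value[:4]
        elif key == "age":           # Safe Harbor pools ages over 89
            out[key] = value if mode == "limited" or value <= 89 else "90+"
        elif key == "zip":
            out[key] = value if mode == "limited" else generalize_zip(value)
        else:
            out[key] = redact_text(value) if isinstance(value, str) else value
    return out

SAMPLE_EVENT = {  # constructed analytics event
    "url": "https://hospital.example/appointments?patient_id=48213&dept=oncology",
    "ip": "203.0.113.7", "email": "jane.doe@example.com", "age": 92,
    "visit_date": "2024-06-20", "zip": "03601", "page_title": "Oncology appointments",
    "search_query": "refill for jane.doe@example.com 555-123-4567"}
```

Run `deidentify(SAMPLE_EVENT)` to see the Safe Harbor output and `deidentify(SAMPLE_EVENT, mode="limited")` for the limited data set variant; Expert Determination, the other approved method, cannot be reduced to a static filter like this.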
The most secure approach for HIPAA-covered entities involves switching to an analytics platform that explicitly supports HIPAA compliance and provides appropriate safeguards for handling sensitive health information.
The biggest web analytics providers, Adobe and Google, have not changed their guidelines for using their most popular products: Adobe Analytics and Google Analytics 4. Adobe and Google will not sign a BAA for the use of these platforms, neither of which is designed to be HIPAA-compliant out of the box.
HIPAA-covered entities should not use those products.
Learn more about how popular analytics vendors approach HIPAA compliance: A review of HIPAA-compliant analytics platforms.
HIPAA-compliant analytics with Piwik PRO
Piwik PRO offers an all-in-one analytics platform consisting of four integrated modules – Analytics, Tag Manager, Consent Manager, and Customer Data Platform. As a healthcare organization, you can use our comprehensive features to build a powerful, HIPAA-compliant analytics stack that includes data collection, analysis, and activation.
We are committed to providing HIPAA-covered entities with the most secure marketing platform. We help companies in the healthcare industry meet the stringent requirements of HIPAA and offer our clients informative, valuable, and actionable insights.
We will sign a BAA with you, allowing you to send all types of PHI to your analytics setup. If you prefer, you can also de-identify all PHI before sending it to our platform.
Other HIPAA-related features that are part of our product include:
- Hosting on select HIPAA-compliant Microsoft Azure data centers located in the US.
- ISO 27001 certification.
- HIPAA compliance attested as part of our SOC 2 Type II report.
- Granular data access controls to restrict data access only to authorized personnel.
- Detailed audit logs to efficiently track data access and changes to the data collection configuration.
- Not sharing ePHI with third parties or reusing it for other purposes.
- Regular privacy and security audits by external, independent bodies to ensure the highest level of security measures.
Learn more: Piwik PRO is officially HIPAA certified!
After signing a BAA, you can safely use our Customer Data Platform (CDP) to deliver trusted and personalized healthcare experiences. CDP empowers you to unify patient data from different sources, remove data silos, and create a secure foundation for driving effective marketing and communications and improving your services. You can activate the data to acquire new clients, better respond to patients’ needs, improve contact center interactions, and much more.
If you want to learn more about how Piwik PRO can support you in providing better patient experiences while maintaining HIPAA compliance, reach out to us: