Baker & Hostetler LLP

06/27/2024 | Press release | Distributed by Public on 06/27/2024 17:09

Northern District of Texas Flashes the ‘Blue Lights’ on OCR’s Pixel Guidance


On June 20, 2024, the Northern District of Texas issued its final order in American Hospital Association, et al. v. Becerra, et al. (AHA), granting the plaintiffs' (the American Hospital Association, two Texas health systems and the Texas Hospital Association) motion for summary judgment. The thorough (and delightfully irreverent) opinion - which aligned with BakerHostetler's analyses (here and here) and found persuasive arguments BakerHostetler advanced on behalf of 30 of our healthcare clients in amici submissions in support of the motion - concluded that:

  • "[A]n individual's IP address [combined] with (2) a visit to [unauthenticated public webpages (UPWs)] addressing specific health conditions or healthcare providers (the 'Proscribed Combination')" is not individually identifiable health information (IIHI) under the Health Insurance Portability and Accountability Act (HIPAA).
  • HHS lacked the authority to promulgate the Proscribed Combination in its tracking technology guidance, published first in December 2022 (Original Guidance) and revised in May 2024 (Revised Guidance) (collectively, the Guidance), because HHS may only enforce the HIPAA Privacy Rule as it pertains to IIHI and the Proscribed Combination is not IIHI.

The court issued declaratory judgment as to these conclusions and vacated the Guidance as it pertains to the Proscribed Combination. As the high-fives and champagne bottle emoji texts between healthcare entities begin to taper, we provide answers to the questions emerging from the compliance milieu about the real impact of this case.

My hospital is not in Texas. Does this even apply to me?

The short answer is yes, at least in part.

The vacatur of the Guidance with respect to the Proscribed Combination is nationwide, and HIPAA's definitions stand on their own. The ruling eliminates HHS' ability to pursue an enforcement action on the narrow basis of the Guidance's provisions on the Proscribed Combination.

While the vacatur is nationwide, the court's decision that the Proscribed Combination is not IIHI is not binding outside the parties to this lawsuit (such as class action lawsuits where no AHA parties are named), but it is persuasive. Whether it binds HHS in its enforcement of the HIPAA Privacy Rule relative to the use of tracking technologies against a defendant covered entity not party to this lawsuit is an open issue. Courts are divided on whether the doctrine of nonmutual defensive issue preclusion - essentially whether a ruling on a specific issue against a party in one case can be asserted defensively against that party by a new party defending in a subsequent case - can be asserted against the federal government.

We further assess the practical impact below.

Can we use pixels now?!

Tell your marketing department to settle down. The ruling is a win, but still a narrow one. The Guidance still stands with respect to the use of tracking technology on authenticated webpages, and other commentary not related to the Proscribed Combination. While the HHS Office for Civil Rights (OCR) cannot claim that noncompliance with the Guidance's stance on the Proscribed Combination is a basis for enforcement, it can try to take the position, against other covered entities, that tracking technology deployed on UPWs that transmits only IP addresses is sending protected health information (PHI) in violation of HIPAA. As discussed below, private plaintiffs are not barred from filing lawsuits based on the Proscribed Combination. And if tracking technology transmits more than the Proscribed Combination, covered entities must still confirm that it would not violate HIPAA.

In our prior analyses on this issue, we advised covered entities to create a policy and procedure for assessing tracking technology implementations so that a standard, HIPAA-compliant approach is defined and followed consistently across the organization. As part of that, we also recommend a multidisciplinary governance process for the use of these technologies. Those recommendations remain a best practice.

What is the practical impact on pending litigation?

In the context of litigation, it depends on the specific allegations and the law in your jurisdiction. If a plaintiff alleged that a state unfair competition law (UCL) was triggered based solely on a covered entity's noncompliance with the Guidance, that claim would now likely fail. If, however, a plaintiff alleged the UCL was triggered by a violation of HIPAA (based on the presumption that the information transmitted was IIHI), the AHA decision will only be persuasive, as explained in the next paragraph.

If a plaintiff alleged that the Proscribed Combination was IIHI, the transmission of which to a third-party tracking technology provider formed the basis for a cause of action, the impact remains to be seen. Under the doctrine of issue preclusion, the AHA decision only binds the parties to the AHA litigation. The AHA opinion will be, at the very least, persuasive, particularly given the convincing nature of Judge Pittman's analysis itself. That the judge incorporated similar decisions from several sister courts around the country in the opinion will also likely help to increase the weight other courts give to the decision.

What is the practical impact on HIPAA compliance?

In the context of HIPAA compliance, the impact depends on the approach covered entities have historically taken to the Guidance. BakerHostetler has consistently taken the position in prior blogs on this issue that the Proscribed Combination did not comport with the definition of IIHI and PHI under HIPAA. For entities that took this approach, there is no change except that the position has been vindicated.

For entities that embraced the Guidance as controlling - whether in the context of risk analyses and mitigations, HIPAA notification determinations, or responding to OCR investigations - a change in strategy and tone may be in order. Take, for instance, a tracking technology that only transmits IP address, URL, and device-browser information deployed on a covered entity's UPW. If a covered entity removed that tracker under the belief that it violated the Guidance, that decision could be reversed. If a covered entity is in the midst of deciding whether to notify patients based on the Guidance, the outcome may be different than it would have been on June 19.

How does this impact pending OCR and/or state regulatory investigations?

As explained above, HHS (and by extension OCR) is not foreclosed from taking the position that the Proscribed Combination is IIHI. If OCR continues to take that position going forward, the inference is that OCR believes that the AHA decision will be overturned or that it would not be successful in another venue and OCR is willing to take the risk. However, as covered entities well know, OCR can initiate an investigation for any reason, and penalties levied are rarely just for a single point of compliance failure. So, to the extent an OCR investigation was initiated based on allegations that the transmission of the Proscribed Combination to tracking technology providers violated HIPAA, OCR may continue the investigation into other areas of HIPAA compliance, even if it drops its focus on the initial concern.

Pending state attorney general investigations are likely to be impacted in the same way as private litigation would be. While the vacatur is limited in scope and the remainder of the decision is nonbinding, entities under investigation will likely argue that regulators will be thwarted in litigation by Judge Pittman's opinion and should, therefore, abandon ship. State regulators will need to decide whether the likelihood of success warrants continued enforcement activity.

What exactly did the court decide was not IIHI, and why?

The plaintiffs challenged HHS' proclamation (via the Guidance) that the following combination - the Proscribed Combination - constituted IIHI: an individual's IP address coupled with a visit by that individual to a UPW addressing specific health conditions or healthcare providers. The court succinctly stated the issue presented:

To state the obvious, the [plaintiffs] and countless amici are not in federal court to advocate for their right to disclose IIHI. Rather, they challenge whether the Proscribed Combination fits that taxonomy. If the Proscribed Combination isn't IIHI, the Privacy Rule doesn't apply. On the other hand, if the Proscribed Combination constitutes IIHI, covered entities have a host of legal obligations to ensure HIPAA compliance. And if the Proscribed Combination is novel, as the [plaintiffs] contend, then these legal obligations are necessarily new.

As a reminder, to be IIHI, information must relate to an individual's past, present or future physical or mental health or condition, receipt of healthcare, and/or payment for the care, and must either identify the individual to whom the information "relates" or reasonably be usable to identify that individual.

In its determination, the court identified the following to support that the Proscribed Combination fell outside the definition of IIHI:

  • The Proscribed Combination fails to meet the "relates to" prong of the definition of IIHI because it would merely indicate a condition. The definition of IIHI, however, uses the words "relates to." As the court noted, "Congress could have said 'may relate to.' It could have said 'might relate to.' It could have said 'relates to or is indicative of.' It didn't."
  • The Proscribed Combination also fails to meet the identifiability prong of IIHI. The court reasoned that, again, an IP address only creates an inference of identification, and the recipient of the Proscribed Combination couldn't reasonably determine the visitor's identity and their health condition. That is because the visitor's subjective intent in coming to the UPW controls, and that subjective intent is not received by the recipient, which renders the identity of the individual connected to the health information unknowable.

The court noted that "the Proscribed Combination hasn't been announced before, isn't standard practice for covered entities, has been rejected by federal courts, and isn't followed by the government." The court highlighted that the record reflects "ubiquitous non-compliance with the Proscribed Combination" not just on the part of hospitals but also on the part of state and federal entities that operate UPWs in the healthcare context. In other words, the statutory text and the lack of adherence in the healthcare industry indicate that this was an expansion of the definition of IIHI that is impermissible rulemaking.

Again, due to differing federal court opinions on nonmutual defensive issue preclusion against the federal government, it is not clear whether HHS is estopped from taking the position that the Proscribed Combination is IIHI with parties other than the plaintiffs in this lawsuit.

What is HHS going to do now?

At the time of publication, HHS has not indicated what it intends to do next. It could abandon the litigation and attempt to engage in required rulemaking to accomplish what the Guidance attempted. It could also appeal the judgment and request a stay of the district court's decision. We believe it is unlikely that the district court would grant a stay, as doing so would be tantamount to allowing OCR to continue enforcing the Proscribed Combination - an idea the court clearly found abhorrent. HHS has 60 days from the decision to file a notice of appeal, and we will be watching closely. If HHS does go the appeal route, we expect a decision from the 5th Circuit would not come for months.

Do we still have to include tracking technology in our HIPAA security risk analyses? Do we still need business associate agreements with tracking technology providers?

It depends! If your tracking technologies transmit PHI (as defined by HIPAA) to third parties, then the answer to both questions is yes. The AHA decision does not mean that covered entities are free to do whatever they want with tracking technology, and that is not what the plaintiffs were advocating.

However, if a covered entity's tracking technology is only collecting the Proscribed Combination, the covered entity may feel emboldened by the AHA decision to take the position that it is not collecting PHI and the Privacy Rule does not apply. As discussed above, even though the Guidance's commentary on the Proscribed Combination has been vacated, it is not clear whether HHS is estopped from pursuing entities on the basis that the Proscribed Combination is IIHI outside of the Guidance itself. We continue to recommend that the tracking technologies be considered as part of a covered entity's security risk analysis, that business associate agreements be put in place where appropriate, and that the covered entity have a multidisciplinary governance process. Covered entities should work with counsel to understand the nuanced risks in this situation.

Should we still do an analysis of our website?

A third-party assessment of covered entity websites is still a very good idea. In our experience, even the most sophisticated covered entities and their marketing departments do not have a clear understanding of all the tracking technology deployed and the information being collected by those technologies. We note as well that, depending on the organization, certain online properties or sections of websites may be subject to state consumer privacy laws (rather than HIPAA) that impose their own notice and opt-out requirements with respect to online tracking technology deployed on the site. Covered entities can only accurately assess risk - and whether their website privacy policies are accurate - based on a full understanding of the environment.

Do we still need a tool like Freshpaint or Piwik?

Maybe! These third-party tools act as middlemen for data being transmitted to tracking tech providers and allow the covered entity to scrub particular data elements (including IP address) from the transmissions that would otherwise automatically be sent. Depending on the types of data a covered entity wants to allow their technology provider to collect, scrubbing an IP address or other data elements from the transmission may be important to stay clear of identifiability.

Did the judge consider the Revised Guidance or just the Original Guidance?

Although HHS argued its case based only on the Revised Guidance, the judge considered both. As summarized in the opinion, while the Original Guidance took the position that IP address + visit to UPW addressing health conditions or providers was IIHI, the Revised Guidance stated "it's IIHI when an online technology connects (1) an individual's IP address with (2) a visit to a UPW with the intent to address the visitor's specific health conditions or healthcare providers." The court pointed out that under the Revised Guidance, which slightly softens the Original Guidance, covered entities would have to employ clairvoyance, as the visitor's intent is unknowable. Therefore, covered entities would have to assume intent, essentially ipso facto requiring compliance with the Original Guidance.

Does this impact the use and content of website privacy policies and banners on our website?

Possibly. The new and forthcoming state consumer privacy laws exempt either PHI specifically or more broadly any personal data processed or collected by or on behalf of a HIPAA covered entity. As discussed above, the AHA decision that the Proscribed Combination is not PHI is binding only on the AHA litigants. If it were binding nationally, hospitals subject to state laws that do not have an entity-level exemption for HIPAA covered entities would need to (1) assess whether unauthenticated pages on their website need to comply with applicable state law requirements and (2) update their existing website privacy policies and online practices accordingly.

The situation does present an interesting internal conflict, however. Even if the AHA decision lacks full legal force, covered entities are generally embracing it as confirmation that the Proscribed Combination is not PHI. But taking that position potentially triggers a host of obligations under laws like Washington's My Health My Data Act, which exempts PHI but not covered entities. On the other hand, if hospitals dismiss the AHA decision as nonbinding and decide to continue to treat the Proscribed Combination as PHI, their use of website tracking technology could be considered a HIPAA violation. To navigate this highly nuanced risk environment, covered entities should work closely with privacy counsel that is well-versed in both HIPAA compliance and state consumer privacy law requirements.