Federal court strikes blow to expansive OCR web tracking position

The ability of OCR to enforce expansive portions of its controversial web tracking guidance has been severely limited.  A federal district court ruled that the guidance exceeded the agency’s authority, and in particular concluded that an individual’s IP address combined with the fact that they visited an unauthenticated webpage does not constitute individually identifiable health information (“IIHI”).  This is a welcome result for many struggling to implement the guidance, even after OCR revised the guidance in March.  It remains to be seen, however, whether this ruling will have a broader impact on regulation of web tracking technology or leave HIPAA-regulated entities in compliance limbo.

The AHA Litigation

The court’s decision was issued on June 20, 2024, in a case involving the American Hospital Association’s (AHA) challenge to the legality of the guidance, first issued in December 2022 and revised in March 2024.  The guidance drew criticism from industry given its broad scope limiting the use of common website technologies that help organizations analyze the effectiveness of their websites and mobile applications as well as facilitate marketing efforts.  Importantly, OCR had asserted that HIPAA applies to data collected about user activity on unauthenticated pages, even where the only identifier collected is an IP address.  The court rejected OCR’s position out of hand, finding that it “facially violates HIPAA’s unambiguous definition” of IIHI. 

The court explained that HIPAA limits IIHI to information that (i) “relate[s] to” certain information about an individual’s health care; and (ii) either identifies the individual or could reasonably “be used to identify” the individual.  In the court’s view, OCR’s guidance unlawfully expanded that definition to capture information showing a user’s visit to an unauthenticated public webpage, as the AHA and others had argued.  Absent information about the individual’s subjective motivation for visiting the website, a user’s mere browsing activity only “may relate to” an individual’s health care and could only potentially identify an individual seeking health care.  In practice, few organizations will have the knowledge necessary to confirm an individual’s motivation for visiting a website.

Limitations on the Court’s Decision

While OCR’s broad view of IIHI was rejected by the District Court, the decision does not provide a clear go-ahead for HIPAA-regulated entities to adopt tracking technologies.  Notably, the decision has no effect on OCR’s ability to proscribe the use of tracking technologies on user-authenticated webpages, such as patient and plan member portals.  In addition, it is unclear how OCR will respond to the decision, including whether it may appeal or seek to adopt web tracking standards through formal rulemaking. 

While OCR’s position may be curtailed for now, it is important to note that OCR has not been leading the federal government’s enforcement efforts on web tracking technologies.  That title belongs to the FTC.  The FTC has been aggressive in its view that sensitive data cannot be collected through trackers without consent.  See, for example, enforcement actions against GoodRx (charging, among other things, that through its use of tracking technologies, GoodRx engaged in unfair acts or deceptive practices based on the disclosure of health and personal information to third parties and the failure to limit third-party use of health information) and Avast (alleging that Avast unfairly collected consumer browsing information, stored it indefinitely, and sold it without adequate notice and consent and deceived consumers by failing to deliver on privacy promises).  It is unclear whether this decision will have any impact on the FTC’s stance and enforcement efforts.    

Where Does the Decision Leave HIPAA-Regulated Entities?

This decision, while a significant step in the right direction, still leaves some uncertainty.  Covered entities and business associates will still need to comply with the OCR guidance regarding the use of trackers on authenticated webpages, and will need to consider whether their use of trackers on unauthenticated pages collects sensitive data and therefore requires express consent under the standard reflected in the FTC’s enforcement actions.  HIPAA-regulated entities also will want to monitor OCR’s next steps following this case, and whether the ruling has any impact on the FTC’s position or emboldens affected entities to push back against FTC enforcement efforts in the web tracking space.  It remains the case that the use of web tracking technologies is drawing significant regulator and litigant attention, and that the boundaries of what uses and data flows are permissible are not yet fully resolved.
