On November 2, 2023, the American Hospital Affiliation and Texas Hospital Affiliation, along side the Texas Well being Assets and United Regional Well being Care System, filed go well with in opposition to the Secretary of the Division of Well being and Human Companies (“HHS”) and the Director of the HHS Workplace for Civil Rights (“OCR”) relating to OCR’s steering on using on-line monitoring applied sciences by HIPAA entities.[i] This motion and its outcomes will impression how healthcare entities should shield and will use sure info collected on their digital websites.

Lawsuit Particulars

As we lined in a earlier weblog put up, OCR launched steering in December 2022 on using monitoring applied sciences by HIPAA-regulated entities (the “Steering”).[ii] The lawsuit challenges the portion of the Steering that considers using monitoring applied sciences on healthcare suppliers’ unauthenticated webpages to be topic to HIPAA. This consists of, for instance, linking an IP deal with with viewing particular well being circumstances or healthcare suppliers (the “Proscribed Mixture”). The grievance particularly alleges that the Steering, as utilized to unauthenticated public webpages: (1) exceeds HHS’s authority underneath HIPAA and the First Modification; and (2) fails to satisfy rulemaking necessities underneath the Administrative Process Act (“APA”). The grievance additionally factors out that third-party trackers could be discovered on the federal authorities’s personal lined entity company webpages.

The grievance states there’s a lack of cheap foundation to find out whether or not the Proscribed Mixture sufficiently identifies a person who visits a webpage for well being, care, or cost functions. For instance, a person might go to a medical situation webpage, however such a go to is probably not in reference to the person’s healthcare or sought providers. By concluding the Proscribed Mixture constitutes individually identifiable well being info topic to HIPAA, plaintiffs allege OCR exceeded its authority. The grievance additionally alleges the Steering prohibits healthcare suppliers from disclosing details about the utilization of a public webpage on health-related matters in violation of the First Modification.

With respect to the APA, the grievance alleges: (1) OCR’s reasoning used to find out the Proscribed Mixture is individually identifiable well being info is bigoted and capricious; and (2) the Steering is procedurally faulty as a result of it was promulgated with no notice-and-comment interval and with out consulting hospitals and well being methods.

Key Takeaways

Notably, the grievance doesn’t take situation with the Steering with respect to monitoring applied sciences on authenticated websites. HIPAA-regulated entities ought to rigorously consider the trackers current on such websites and decide the suitable plan of action. This may increasingly embrace eradicating the trackers or coming into right into a enterprise affiliate settlement with the monitoring entity.

Moreover, class motion lawsuits associated to using trackers by healthcare suppliers proceed to pose a danger, whatever the consequence of this lawsuit. Though sure HIPAA dangers could also be mitigated because of this lawsuit, when utilizing monitoring applied sciences, entities, particularly healthcare entities, ought to proceed to evaluate and monitor the knowledge being tracked and the strategies of monitoring to make sure greatest practices, shopper safety legal guidelines and different privateness legal guidelines are met.

That is an evolving space of regulation, and Sheppard Mullin will proceed to carefully monitor developments on this space.[iii] Entities with questions or searching for counsel can contact any member of our Healthcare Staff or Privateness and Cybersecurity Staff for help.

FOOTNOTES

[i] American Hospital Affiliation et al v. Melanie Fontes Rainer et al, No. 4:23-cv-01110-P (N.D. Tex. 2023).

[ii] Steering accessible at: https://www.hhs.gov/hipaa/for-professionals/privateness/steering/hipaa-online-tracking/index.html.

[iii] For added info relating to notable FTC developments on this space, please see: https://www.eyeonprivacy.com/2023/07/regulators-send-warning-letter-to-hospitals-and-telehealth-providers-about-tracking-technology-use/.