At issue is a 2022 bulletin that prohibits HIPAA-covered entities from using technology that captures the IP address of people visiting public-facing websites.
Healthcare organizations are pushing back against a federal rule restricting hospitals from using tracking technology to collect data from consumers visiting their web portals.
The American Hospital Association (AHA), Texas Hospital Association, Texas Health Resources, and United Regional Health Care System have filed suit against the federal government, charging that the Health and Human Services Department has exceeded its statutory authority in preventing providers from collecting the IP addresses of people visiting public-facing websites.
The lawsuit calls for the elimination of “an unlawful, harmful, and counterproductive rule that has upended hospitals’ and health systems’ ability to share healthcare information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.”
“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information,” AHA President and CEO Rick Pollack said in a press release. “In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites. We cannot understand why HHS created this ‘rule for thee but not for me.’”
The suit targets a bulletin issued in December 2022 by the HHS Office for Civil Rights (OCR) highlighting the use of online tracking technologies by Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates. The bulletin states that regulated entities such as hospitals “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of HIPAA Rules.”
According to the AHA and others supporting the lawsuit, that interpretation of HIPAA rules would prevent hospitals “from using commonplace web technologies to analyze use of their websites and communicate effectively with the populations they serve.”
“Simply put, OCR’s new rule harms the very people it purports to protect,” Pollack said. “The federal government’s repeated threats to enforce this unlawful rule tie hospitals’ hands as trusted messengers of reliable healthcare information.”
The suit alleges that common technologies used by healthcare organizations such as analytics software, video technologies, translation and accessibility services, and digital maps would be rendered ineffective without access to IP-address information.
“That statute allows hospitals to rely on third-party tools that capture IP address information because that information cannot reasonably be used to identify an individual whose healthcare relates to the webpage visit,” the AHA says. “By restricting use of these common tools on public-facing webpages on this basis, OCR violated HIPAA and has acted without legal authority. In addition, the suit alleges that OCR unlawfully issued this Bulletin without providing any reasoning supporting its novel legal assertions, without acknowledging the government’s own use of implicated third-party technologies, and without following required notice-and-comment rulemaking processes.”
Eric Wicklund is the associate content manager and senior editor for Innovation, Technology, Telehealth, Supply Chain and Pharma for HealthLeaders.
Federal officials say data tracking technologies that collect IP addresses violate HIPAA guidelines by exposing protected health information to potential misuse.
The AHA and others argue that these technologies enable providers to “share healthcare information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.”
They further argue that critical tools like analytics software, video technologies, translation or accessibility services, and digital maps would be rendered ineffective.