© All rights reserved to Barnea Jaffa Lande Law offices

Together is powerful

Federal District Court Vacates Rule under HHS’s HIPAA Tracking Technologies Guidance

A federal court in Texas recently ruled to vacate the US Department of Health and Human Services’ (HHS) guidance providing a broad interpretation of the term “individually identifiable health information” under the Health Insurance Portability and Accountability Act (HIPAA).

HHS Position

According to the HHS guidance, information collected on freely accessible websites related to medical conditions by a user based on an online identifier (such as an IP address or clickID) is considered protected health information (PHI) protected under HIPAA. This means that when individuals access a website that requires no registration and search for information related to their medical condition (such as articles about the medical condition, meetings and conferences related to it, etc.), the combination of search data with an IP address or other online identifier may cause the collected information about them to be PHI.

 

According to the HHS guidance, since some users intend to receive information about a real medical condition, combining their browsing data with a unique identifier justifies the protection of this information. This is despite the fact there are other users who may browse the same website for alternative reasons, such as research or curiosity.

 

This HHS guidance addressed concerns regarding the collection of personal health information by healthcare providers (website administrators) and its transfer to online data technology providers used to track website visitors. These tracking technologies are employed to personalize content for users, who may encounter, for instance, advertisements for medications and health conditions while browsing online.

 

Implications of the HHS Guidance

The HHS guidance has restricted hospitals’ and other healthcare providers’ choice of vendors for providing third-party data analytics services to those that meet the stringent requirements and regulatory burden of HIPAA and HHS oversight. As a result, the guidance has made it more difficult for hospitals to operate their digital assets and track the personal health information collected through them.

 

In addition, hospitals that have used third-party data analytics services have faced class action lawsuits based on the guidance, alleging the unlawful transfer of PHI to service providers providing analytics on their website.

Legal Proceedings and Conclusions

Following its publication, hospitals appealed to the courts, arguing that the guideline required them to take into account aspects that were not in their control and not known to them, such as users’ purposes for browsing the site.

 

The court ordered the guideline vacated. The court clarified that expanding the definition of PHI to include online identification data and browsing data on sites that do not require registration grants excessive power to HHS and should not be allowed.

Implications of the Texas Court Ruling

The court ruling significantly increases the ability of online data analytics service providers to cater to healthcare organizations in the United States. This is a significant decision, especially for service providers who have suffered business loss due to the inability to provide for healthcare organizations, as well as for healthcare organizations wishing to offer information and services on their websites.

 

The ruling may be further reviewed and HHS guidelines on this matter may be updated in the future.

 

Barnea Jaffa Lande’s Privacy, Data Protection and Cyber Department is at your service for any questions regarding HIPAA requirements and the adaptation of your business activity to comply with data protection legislation in Israel, Europe, the United States, and other jurisdictions.

****

 

Dr. Avishay Klein is a partner and heads the department.

Adv. Masha Yudashkin is an associate in the department.

 

Tags: HHS | IP | Privacy