The American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued the federal government to bar enforcement of an unlawful, harmful, and counterproductive rule that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.
“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites. We cannot understand why HHS created this ‘rule for thee but not for me,’” said Rick Pollack, AHA President and CEO.
Today’s lawsuit challenges a “Bulletin” issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) entitled, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” This December 2022 “Bulletin” restricts hospitals from using standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing webpages that address health conditions or health care providers. For example, under HHS’ new rule, if someone visited a hospital website on behalf of her elderly neighbor to learn more about Alzheimer’s disease, a hospital’s use of any third-party technology that captures an IP address from that visit would expose that hospital to federal enforcement actions and significant civil penalties.
Hospitals and health systems have long honored the core objectives of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), America’s primary health care privacy law. Congress enacted this law to strike a balance between protecting patients’ health information and ensuring the flow of information needed to provide communities with high quality care. The Bulletin, which HHS issued without consulting health care providers, third-party technology vendors, or the public at large, upsets HIPAA’s careful balance, preventing hospitals from using commonplace web technologies to analyze use of their websites and communicate effectively with the populations they serve.
As alleged in the complaint, HHS’ Medicare.gov, the Department of Defense Military Health System and Defense Health Agency, and various U.S. Veterans Health Administration sites continue to use these third-party technologies despite being covered entities under HIPAA. For example, forensic tools revealed that the Veterans Health Administration uses analytics and advertising tools on a wide range of sites, including online resources that describe the symptoms of post-traumatic stress disorder and point veterans to available treatment options. While dozens of hospitals across the country have received enforcement threats, and hospitals are currently under active investigation by OCR, the federal government has not halted its own use of these vital tools.
Web tools that are ineffective without access to IP-address information include analytics software, video technologies that offers the public education and information on health conditions, translation and accessibility services and digital maps among others.
The suit alleges that HHS’ new rule exceeds its statutory authority under HIPAA. That statute allows hospitals to rely on third-party tools that capture IP address information because that information cannot reasonably be used to identify an individual whose health care relates to the webpage visit. By restricting use of these common tools on public-facing webpages on this basis, OCR violated HIPAA and has acted without legal authority. In addition, the suit alleges that OCR unlawfully issued this Bulletin without providing any reasoning supporting its novel legal assertions, without acknowledging the government’s own use of implicated third-party technologies, and without following required notice-and-comment rulemaking processes. Prior to issuing this rule, the federal government did not consult with hospitals and health systems about their use of third-party technologies that depend on the collection of IP addresses or the impact that its new rule would have on patients or communities. Instead, the agency began aggressively threatening regulatory enforcement and serious civil penalties against hospitals and health systems. After attempts to engage with HHS officials to educate them about the impact of their new rule, the AHA determined that it was necessary to file suit on behalf of its members to prevent the agency from unlawfully penalizing hospitals.