Court Strikes Down HIPAA Web Tracking Guidance
In a case brought by the American Hospital Association (AHA), the U.S. District Court for the Northern District of Texas issued an opinion vacating the Department of Health and Human Services (HHS) guidance on the use of online tracking technologies under the Health Insurance Portability and Accountability Act (HIPAA), which suggests that information collected from unauthenticated website visitors could be considered protected health information (PHI) under HIPAA. The guidance was challenged by hospitals and healthcare providers, who argued it exceeded HHS’ statutory authority under HIPAA and imposed unreasonable compliance burdens. The Court agreed with the AHA and found that the guidance unlawfully expanded the definition of PHI to include data that could not reasonably identify an individual or their health condition without knowing the user’s subjective intent for the visit. They found that the guidance was not supported by HIPAA’s statutory language and exceeded the bounds of HHS’s regulatory authority. As a result, the guidance cannot be enforced and must be removed. However, the guidance related to the authenticated portion of a healthcare provider’s website still stands, and healthcare providers should still ensure that any web tracking on authenticated portions of the website complies with HIPAA.
You can keep up-to-date with Strategic Management Services by following us on LinkedIn
