Last month, the U.S. District Court for the Northern District of Texas issued a decision in American Hospital Association v. Becerra ruling that HIPAA-covered entities can use third-party tracking tools on unauthenticated web pages. This reverses previous OCR guidance that broadly defined such data as protected health information (PHI) and thus business associate agreements would be required. The court found the OCR’s stance on the “Proscribed Combination” of IP addresses and health-related webpage visits to be a legally unsupported overreach.
In the ruling, U.S. District Court Judge Mark Pittman emphasized that the case was about administrative authority rather than HIPAA specifics, stating:
“[T]his case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power… While the Proscribed Combination may be trivial to HHS, it is not for covered entities diligently attempting to comply with HIPAA’s requirements…”
The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued the federal government last November to challenge the legality of HHS’s “Online Tracking Bulletin,” which had disrupted health systems’ ability to use standard web technologies to capture IP addresses on public-facing webpages. The March 2024 Revised Bulletin from HHS OCR attempted to address those concerns, but the recent decision ruled that was unlawful. The judge found in favor of AHA’s stance that HHS overstepped its authority and that the guidance imposed unnecessary restrictions on essential technologies.
The case saw support from the healthcare community (seventeen state hospital associations and thirty hospitals and health systems filing friend-of-the-court briefs in support of the AHA and its co-plaintiffs). And its result has practical considerations for healthcare providers, including that providers can now use tracking tools on UPWs more freely (as long as HIPAA compliance is maintained). It is important to note the decision does not change HIPAA obligations for authenticated websites (tracking technologies on these pages must still comply with HIPAA), nor does it impact state laws or other federal regulations that may impose additional requirements.
This decision recognizes the practical challenges faced by healthcare providers in balancing compliance and technological use. Healthcare entities often provided health information to the public on websites utilizing third-party tools, such as Google and Social Media applications to utilize the data on the visits to its website in order to perform targeted outreach and understand the current health concerns within its community. The third-party vendors could often obtain unique identification information, such as an IP address. The AHA argued that requiring Business Associate agreements with third-party vendors created a regulatory burden and impacted their ability to efficiently and effectively provide quality healthcare services to their community. This decision should help all healthcare providers with improving access to needed services but assists with leveling the playing field for small and medium-sized providers who might not have the resources or be in a position to negotiate Business Associate agreements with large organizations.
In light of the decision, covered entities should continue adhering to best practices in tracking technology use and HIPAA compliance while keeping an eye on ongoing litigation, as it is possible that HHS may appeal the decision or seek new rulemaking to address the court’s concerns in the coming weeks and months.
How We Can Help
Our team of highly skilled healthcare professionals has worked with thousands of healthcare organizations. We specialize in navigating the complex healthcare landscape and can help you comply with new regulations, reduce your tax burden, explore new care models, and more. With our expertise and experience, can help you identify the risks and opportunities of every change within the healthcare industry.
If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
Legal Line: This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.