A MoFo Privacy Minute Q&A: HHS Withdraws Appeal of Federal Court Decision Regarding Online Tracking Guidance

30 Sep 2024
Client Alert

This is “A MoFo Privacy Minute,” where we will answer the questions our clients are asking us in sixty seconds or less.

Question: HHS voluntarily dismissed its appeal in the online tracking technology lawsuit; where does that leave the litigation and what should my business know?

Answer: In an abrupt turn of events, HHS has abandoned its fight regarding regulated entities’ use of online tracking tools on unauthenticated webpages. But that is unlikely to stop the wave of “wiretap” lawsuits over the same technologies.

On August 19th, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) filed a notice of appeal to the Fifth Circuit challenging the June 2024 federal district court decision in American Hospital Association (AHA) v. Becerra, which vacated certain portions of the OCR guidance on the use of third-party tracking technologies by HIPAA-covered entities and business associates (“regulated entities”). However, just 10 days later, HHS filed a motion to voluntarily dismiss the appeal.

For now, the withdrawal appears to be a significant victory for regulated entities. However, questions still remain about the impact of the withdrawal on current litigation and investigations. Below we summarize background regarding the American Hospital Association (AHA) v. Becerra ruling and key implications of HHS’s decision not to appeal the ruling.

Key Background: OCR Guidance and Federal Court Decision

In December 2022, OCR issued guidance that an individual’s IP address combined with a visit to an unauthenticated webpage (i.e., a webpage that does not require a login or user verification) about specific health conditions or providers may constitute protected health information (PHI) and thus trigger HIPAA obligations. After the AHA challenged the guidance in court, OCR revised its guidance in March 2024, confusingly introducing a subjective standard. In its updated guidance, OCR required regulated entities to determine the intent of a website or app user to assess whether information collected by tracking technology constitutes PHI insofar as it relates to that user’s health, healthcare, or payment for healthcare. (See our client alert on OCR’s March 2024 update.)

A Texas federal district court held that HHS exceeded its authority with the guidance. The court vacated the portion of the guidance regarding public pages of regulated entities’ websites, ruling that such information falls outside HIPAA, as it neither relates to an individual’s health nor identifies the individual. (See our client alert on the court decision.)

Key Implications

  • Wiretap Litigation
    • The withdrawal comes during a tsunami of lawsuits against regulated entities over website tracking tools. In each of these putative class actions, plaintiffs’ theory is that regulated entities violate state and federal wiretap statutes, as well as state statutory and common law privacy protections, through the use of website tracking technologies. OCR’s decision to abandon its appeal is unlikely to stop the current wave of litigation. However, it does suggest that plaintiffs may face an uphill battle if they point to the OCR guidance as evidence that the information captured by website tracking tools constitutes PHI. Similarly, federal judges, who had been citing the guidance up until now, may hesitate to cite it in allowing these purported “wiretapping” claims to proceed beyond the motion-to-dismiss stage.
  • HHS and FTC Investigations Remain Uncertain
    • The withdrawal also leaves regulated entities questioning the status and viability of HHS and Federal Trade Commission (FTC) investigations that relied on the OCR guidance to examine regulated entities’ use of online tracking technologies. Whether HHS and FTC will drop such investigations or narrow their focus to authenticated pages only remains uncertain.

In sum, while the withdrawal of the appeal is potentially a sign of shifting tides, regulated entities should continue to proceed with caution when using online tracking technologies. Regulated entities must still consider: (1) providing clear and conspicuous notice of any tools in use on their webpages through cookie banners or other disclosures, (2) minimizing or eliminating the use of tracking technologies on authenticated webpages, and (3) auditing the use of any online tracking technologies to assess the scope of the data collected and mitigate the risk of litigation and regulatory inquiry.
