In response to the December bulletin, on May 23, 2023, the American Hospital Association (“AHA”), a trade association representing hospitals, healthcare systems, networks, and other providers of care, sent a letter to OCR. In the letter, AHA asked the agency to either set aside or amend the December bulletin on the grounds that the guidance was too broad, particularly its definition of personal health information, and would “inadvertently impair access to credible health information.” In July 2023, OCR and the Federal Trade Commission jointly issued a letter to around “130 hospital systems and telehealth providers” warning them about the use of tracking technologies on their websites and urging them to monitor the flow of health data even where the entity is not covered by HIPAA.
American Hospital Association Files Lawsuit Against HHS
On November 2, 2023, AHA, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System joined together to file a lawsuit against HHS and OCR over the issuance of the December bulletin. The plaintiffs seek to enjoin enforcement of the December bulletin, to set aside the definition of individually identifiable health information (IIHI) provided in the bulletin, and to declare the bulletin’s definition of IIHI a non-statutory and regulatory definition. Below are highlights of the claims on which the plaintiffs seek relief:
Exceeds Authority and is Contrary to the Law
The plaintiffs allege that the December bulletin’s definition of IIHI is an impermissible expansion of the term by OCR. In the complaint, the plaintiffs describe how, in the December bulletin, OCR defines IIHI subject to HIPAA to include instances in which online technology connects “(1) an individual’s IP address with (2) a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers, that combination of information”.
The plaintiffs highlight that OCR’s expanded IIHI definition was published in such haste that the agency failed to assess federal healthcare provider websites, such as those of Medicare and the US Department of Veterans Affairs, which contained embedded third-party analytics and advertising tools. Under the December bulletin’s IIHI definition, the use of such embedded software on federal healthcare websites would subject the collected data to HIPAA.
Arbitrary and Capricious Rulemaking
The plaintiffs further allege that the December bulletin’s definition of IIHI is “arbitrary and capricious”. The plaintiffs allege that OCR failed to provide any legal analysis or support for the sudden change in the IIHI definition. Rather, the agency “baldly asserts that the IIHI definition is satisfied because there is an ‘indicative’ ‘connection’ between a particular individual who visits a hospital’s Unauthenticated Public Webpage and the specific health condition or healthcare provider discussed on that webpage”.
Failure To Undertake Notice and Comment Rulemaking
The plaintiffs also allege that OCR failed to follow rulemaking procedures and did not provide a notice and comment period. The plaintiffs challenge the idea that the December bulletin was a “mere interpretive guidance document”. Instead, they frame the bulletin as an attempt by OCR to create “a novel, binding norm that transforms healthcare providers’ obligations under HIPAA”, without consulting the parties that would be affected by the new definition.
In the post-Dobbs privacy landscape, the protection of consumer health data has taken on a new sense of urgency and importance. In 2023, there were several high-profile enforcement actions related to consumer health data, such as those against GoodRx and BetterHelp, as well as a renewed push to modernize health data protection laws, such as the Health Breach Notification Rule and HIPAA. At the state legislative level, most notably, Washington passed the My Health, My Data Act. Against this backdrop, it remains to be seen how the lawsuit filed by AHA and its co-plaintiffs will unfold in 2024.