
Hospitals Sue HHS and OCR Over December Bulletin on HIPAA-Compliant Use of Pixel

Kewa Jiang

JGI/Tom Grill via Getty Images

Background: Hidden Tracking Technologies, Health Data, and HHS

In June 2022, The Markup, a technology-focused investigative news organization, revealed that Meta Pixels were embedded in the websites of several American hospitals, including on pages accessible only after user authentication. The Markup reported that the embedded Pixels transmitted details of a user’s interactions with a hospital’s website, such as the user’s IP address and a doctor’s name, to Meta and other third-party companies. In the wake of The Markup’s article, widespread consumer privacy concerns and outrage led to class action lawsuits against hospitals that allegedly used Meta Pixels.

In December 2022, the Department of Health and Human Services (“HHS”)’s Office for Civil Rights (“OCR”), which enforces the Health Insurance Portability and Accountability Act (“HIPAA”), issued guidance in a bulletin (“December bulletin”) on the appropriate use of Meta Pixels by covered entities and business associates. The bulletin defined the types of data collected by Pixels that may be considered personal health information, such as the IP addresses of potential patients who do not have an existing relationship with a covered entity. HHS also outlined procedures that covered entities could implement to remain HIPAA-compliant while using tracking technologies, such as signing a business associate agreement with tracking technology vendors.

In response to the December bulletin, on May 23, 2023, the American Hospital Association (“AHA”), a trade association representing hospitals, healthcare systems, networks, and other providers of care, sent a letter to OCR. In the letter, AHA asked the agency to either set aside or amend the December bulletin on the grounds that the guidance was too broad, particularly its definition of personal health information, and would “inadvertently impair access to credible health information.” In July 2023, OCR and the Federal Trade Commission jointly issued a letter to around “130 hospital systems and telehealth providers” warning them about the use of tracking technologies on their websites and urging them to monitor the flow of health data even if the entity is not covered under HIPAA.

American Hospital Association Files Lawsuit Against HHS

On November 2, 2023, AHA, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System jointly filed a lawsuit against HHS and OCR over the issuance of the December bulletin. The plaintiffs seek to enjoin enforcement of the December bulletin, to set aside the definition of individually identifiable health information (IIHI) provided in the bulletin, and to declare that the bulletin’s definition of IIHI is not the statutory or regulatory definition. Below are highlights of the claims on which the plaintiffs seek relief:

Exceeds Authority and is Contrary to the Law

The plaintiffs allege that the December bulletin’s definition of IIHI is an impermissible expansion of the term by OCR. In the complaint, the plaintiffs describe how the December bulletin defines IIHI subject to HIPAA to include cases in which online technology connects “(1) an individual’s IP address with (2) a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers,” so that “that combination of information” becomes IIHI.

The plaintiffs highlight that OCR’s expanded IIHI definition was published in such haste that the agency failed to assess federal healthcare provider websites, such as those of Medicare and the US Department of Veterans Affairs, which themselves contained embedded third-party analytics and advertising tools. Under the December bulletin’s IIHI definition, the use of such embedded software on federal healthcare websites would subject the collected data to HIPAA.

Arbitrary and Capricious Rulemaking

The plaintiffs further allege that the December bulletin’s definition of IIHI is “arbitrary and capricious”. They allege that OCR failed to provide any legal analysis or support for the sudden change in the IIHI definition. Rather, the agency “baldly asserts that the IIHI definition is satisfied because there is an ‘indicative’ ‘connection’ between a particular individual who visits a hospital’s Unauthenticated Public Webpage and the specific health condition or healthcare provider discussed on that webpage”.

Failure To Undertake Notice and Comment Rulemaking

The plaintiffs also allege that OCR failed to follow rulemaking procedures and did not provide a notice and comment period. The plaintiffs challenge the idea that the December bulletin was a “mere interpretive guidance document”. Instead, they frame the bulletin as an attempt by OCR to create “a novel, binding norm that transforms healthcare providers’ obligations under HIPAA”, without consulting the parties that would be affected by the new definition.

Looking Ahead

In the post-Dobbs privacy landscape, the protection of consumer health data has taken on a new sense of urgency and importance. In 2023, there were several high-profile enforcement actions related to consumer health data, such as those against GoodRx and BetterHelp, as well as a renewed push to modernize health data protection laws, such as the Health Breach Notification Rule and HIPAA. At the state legislative level, most notably, Washington state passed the My Health, My Data Act. Against this backdrop, it remains to be seen how the lawsuit filed by AHA and its co-plaintiffs will unfold in 2024.