AHA refutes OCR’s attempt to overhaul online tracking rules

The American Hospital Association takes issue with recently updated rules from the HHS Office for Civil Rights regarding the use of online tracking tools by healthcare systems and other HIPAA Covered Entities.

The AHA told a federal court this month that OCR’s latest bulletin, which restricts covered entities and their business associates from using third-party web technologies that capture IP addresses on public web pages, is too broad and restrictive – and “health care providers could prevent vital health information from being communicated to the communities they serve.”

But this month, a Massachusetts high court is considering whether to move forward with two class-action lawsuits that would rely on the state’s 1968 Wiretap Act to allege that two hospitals violated patient privacy with their use of pixel tracking tools.

WHY IT MATTERS

Over the past month, OCR has updated its guidelines around the use of online tracking tools, such as those developed by Google and Meta, by HIPAA covered entities and business associates – replacing the previous 2022 guidance.

In the revised bulletin, OCR clarified that organizations “may engage a technology provider to perform such analyzes as part of the regulated entity’s health care operations,” reiterating that “sharing protected health information with providers without authorization is considered an unauthorized disclosure .”

Under OCR guidelines, disclosing PHI to tracking technology providers for marketing purposes without individuals’ HIPAA-compliant authorizations would constitute unauthorized disclosures.

The previous guidance warned that HIPAA-regulated entities that collect and transmit certain individually identifiable health information, including IP addresses, using tools such as Google Analytics and Meta Pixel could constitute a HIPAA violation of protected health information.

However, last Friday, the American Hospital Association told a federal court that the revised bulletin “merely confirms that the original bulletin was ‘substantive and procedurally unlawful’.”

“The mere fact that an online tracking technology links a user’s device IP address (or other identifying information) to a visit to a web page that addresses specific health conditions or lists health care providers is not a sufficient combination of information to constitute individually identifiable health information) if the visit to the web page is not related to an individual’s past, present or future health, health care, or payment for health care,” the AHA said.

This isn’t the first time the hospital group has objected to HHS’s efforts to limit the use of tracking tools in health care systems.

In October 2023, AHA sent a letter to the Senate Committee on Health, Education, Labor and Pensions stating that OCR’s rule on the use of online tracking tools violates HIPAA and could harm patients, and suggested that Congress would urge the agency to repeal the rule.

“HIPAA is more than sufficient to protect patient privacy and, if interpreted correctly, provides the right balance between the privacy of health information and the sharing of valuable information,” AHA told the HELP Committee.

Then in November, AHA filed a lawsuit against HHS for banning health care providers from using third-party web technologies that capture IP addresses on portions of their public web pages and other data.

In support of efforts to ban enforcement that restricts the use of pixel tracking tools, 17 state hospital associations and 30 hospital systems have filed friend-of-the-court briefs, AHA said.

“HHS has consistently directed hospitals to better serve these communities, driving hospitals’ purpose to ‘promote equity in health care for all, including members of historically underserved and underserved communities,'” the state hospital associations said in their report. Joint assignment filed with the court in January.

“But to serve as effective sources of trusted health information and reach broad audiences beyond their existing patient base, hospitals must be empowered to use the best tools available to ensure their websites deliver the right information to the right people. provide. , in a way they can trust and act on,” they said.

THE BIG TREND

But even if the AHA to call to action The new revisions are an “embarrassing tale of regulatory overreach” and seek to halt federal enforcement of an “illegal and ill-advised new rule.” State courts are trying to figure out the right way to address health care systems that use tracking technologies when it comes to patient privacy.

Reuters reported this month that the Massachusetts Supreme Court may be open to proposed class-action lawsuits related to online tracking — cases that use a new interpretation of a decades-old wiretapping law.

The separate class action lawsuits, filed by a single plaintiff, allege that two hospitals – Beth Israel Deaconess Medical Center and New England Baptist Hospital – violated the Massachusetts Wiretap Act, which was created in 1968, by allowing third parties to collect data collect about website users. .

According to the Reuters reports thisJudge Frank Gaziano was open to the idea that an old wiretapping law could apply to Internet tracking because state courts had already expanded their reach to new technologies like cell phones and text messaging in 2013.

“This case is about hospitals allowing technology companies to eavesdrop on highly sensitive communications between health care consumers and their medical providers,” Patrick Vallely, a plaintiffs attorney at Shapiro Haber & Urmy, said in the Reuters story.

Meanwhile, other healthcare systems in Massachusetts have already faced their own cases of pixel tracking in recent years, including Mass General Brigham, which settled one class action lawsuit for $18.4 million in 2022.

ON THE RECORD
The AHA, for its part, continues to protest federal rules that it believes are far too broad.

“The unprecedented rule that HHS adopted is divorced from its statutory text and its purpose, but is also practically unworkable and internally inconsistent – ​​not surprising for a rule that was hastily reworded in the crucible of litigation and remains a critically lacking public feedback,” the AHA said on April 11. .

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.