AHA files suit against against HHS over online tracking rules

The American Hospital Association and allies in Texas have sued the U.S. Health and Human Services Office for Civil Rights to block enforcement of a HIPAA directive regarding online tracking technologies for customer relationship management.

WHY IT MATTERS
The court casefiled Thursday in federal court in Fort Worth, Texas, argued that the rule “abruptly upset the balance that HIPAA and its regulations strike between privacy and information sharing” and also conflicts with the practices of several federal health care websites.

The Texas Hospital Association, Arlington, Texas-based Texas Health Resources, and Wichita Falls, Texas-based United Regional Health Care System joined the AHA as plaintiffs in the lawsuit, which includes OCR Director Melanie Fontes Rainer and HHS secretary Xavier Becerra were named as defendants.

AHA and its partners are challenging a December 2022 guidance stating that covered entities and business associates are not permitted under HIPAA and the Federal Trade Commission’s Health Breach Notification Rule to use online tracking pixels on websites and mobile apps .

“In a gross overreach by the federal bureaucracy, imposed without any input from the public or the health care providers most affected by it, the HHS rule exceeds the government’s statutory and constitutional authority, fails to meet the requirements for rulemaking by agencies, and harms the very people it claims to protect,” the AHA says in the filing.

The organization also noted that federal sites, including Medicare.gov, Tricare.mil, Health.mil and several Veterans Health Administration websites, use the same types of tracking tools that OCR is trying to ban.

“The Department of Health and Human Services’ new rule limiting the use of critical third-party technologies has real consequences for the public, who now lack access to essential health information,” AHA President and CEO Rick Pollack said in a statement . . “We cannot understand why HHS created this ‘rule for you, but not for me’.”

The organization said a ban on collecting IP addresses from website visitors would make analytics software, patient-specific embedded video, embedded maps and translation and accessibility services “ineffective”, creating a barrier to improved communications and patient service.

THE BIG TREND
Healthcare organizations’ use of third-party tools, including Google Analytics and Meta Pixel, has led to a number of class action lawsuits against both providers and healthcare systems.

Notably, Advocate Aurora Health disclosed a pixel-related breach last year involving as many as 3 million users of its MyChart patient portal and LiveWell website and app.

Novant Health said that a similar infringement 1.3 million patients may be affected.

In light of these lawsuits and growing security concerns across the country, HHS issued the guidance bulletin nearly a year ago.

The AHA publicly stated its opposition to the rule in a September letter to the Senate Committee on Health, Education, Labor and Pensions.

ON THE RECORD
“Simply put, OCR’s new rule hurts the very people it claims to protect,” Pollack said. “The federal government’s repeated threats to enforce this unlawful rule tie the hands of hospitals as trusted messengers of reliable healthcare information.”