On November 2, 2023, the American Hospital Association and Texas Hospital Association, together with the Texas Health Resources and United Regional Health Care System, filed suit against the Secretary of the Department of Health and Human Services (“HHS”) and the Director of the HHS Office for Civil Rights (“OCR”) regarding OCR’s guidance on the use of online tracking technologies by HIPAA entities.[i] This action and its outcomes will impact how healthcare entities should protect and use certain information collected on their digital sites.
Lawsuit Details
As we covered in a previous blog post, OCR released guidance in December 2022 on the use of tracking technologies by HIPAA-regulated entities (the “Guidance”).[ii] The lawsuit challenges the portion of the Guidance that considers the use of tracking technologies on healthcare providers’ unauthenticated webpages to be subject to HIPAA. This includes, for example, linking an IP address with viewing specific health conditions or healthcare providers (the “Proscribed Combination”). The complaint specifically alleges that the Guidance, as applied to unauthenticated public webpages: (1) exceeds HHS’s authority under HIPAA and the First Amendment; and (2) fails to meet rulemaking requirements under the Administrative Procedure Act (“APA”). The complaint also points out that third-party trackers can be found on the federal government’s own covered entity agency webpages.
The complaint states there is a lack of reasonable basis to determine whether the Proscribed Combination sufficiently identifies an individual who visits a webpage for health, care, or payment purposes. For example, an individual may visit a medical condition webpage, but such a visit may not be in connection with the individual’s healthcare or sought services. By concluding the Proscribed Combination constitutes individually identifiable health information subject to HIPAA, plaintiffs allege OCR exceeded its authority. The complaint also alleges the Guidance prohibits healthcare providers from disclosing information about the usage of a public webpage on health-related topics in violation of the First Amendment.
With respect to the APA, the complaint alleges: (1) OCR’s reasoning used to determine the Proscribed Combination is individually identifiable health information is arbitrary and capricious; and (2) the Guidance is procedurally defective because it was promulgated without a notice-and-comment period and without consulting hospitals and health systems.
Key Takeaways
Notably, the complaint does not take issue with the Guidance with respect to tracking technologies on authenticated sites. HIPAA-regulated entities should carefully evaluate the trackers present on such sites and determine the appropriate course of action. This may include removing the trackers or entering into a business associate agreement with the tracking entity.
Additionally, class action lawsuits related to the use of trackers by healthcare providers continue to pose a risk, regardless of the outcome of this lawsuit. Although certain HIPAA risks may be mitigated as a result of this lawsuit, when using tracking technologies, entities, especially healthcare entities, should continue to assess and monitor the information being tracked and the methods of tracking to ensure best practices, consumer protection laws and other privacy laws are met.
This is an evolving area of law, and Sheppard Mullin will continue to closely monitor developments in this area.[iii] Entities with questions or seeking counsel can contact any member of our Healthcare Group or Privacy and Cybersecurity Group for assistance.
FOOTNOTES
[i] American Hospital Association et al v. Melanie Fontes Rainer et al, No. 4:23-cv-01110-P (N.D. Tex. 2023).
[ii] Guidance available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.
[iii] For more information regarding notable FTC developments in this area, please see: https://www.eyeonprivacy.com/2023/07/regulators-send-warning-letter-to-hospitals-and-telehealth-providers-about-tracking-technology-use/.