The American Hospital Association and allies in Texas have sued the U.S. Health and Human Services Office for Civil Rights seeking to block enforcement of a HIPAA guidance regarding online tracking technologies for customer relationship management.
WHY IT MATTERS
The lawsuit, filed Thursday in federal court in Fort Worth, Texas, argued that the rule “precipitously upended the balance that HIPAA and its regulations strike between privacy and information-sharing” and also runs contrary to the practices of several federal healthcare websites.
The Texas Hospital Association, Arlington, Texas-based Texas Health Resources, and Wichita Falls, Texas-based United Regional Health Care System joined the AHA as plaintiffs in the suit, which named OCR Director Melanie Fontes Rainer and HHS Secretary Xavier Becerra as defendants.
AHA and its partners are challenging a December 2022 guidance saying that covered entities and business associates are not allowed under HIPAA and the Federal Trade Commission’s Health Breach Notification Rule to use online tracking pixels on websites and mobile apps.
“A gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it, the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect,” the AHA says in the filing.
The organization also noted that federal sites including Medicare.gov, Tricare.mil, Health.mil and several websites run by the Veterans Health Administration use the same kinds of tracking tools OCR is seeking to ban.
“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information,” AHA President and CEO Rick Pollack said in a statement. “We cannot understand why HHS created this ‘rule for thee but not for me.'”
The organization said that a ban on collecting IP addresses from website visitors would render analytics software, patient-specific embedded video, embedded maps, and translation and accessibility services “ineffective,” throwing up a barrier to improved communication and patient service.
THE LARGER TREND
Healthcare organizations’ usage of third-party tools including Google Analytics and Meta Pixel has led to a number of class-action suits against vendors and health systems alike.
Notably, Advocate Aurora Health last year disclosed a pixel-related breach of as many as 3 million users of its MyChart patient portal and LiveWell website and app.
Novant Health said that a similar breach may have affected 1.3 million patients.
In the face of these suits and growing security concerns nationwide, HHS issued the guidance bulletin nearly a year ago.
The AHA publicly asserted its opposition to the rule in a September letter to the Senate Committee on Health, Education, Labor and Pensions.
ON THE RECORD
“Simply put, OCR’s new rule harms the very people it purports to protect,” said Pollack. “The federal government’s repeated threats to enforce this unlawful rule tie hospitals’ hands as trusted messengers of reliable healthcare information.”
Neil Versel is a freelance health IT journalist in Chicago. He has been a professional journalist since 1992, focusing on healthcare since 2000.
