The American Hospital Association filed a lawsuit on Thursday against the Health and Human Services Department over a rule that prohibits providers from using third-party web tracking services in certain situations.
The suit is in response to a bulletin HHS' Office of Civil Rights published in December 2022, which emphasized that Health Insurance Portability and Accountability Act rules apply when someone's protected information is collected with tracking technologies and is shared with vendors. HIPAA-covered protected health information might include someone’s internet protocol address codes, HHS said in the bulletin.
AHA filed a suit in the U.S. District Court for the Northern District of Texas on Thursday alleging HHS' interpretation exceeds HIPAA and the government’s statutory and constitutional authority. The plaintiffs also alleged HHS failed to satisfy the requirements for agency rulemaking when publishing this bulletin because the policy is new, rather than a clarification of existing policy.
“They [HHS] had never enforced this rule. They had never opened up investigations against hospitals in this way,” said Chad Golder, AHA’s deputy general counsel. “Their enforcement of this took hospitals completely by surprise.”
AHA was joined in the suit by the Texas Hospital Association, Arlington, Texas-based health system Texas Health Resources and Wichita Falls, Texas-based United Regional Health Care System.
HHS said in the bulletin that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of personally identifiable health information to tracking technology vendors or any other violations of the HIPAA Rules. For example, HHS said a provider delivering information to tracking technology vendors for marketing purposes without someone's HIPAA-compliant authorizations would be a violation.
The suit also alleges the federal government’s healthcare websites, including the Veterans Affairs Department and Military Health System, use third-party tracking services and do not comply with the new rule.
Third-party tracking companies use code on websites and mobile apps to gather potentially identifiable information on users. A study published in April from researchers at the University of Pennsylvania found that third-party tracking technology is present on 98.6% of hospital websites in the United States. The most popular third-party tracking codes on hospital websites send data to Meta, Google and Adobe, according to the researchers.
Earlier this summer, the Federal Trade Commission and HHS sent letters to 130 health systems and telehealth providers regarding the privacy risks of third-party tracking technology.
HHS, United Regional Health Care System and Texas Health Resources did not immediately respond to requests for comment.