A federal court on Thursday ruled the Health and Human Services Department lacks the authority under the Health Insurance Portability and Accountability Act to prohibit providers from using third-party web tracking technologies on their websites in certain situations.
The U.S. District Court for the Northern District of Texas sided with the American Hospital Association and ruled that regulators lacked authority under HIPAA to enforce the rule. The court denied AHA’s request for permanent injunction but granted the hospital trade group's request for the rule to be vacated.
Read more: AHA alleges HHS policy ‘a gross overreach’ in lawsuit
The suit, filed in November, was in response to a bulletin HHS' Office of Civil Rights published in December 2022 and later updated in March that emphasized HIPAA rules apply when someone's protected information is collected with third-party tracking technologies and is shared with vendors. Third-party tracking companies use code on websites and mobile apps to gather potentially identifiable information on users.
HHS said in the bulletin that regulated entities, such as hospitals, were not permitted to use tracking technologies in a manner that would result in impermissible disclosures of personally identifiable health information to tracking technology vendors or any other violations of HIPAA. For example, HHS said a provider delivering information to tracking technology vendors for marketing purposes without someone's HIPAA-compliant authorization would be a violation.
In its suit, AHA alleged HHS' interpretation exceeded HIPAA and the government’s statutory and constitutional authority. AHA was joined in the suit by the Texas Hospital Association, Arlington, Texas-based health system Texas Health Resources and Wichita Falls, Texas-based United Regional Health Care System.
In an emailed statement, an AHA attorney said the organization was "pleased" with the ruling. HHS, Texas Hospital Association, Texas Health Resources and United Regional Health Care System were not available for comment.
In July 2023, the Federal Trade Commission and HHS sent letters to 130 health systems and telehealth providers regarding the privacy risks of third-party tracking technology.