On Thursday, June 20, 2024, a Texas federal court judge ruled that HHS' Online Tracking Technology Guidance, first released in December 2022 and later modified in March 2024, is unlawful. This article covers what that guidance provided and why the court found that HHS issued it beyond the scope of its authority.
What Did the Online Tracking Technology Guidance Provide?
The online tracking technology guidance regulated HIPAA-covered entities’ use of tracking technologies to gather information about users and their actions, as these users interacted with a website or mobile app.
As the guidance explained, a tracking technology is a script or code on a website or mobile app that gathers information about users. Once this information is collected, the owner of the website or mobile app, or a third party, analyzes the information to create insights about users’ online activities.
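To make the preceding description concrete, the following JavaScript is an added illustration, not code from the original article or from HHS, of the kind of record a page-view tracker assembles and what the receiving server adds to it. In a real tracking script the fields come from the browser (`location`, `document.referrer`, `document.title`, a first-party cookie); here they are supplied as a constructed page-context object so the code runs outside a browser, and the client IP address is attached where the tracking vendor's server would read it from the connection. The site name, paths, section prefixes, visitor ID and IP address are all invented for the example.

```javascript
// Added example: what a page-view tracker collects, and how the receiving
// server combines it with the client IP address. All inputs are constructed.

// Build the payload a tracking script would send on a page view.
// In a browser these fields come from location, document.referrer,
// document.title and a cookie; here they arrive in `page` so the code
// runs stand-alone.
function buildTrackingPayload(page) {
  const url = new URL(page.href);
  return {
    path: url.pathname,              // e.g. /conditions/diabetes reveals the topic visited
    query: url.search,               // on-site search terms often travel here
    referrer: page.referrer || "",
    title: page.title,
    visitorId: page.cookieVisitorId || null, // persistent first-party identifier, if set
    authenticated: page.authenticated === true,
    ts: page.timestamp,
  };
}

// On the receiving end, the tracking vendor sees the source address of the
// connection and attaches it. This IP-address-plus-page-visit combination is
// the record the guidance addressed.
function joinWithClientIp(payload, clientIp) {
  return { ...payload, clientIp };
}

// Rough classifier: is this an unauthenticated visit to a page in a
// health-condition or provider section? The section prefixes are assumed for
// this hypothetical site. Note that none of these fields reveals the
// visitor's reason for the visit, which is the gap the court relied on.
const HEALTH_SECTIONS = ["/conditions/", "/find-a-doctor/", "/treatments/"];
function isUnauthenticatedHealthPageVisit(record) {
  return !record.authenticated &&
    HEALTH_SECTIONS.some((prefix) => record.path.startsWith(prefix));
}

// Constructed sample visit (hypothetical hospital site and visitor).
const samplePage = {
  href: "https://example-hospital.test/conditions/diabetes?q=insulin+pump",
  referrer: "https://search.example.test/",
  title: "Diabetes care | Example Hospital",
  cookieVisitorId: "v-9f3a1c",
  authenticated: false,
  timestamp: "2024-06-20T14:05:00Z",
};
const sampleRecord = joinWithClientIp(buildTrackingPayload(samplePage), "203.0.113.7");
console.log(JSON.stringify(sampleRecord, null, 2));
```

The point of the example is the shape of the data: the path and query string alone identify the condition page visited, the cookie identifier ties visits together over time, and the IP address is added server-side without the visitor seeing it. What the record cannot contain is why the visitor loaded the page.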
The online tracking technology guidance noted that a user's interaction with a site can create individually identifiable health information (IIHI). IIHI is information that is created or received by a healthcare provider (or another covered entity), relates to an individual's health, healthcare, or payment for healthcare, and identifies, or provides a reasonable basis from which to identify, an individual person.
(Note that PHI, the use and disclosure of which is regulated by HIPAA, is defined as IIHI that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.)
HHS, in both the 2022 guidance and the modified 2024 guidance, expanded the definition of IIHI to include the combination of an individual's IP address with their visits to healthcare providers' unauthenticated public webpages (UPWs). HHS stated that such information would be regarded as PHI, and thus fall within the scope of HIPAA's privacy and security protections, even though the user was visiting an unauthenticated page. An unauthenticated webpage, in contrast to a user-authenticated webpage, does not require the user to log in before accessing it.
What Did the Court Decide?
The question before the court was, “When an online technology connects an individual’s IP address with a visit to an unauthenticated public webpage (UPW) that addresses specific health conditions or health care providers, does the combination of information constitute individually identifiable health information (IIHI)?”
The court held that whether such information constitutes IIHI (and is therefore subject to HIPAA's use and disclosure regulations) is impossible to determine. The court found that to prove that a user's IP address, combined with the information the user obtained by visiting the unauthenticated webpage, was IIHI, one would need to establish that the visitor intended to obtain information relating to their own health. (Recall that the definition of IIHI is information that "relates to an individual's healthcare or payment for healthcare.")
“An individual’s healthcare” means “a specific individual’s healthcare” – here, the individual using the website. In contrast, if the reason for the website visit was not “related to an individual’s past, present, or future health, healthcare, or payment for healthcare,” no IIHI was created.
It All Depends
With the distinction between what is and is not IIHI in mind, the court asked: how can it be proven that the reason for a person's visit was to obtain information about that person's own health, as opposed to some other reason?
The court held that it is impossible to determine the reason for a user's visit. That reason depends on the person's subjective intent: why was that person visiting the site at that particular moment, and for what purpose?
Since neither HHS nor covered entities are mind readers, there is no way to determine whether a given visit created IIHI or did not.
Adding to the determination problem was the fact that the visit was to an unauthenticated site – a site for which a login is not required. When a user visits a user-authenticated webpage, such as a patient or health plan beneficiary portal, the user must first log in to gain access. This “logging in” creates an inference that the user is visiting the page to look up the user’s own information.
When a user goes to an unauthenticated webpage, that inference is not created. No one knows why the user is visiting the page – that reason is locked up in the user’s brain. The covered entity has no way of knowing if the user is visiting for reasons related to the user’s own past, present, or future health, healthcare, or payment for healthcare, and therefore has no way of knowing whether IIHI has been created.
The court held that HHS' declaration that IIHI is created whenever a user visits an unauthenticated webpage to look up information, regardless of whether the person was seeking information about their own health, found no support in the HIPAA statute or regulations. Therefore, the court declared the online tracking technology guidance unlawful and vacated (annulled) it.
The effect of the decision is that the definition of IIHI will retain its pre-December 2022 meaning, as it relates to information collected from visitors of unauthenticated web pages of covered entities.
What Happens Now?
The court that vacated the online tracking technology guidance is a trial-level court, and the decisions of trial-level courts may generally be appealed to an appeals court. As of this writing, HHS has not responded to the decision, nor has it indicated whether it intends to appeal. If HHS does appeal, the trial court has the discretion to "stay" its decision, that is, to suspend the effect of its holding that the guidance was unlawful while the appeal is pending.
Compliancy Group will keep readers informed of any developments with respect to the court’s vacating the guidance.