A federal judge in Texas vacated federal guidance that clarifies how health-care providers can use online tracking technology without running afoul of health-care privacy regulations.
The US Department of Health and Human Services lacked authority to issue the March 18 guidance, which requires providers to take extra care to protect data that—the agency said—would allow third parties to identify website users who look up online information about their health-care conditions, Judge Mark T. Pittman of the US District Court for the Northern District of Texas said Thursday.
Pittman is a Trump appointee in Fort Worth whose been identified as a part of a “judge shopping” scheme created by conservatives looking to ensure that their challenges to Biden administration policies will be heard by sympathetic ears. Here, he accused the HHS of trying to grab power at the expense of covered entities required to comply with the Health Insurance Portability and Accountability Act’s privacy rule.
The case “isn’t really about HIPAA,” Pittman said. It’s “a case about our nation’s limits on executive power.”
Pittman concluded that vacating the provision, which renders it unenforceable throughout the country, was the most appropriate remedy available to the plaintiffs, including the American Hospital Association.
Changing Definition
HIPAA’s privacy rule requires providers to protect “individually identifiable health information,” which it defines as information that “relates” to a person’s health condition, receipt of care, or payment for services that can be used to identify them, Pittman said. The agency added an obligation to protect a “novel” category of information—online technology that connects a person’s IP address with a visit to a website that addresses specific health conditions or providers, he said.
The newly added data fell outside the unambiguous statutory definition, Pittman said. There’s no way for a provider to know why a person is looking at a particular website, and the agency’s addition of a “specific intent” requirement didn’t cure the problem, Pittman said. It only “compounds the conundrum for covered entities,” Pittman said. Providers still must change their practices, and a user’s reason for visiting a particular website is “unknowable,” he said.
Meta data is by nature de-identified, Pittman said. HIPAA is clear that health information that doesn’t identify the person and reasonably couldn’t be used to do so isn’t IIHI, he said.
The closest the “proscribed combination” comes to IIHI “is a speculative inference extrapolated from (but unsubstantiated by) collected metadata,” Pittman said. It “facially exceeds HIPAA’s unambiguous text,” he said.
“HHS tried to tweak the IIHI definition and got caught,” Pittman said in rejecting the agency’s added attempt to “gaslight” providers by arguing that HIPAA required them to protect this data all along. “With its hand in the cookie jar, the Department now backtracks,” he said.
Jones Day and Simmons Hanly Conroy represent the hospital associations. The US Justice Department represents HHS Secretary Xavier Becerra.
The case is Am. Hosp. Ass’n v. Becerra, N.D. Tex., No. 23-cv-1110, 6/20/24.
To contact the reporter on this story:
To contact the editor responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.