
Unpacking the AHA Lawsuit: HIPAA, PHI, and the Path Forward for Healthcare Marketers

We have big news out of US District Court in Texas, where a federal judge has substantially ruled in favor of the American Hospital Association (AHA) in their lawsuit against the Department of Health and Human Services (HHS). Why is this big news? Because at face value, this ruling goes right to the heart of the expansion of HIPAA data privacy regulations that has so disrupted digital marketing practices for healthcare organizations since November of 2022, but face value can be deceiving. I think there is clear reason to believe that this ruling is not quite the victory for healthcare organizations that it initially appears. So, let’s dig into the ruling, its details and implications, and talk about how HIPAA covered entities might act or react in response.

History of HHS Guidance

First, how did we get here? Let’s start with a little history. In November of 2022, the Office for Civil Rights (OCR) at HHS issued new guidance on the use of digital tracking technologies by HIPAA covered entities. Until that guidance was published, it was understood that the HIPAA Privacy Rule, and the protected health information (PHI) it covers, pertained to patient data. You’re a patient, you’re visiting a website, you’re reviewing or accessing your medical records, you’re perhaps sending a message to a physician, you’re making an appointment. That was all clearly PHI, and that’s what the HIPAA Privacy Rule protected.

The new guidance from the OCR expanded the definition of protected health information to include a new subcategory, or designation, called individually identifiable health information, which the OCR defined as the combination of an identifier and the behavior of a visitor on a website. Importantly, this definition did not apply only to patients and their activity on a site. It applied to any visitor to a website. So the IP address of an unknown visitor, combined with the pages that visitor accessed, could now be considered PHI, in particular if those pages included information about the past, present, or future healthcare, treatment, or symptoms of that visitor. An anonymous visitor whose IP address can be identified visits a page about the symptoms of a particular form of cancer, maybe begins to look for a physician, and that is now considered PHI.

The impact of this new rule was seismic because it rendered, for all intents and purposes, virtually all third-party tracking technologies violations of the HIPAA Privacy Rule. Third-party tracking technologies collect IP addresses by default in most instances, and they collect user journey information, the URLs visited by a visitor. Overnight, the analytics platforms that were almost universal, along with advertising tracking technologies and tags, were all considered HIPAA violations. Almost immediately, class action lawsuits were filed against HIPAA covered entities that used Google Analytics, a Meta pixel, or other advertising tracking technologies, because on its face, under this new guidance, those technologies were HIPAA violations.

HIPAA Covered Entities Respond

HIPAA covered entities responded in a myriad of ways. Some acted very quickly and aggressively to remove virtually all tracking technologies, including analytics and all third-party tracking tags. Some took a wait and see approach. But virtually all worked as quickly and diligently as they could to identify new analytics solutions, new tracking technologies, and new approaches to advertising that would let them continue their marketing activities while remaining confident that they would not violate the HIPAA Privacy Rule. The impact on the industry was massive.

Understanding the AHA Lawsuit

In the midst of all of this, the American Hospital Association filed suit against HHS. Their challenge rested on two assertions. First, they argued that the prescribed combination, which is what the judge in this ruling called the combination of IP address and the URLs visited by a visitor, creates a new legal obligation beyond HIPAA’s requirements. Second, they contended that HHS exceeded its authority under HIPAA and, importantly, violated the Administrative Procedure Act (APA) by creating a de facto legal burden without any opportunity for judicial review.

HHS, for their part, argued that the bulletins were just guidance and not final agency action, and therefore within their authority, essentially asserting that this was advice and did not have the force of law. The judge in this case absolutely disagreed, writing, “The court knows a law when it sees one, and the prescribed combination is a law. Thus the revised bulletin is a final agency action subject to judicial review.”

HHS also argued that the opportunity for judicial review would occur during enforcement: if you received a violation notice, the enforcement process would be the opportunity for judicial review. The court didn’t buy that either. By the way, it’s worth noting that the judge referred to the revised bulletin. This is an update to the November 2022 OCR guidance, published in March of 2024, which the judge noted in his ruling was published just days before final briefs were due in this case, something the judge clearly didn’t appreciate and viewed with a significant degree of skepticism. The court, in its ruling, declared that the prescribed combination in the HHS revised bulletin was unlawful. The court held that the prescribed combination exceeds HHS’s statutory authority under HIPAA because it expands the definition of individually identifiable health information beyond the limits clearly defined in the HIPAA statute.

The court granted the hospitals’ request to vacate the prescribed combination provision in the HHS revised bulletin, in order to reestablish the status quo prior to what the court called the unlawful agency action. The ruling was really focused on this prescribed combination: IP address and URL visited by a previously anonymous visitor. Importantly, the court denied the hospitals’ request for a permanent injunction against enforcement of the prescribed combination, finding that to be an “unnecessarily drastic remedy,” meaning the door is still open for HHS to take another run at this. Another significant quote from the ruling: “No matter how sound the prescribed combination may be as a matter of policy, it is improper as a matter of law.” I think that language is significant. The judge is saying it may be sound to include the prescribed combination in your guidance, in your regulations, but you did it wrong. You did it in an improper manner.

How Should HIPAA Covered Entities React?

What does all this mean? How should HIPAA covered entities act or react in the face of this ruling? First, this is not legal advice. This is opinion based on years and years of working with some of the largest and most sophisticated HIPAA covered entities in the country. It’s important to remember that this is largely an administrative ruling related to the APA. The judgment isn’t that the rule is wrong; the judgment says HHS went about it wrong, and it leaves the door open for HHS to try again. Second, there is likely to be an appeal. In fact, there’s almost certainly going to be an appeal. An appeal would take 12 to 18 months, I would think. In parallel with that appeal, there is likely to be a stay of this ruling, so it’s not really going to change anything for HIPAA covered entities in the near term, even if the judgment is ultimately upheld.

I would also say that regardless of what happens at the federal level, and regardless of what remains in the guidance from the OCR, it is still true that 19 states have very significant privacy regulations. Some, like California’s CCPA, are significantly more restrictive than the HHS OCR guidance. There are 14 more states in the process of drafting and legislating their own privacy regulations. There also remains the ongoing risk of sharing sensitive data with third-party platforms and getting fined or sued for it. That happens with some regularity. Those lawsuits and fines relate to data breaches and data sharing issues that remain major risks, regardless of whether the combination of IP address and URL is considered PHI.

On a related note, in terms of reliance on third-party tracking, third-party tags, and third-party cookies, it is still true that we will all have to reckon in the near future with Google’s deprecation of third-party cookies in the Chrome browser. Firefox and Safari already don’t support third-party cookies. With Google moving to deprecate support for third-party cookies in Chrome, at least client-side third-party cookies, the overwhelming majority of browsers in the world will no longer support third-party tracking.

Our Recommendations

In light of this ruling, what should HIPAA covered entities do? Well, I would suggest, I would strongly recommend, that you continue as you are: continue on the path of privacy-first data collection and privacy-first data storage, and keep implementing solutions that let you fully control data sharing with third parties. Continue to develop and cultivate a first-party data strategy. Suppose you continue on this path, developing your ability to understand and target audiences with first-party data, zero-party data, and your own data, and improving your ability to report on the performance of your marketing activities from your own data stores rather than from third parties. Then, if this ruling is upheld, the prescribed combination is held to be illegal, and you again have the option to use third-party tracking and third-party platforms, it will be just that: an option, not a need.

You will have developed a mature and sophisticated understanding of, and ability to use, first-party data. You will have developed a privacy-first approach to data collection, data storage, and data sharing. You will have gained a much deeper understanding of the efficacy of your own marketing and advertising activities, relying on your own data stores and your own analysis, and you will have the option to use third-party platforms and third-party tracking rather than the need to use them. Reliance on those platforms is something that I think remains a risk and problematic in the face of shifting privacy regulations, and of the sometimes capricious changes that those third-party platforms make, which can have such a dramatic impact on the data available to us for targeting, tracking, and analysis. I hope this video has been useful. Please don’t hesitate to reach out with any questions or comments. Happy to chat with you and be helpful in any way we can. Thanks very much for your time and attention.

Related Links

AHA v. HHS Ruling

Questions or comments

Please let us know if you have questions or suggestions for other topics that would be valuable for us to cover in this area by emailing Grace Johnson at grace@wheelhousedmg.com
