What the AHA Lawsuit Ruling Means for the Future of Privacy in Healthcare - a Q&A with Legal Expert Jennifer Pike
In healthcare, data privacy requirements are rapidly evolving. Recent changes in HIPAA regulations, coupled with the AHA’s lawsuit against HHS, the rise of state-level privacy laws, and increased scrutiny from the FTC, have left many healthcare providers and marketers uncertain about how to proceed. To make matters more complicated, the risk of class action lawsuits is growing, with more than 200 cases filed in just the past two years.
In this article, we’re sharing clips from a recent webinar with Jennifer Pike, a healthcare lawyer with Alston & Bird, to unravel the complexities of these issues. From the implications of the latest court ruling on HHS guidance to the emerging role of state laws and the FTC's growing involvement, Jennifer provides timely and practical insights.
Whether you’re grappling with how to comply with new regulations, concerned about potential litigation, or just trying to understand the shifting landscape, this conversation offers valuable guidance on how to navigate these turbulent waters.
Read on as we explore key questions and actionable advice that can help your organization stay ahead of the curve in an increasingly regulated environment.
In Jen's point of view, the headlines and social media buzz about the recent court ruling caused confusion. Many people believed that the OCR’s tracking policy was completely overturned, but that’s not what actually happened. The reality of the ruling was much more nuanced than the headlines suggested.
In Jen's point of view, understanding the basics of HIPAA is crucial, especially when it comes to online tracking technologies. HIPAA regulates "covered entities" like healthcare providers and their business associates, requiring them to safeguard Protected Health Information (PHI). Health information counts as PHI only when it is handled by these specific entities.
For example, when a healthcare provider shares PHI with a vendor like Google or Facebook without a Business Associate Agreement (BAA), they could be in violation of HIPAA. The responsibility ultimately lies with the covered entity to ensure compliance, particularly in the context of tracking technologies.
The conversation around web tracking technologies in healthcare has been evolving since June 2022, when an investigation revealed that many top hospitals were using tracking technologies on their websites, including appointment and patient portal pages. This led to government guidance, enforcement actions, and class action lawsuits against social media companies and healthcare providers.
The AHA lawsuit against OCR’s enforcement led to a revised version of the guidance and, eventually, a court ruling in June 2024 that vacated a narrow part of it, but left much of the guidance intact.
According to Jen, the HHS guidance before the court ruling required that any PHI generated from a covered entity's website must comply with HIPAA, just like any other PHI. This meant that if a vendor was providing analytics or marketing services, a Business Associate Agreement (BAA) was necessary, and using the information for marketing required patient consent.
The controversy centered on defining what constitutes PHI, especially on unauthenticated websites, which don’t require login credentials. The original guidance introduced the concept of a "proscribed combination," where a user's IP address plus their visit to an unauthenticated webpage could be considered individually identifiable health information, and thus PHI.
Health information is only considered PHI under HIPAA if it meets the specific definition of Individually Identifiable Health Information (IIHI). This requires the information to both relate to an individual's healthcare and identify the individual. If it doesn't meet both criteria, it cannot be classified as PHI.
In Jen's point of view, the recent court ruling made a specific and narrow change to the HHS guidance by vacating the definition of the "proscribed combination," which referred to an IP address combined with a visit to an unauthenticated website as PHI.
However, the rest of the guidance remains intact, including the provisions related to authenticated web pages. The court also refused to prohibit OCR from enforcing the guidance in the future. Importantly, this ruling is specific to a HIPAA definition and does not affect state laws, FTC authority, or the potential for class action consumer lawsuits.
According to Jen, despite the confusion, the court ruling hasn’t significantly changed how healthcare organizations should operate.
In Jen's point of view, HHS is evaluating its options in response to the court ruling, which could include revising the guidance or appealing. Most of the guidance remains intact, and OCR still has enforcement power.
Update: On August 19, 2024, OCR filed an appeal of Judge Pittman's decision with the Fifth Circuit Court of Appeals. OCR then dropped its appeal just 10 days later, on August 29, 2024.
The court ruling knocked out the "proscribed combination" of an IP address and a visit to an unauthenticated webpage as PHI. The ruling clarified that healthcare information can only be inferred from this data, which doesn't meet HIPAA's strict criteria for PHI. As a result, such data may no longer be considered PHI under HIPAA.
In Jen's point of view, the court ruling doesn't mean it's now permissible to freely share IP addresses under HIPAA. Other authorities, like State Attorneys General, the FTC, and consumers bringing class actions, still need to be considered.
The FTC is highly concerned about privacy issues in healthcare, and they may step up their enforcement. The FTC is not bound by the HIPAA ruling and has been actively enforcing privacy through the FTC Act and the Health Breach Notification Rule, impacting both for-profit and nonprofit entities. Recent settlements show that the FTC is increasingly prohibiting the sharing of information for advertising without affirmative consumer consent.
According to Jen, the FTC is aggressively enforcing privacy rules in healthcare, including around the combination of IP addresses and contextual information. This has led to significant settlements, like with BetterHelp, where the FTC found that sharing such data without affirmative consent was a deceptive trade practice. The impact on companies is severe, as they may be barred from using this data for advertising, effectively crippling their digital marketing strategies.
In Jen's point of view, the FTC is concerned that tracking technologies in healthcare are often invisible to users, even when cookie banners are present. They worry about the lack of clarity in data collection and use, and the difficulty in truly anonymizing data. The FTC highlights that users often don’t know what happens to their data once it’s shared with third parties, raising significant privacy issues.
State-level privacy laws are evolving to fill gaps in protecting consumer health data that HIPAA doesn't cover. States like California are leading the way by giving consumers more control over their data, including the right to delete information and opt-in consent requirements. However, these varying state laws create a complex patchwork that healthcare organizations must navigate carefully.
According to Jen, many state laws exempt the data that comprises PHI from their regulations, but not the healthcare entity itself. If certain data, like an IP address, is no longer considered PHI, it may fall under state regulations, creating new compliance challenges for healthcare organizations. This complexity means the situation hasn't been simplified.
In Jen's point of view, class action lawsuits against healthcare organizations are gaining traction because they often lead to settlements. Plaintiff lawyers can easily find tracking technologies on websites, which makes filing these lawsuits straightforward. With over 200 cases filed in just two years, the frequency of settlements has encouraged more lawsuits.
In Jen's point of view, changes in HHS guidance don't affect state laws, FTC actions, or class action lawsuits because these lawsuits rely on private rights of action and other laws like the Video Privacy Protection Act and state wiretap laws. HIPAA violations alone don’t allow individuals to sue healthcare entities, but these other legal avenues do, often with significant statutory damages.
In Jen's point of view, healthcare organizations should maintain a living inventory of website tools, ensure legal and marketing teams collaborate closely, and prioritize transparency with consumers. Regularly updating knowledge on evolving regulations and obtaining the right consent are also key to navigating HIPAA, FTC regulations, and state privacy laws effectively.
Jennifer’s expertise underscores the importance of having a strong, nuanced understanding of HIPAA, FTC regulations, and state-level laws that affect your marketing. Staying informed and compliant is crucial for healthcare organizations navigating these complex issues. For further guidance or clarification, reach out to the Freshpaint team directly.