What the Recent AHA Lawsuit Ruling Means for Healthcare Organizations Moving Forward
On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document. See Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024). Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.” Id. at *2. HHS is evaluating its next steps in light of that order.
At Freshpaint, it’s our mission to help healthcare organizations adapt to the ever-evolving world of privacy compliance. The latest development came last week when a federal court ruled that guidance prohibiting the use of third-party tracking technologies on hospitals' public-facing websites was unlawful.
We’ve spoken to dozens of healthcare leaders who are curious (rightly so) about how this ruling might impact their marketing strategy. But before we explore what lies ahead, let’s rewind to get some context.
How Did We Get Here?
In December 2022, HHS updated its HIPAA guidance, making it clear that tracking technologies on healthcare websites could violate federal privacy rules by sharing sensitive consumer health information with third-party tools.
By default, web trackers collect HIPAA identifiers, such as IP addresses, Ad Click IDs, and even email addresses, as well as health information like page URLs and button text. Those two components combined are considered Protected Health Information or PHI—and the HHS concluded that sharing PHI with a non-HIPAA-compliant tool was a privacy violation.
Fast forward to November 2023: The American Hospital Association (AHA) and others filed a federal lawsuit calling on the courts to bar enforcement of OCR’s policy, taking aim at the “Proscribed Combination.” Translation: They argued that an individual’s IP address combined with a visit to a specific web page isn’t sufficient to constitute PHI.
Proscribed Combination = IP Address + Health Information on a publicly facing website
What Happened In The Judge's Order?
Most recently, on June 20, 2024, US District Judge Mark Pittman sided with AHA, ruling that HHS overstepped in issuing its December 2022 guidance around the Proscribed Combination.
However, he didn’t go any further in his ruling to change any other aspects of the HIPAA guidance. This is a really important distinction because if you’re reading this news thinking that the judge erased the rules around HIPAA on a publicly facing website, that’s not what happened.
This is an important decision but a very narrow one. Let’s explore in detail how healthcare organizations should think about privacy moving forward.
What Happens Next?
Judge Pittman vacated the HHS guidance around the combination of users’ IP addresses and health information. But he denied the request for a permanent injunction and did nothing to address the combination of other HIPAA identifiers with health information captured by tracking technologies.
Accordingly, many law firms are advising covered entities to continue safeguarding patient privacy, regardless of the recent ruling. According to a number of attorneys we’ve spoken to, the growing sentiment is that HHS will almost certainly appeal Judge Pittman’s decision within the next few days and request a stay. A stay, if granted, would likely be issued within days.
Several legal experts shared their opinion with us that in a case like this against the federal government, it’s likely that a stay would be granted, especially if the court does not view the government as having intentionally harmed the plaintiff (the AHA and the healthcare organizations involved in the lawsuit).
If the stay is granted, the HIPAA guidance around IP addresses will be fully restored until the appeal process has run its course.
The first step in the appeals process would move the case to the United States Court of Appeals for the Fifth Circuit. Legal experts we spoke to with experience in federal court cases told us this could be a 9-12 month process before any judgment gets handed down. If a stay is granted, that means the full HIPAA guidance would be in effect during that period.
If the appeal is unsuccessful, HHS could take its case to the Supreme Court. If the Supreme Court decided to hear the case, that could add another 12 months to the appeals process. Once again, if a stay were granted, it’s likely that the full HIPAA guidance would be in effect for the entire two years of the appeals process.
We certainly don’t have a crystal ball to predict how this all will pan out. But it’s important to remember that broad, sweeping changes rarely happen overnight. The broader issue of web trackers will continue to be an issue for covered entities, regardless of what comes next in this process.
Let’s spend a minute discussing the existing risks.
5 Risks to Keep in Mind Moving Forward
Judge Pittman’s ruling was an important but narrow one. The order only addressed IP addresses on publicly facing healthcare websites and didn’t touch any other aspects of the HIPAA guidance. In fact, most of the risks around consumer privacy haven’t changed. Here are five to stay aware of.
HIPAA Is Still A Focus For Healthcare
The ruling vacated OCR’s guidance about combining a visitor's IP address with a visit to a hospital's public webpage. However, the rest of OCR’s tracking tech guidance remains entirely intact. That means HHS can enforce other instances where HIPAA identifiers are combined with health information—for example, an ad click ID combined with a scheduled doctor appointment shared with an ad platform like Facebook. Almost every healthcare marketing team we’ve spoken with leverages advertising tools to reach consumers. This is still a major risk for healthcare.
Accordingly, we believe healthcare organizations should continue replacing native tracking technologies with HIPAA-compliant solutions that ensure sensitive health information isn’t shared downstream.
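To make the distinction concrete, here is an added example (not Freshpaint's code or any ad platform's) that classifies an outbound tracker beacon by which identifier-plus-health-information combination it carries: the IP-address-only "Proscribed Combination" defined above, versus a click ID or email combined with health information, which the rest of the guidance still covers. The beacon query format (`dl` for the visited page, `bt` for clicked button text) and the health-term list are constructed for the example; `fbclid`, `gclid` and `msclkid` are real click-ID parameter names.

```python
# Added example (not Freshpaint's code): classify an outbound tracker beacon
# by which HIPAA identifier / health-information combination it carries.
# All URLs, headers, parameter names and keyword lists below are constructed.
from urllib.parse import urlparse, parse_qs

# Constructed keyword list. A real deployment would map the site's actual
# URLs to whether they address specific conditions or providers.
HEALTH_PATH_TERMS = ("oncology", "cancer", "hiv", "depression", "cardiology",
                     "find-a-doctor", "appointment")

# Query keys ad platforms use to carry click identifiers (real names);
# the rest of the beacon format is invented for this example.
CLICK_ID_KEYS = ("fbclid", "gclid", "msclkid")


def extract_identifiers(beacon_url, client_ip=None):
    """Return the set of HIPAA identifier types present in a tracker request."""
    params = parse_qs(urlparse(beacon_url).query)
    found = set()
    if client_ip:                      # the network layer always sees the IP
        found.add("ip_address")
    if any(k in params for k in CLICK_ID_KEYS):
        found.add("ad_click_id")
    if any("@" in v for vals in params.values() for v in vals):
        found.add("email")
    return found


def extract_health_context(beacon_url):
    """Return health-related signals (page path, button text) sent in the beacon."""
    params = parse_qs(urlparse(beacon_url).query)
    signals = []
    # Constructed parameter names: 'dl' carries the visited page URL,
    # 'bt' carries the text of the clicked button.
    for page in params.get("dl", []):
        path = urlparse(page).path.lower()
        if any(term in path for term in HEALTH_PATH_TERMS):
            signals.append(("page_url", path))
    for text in params.get("bt", []):
        if any(term in text.lower() for term in HEALTH_PATH_TERMS):
            signals.append(("button_text", text))
    return signals


def classify(beacon_url, client_ip=None):
    """Map a beacon to one of the risk categories discussed in the post."""
    ids = extract_identifiers(beacon_url, client_ip)
    health = extract_health_context(beacon_url)
    if not health:
        return "no_health_information"
    if not ids:
        return "health_information_only"
    if ids == {"ip_address"}:
        # IP address + visit to a health page on a public site: the one
        # combination whose guidance the June 2024 order vacated.
        return "proscribed_combination_only"
    # Click ID or email + health information is still covered by the
    # remainder of OCR's tracking-technology guidance.
    return "other_identifier_combination"


if __name__ == "__main__":
    # Constructed beacons, as a reverse proxy or CSP report might log them.
    samples = [
        ("https://pixel.example/collect?dl=https%3A%2F%2Fhospital.example%2Foncology%2F",
         "203.0.113.10"),
        ("https://pixel.example/collect?fbclid=abc123&dl=https%3A%2F%2Fhospital.example"
         "%2Ffind-a-doctor%2F&bt=Schedule+Appointment", "203.0.113.10"),
        ("https://pixel.example/collect?dl=https%3A%2F%2Fhospital.example%2Fabout-us%2F",
         "203.0.113.10"),
    ]
    for url, ip in samples:
        print(classify(url, ip), url)
```

In practice this kind of check belongs in a tag-manager review or a proxy that logs outbound third-party requests, where an `other_identifier_combination` result is the one that still warrants blocking or replacement with a compliant integration.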
FTC Enforcement
The FTC (which operates separately from HHS) regulates for-profit businesses as it relates to consumer privacy. The FTC has a history of enforcing privacy in healthcare. Most recently, the FTC fined Cerebral $7M for disclosing its customers’ personal health information to third parties for ads. Further, the FTC banned Cerebral from sharing most data with marketing tools, a catastrophic blow to its customer acquisition strategy.
Even before Cerebral, the FTC took the same action against BetterHelp in March of 2023 with a fine and ban from using major advertising platforms. More than a year later, BetterHelp is still locked out from critical advertising strategies and instead spends more on podcast advertising than Google and Amazon combined. This is a major blow to a provider that relies on digital advertising channels to reach consumers.
State Privacy Laws
Twenty states have passed consumer privacy laws—some of them stricter than the HHS guidance issued in 2022. The California Privacy Protection Agency (CPPA) is leading the charge and has spent the last year preparing to enforce its law.
PHI collected for treatment, payment, or healthcare operations will qualify for the CCPA HIPAA exemption. However, health information collected for other purposes is not covered by the exemption and will be subject to the CCPA’s stricter data protection rules.
CCPA defines personal information as anything that could identify, relate to, describe, or be associated with a specific consumer or household. And the way many state laws are written protects consumers in those states even if the healthcare organization isn’t based in that state. So if you provide services to consumers in, say, California or Washington, you could be subject to those states’ privacy laws.
Class Action Lawsuits
Over the past few years, there’s been a long list of class action lawsuits filed against major healthcare providers. Aurora Health settled for $12.5M in a class action lawsuit for sharing sensitive health information with ad platforms. Cedars-Sinai, Ascension, UPMC, and Rush University are all being sued as well over claims they shared patient data with advertising platforms. Notice the trend? Class action lawsuits against healthcare organizations keep coming back to sharing data with major ad platforms.
The current ruling in the AHA lawsuit does nothing to shield healthcare companies from these class action lawsuits—or from the negative press that comes with them. In fact, these class action lawsuits typically rely on wiretapping laws and the Video Privacy Protection Act—not HIPAA. Some lawyers who specialize in privacy don’t see any change to the risk of class action lawsuits as a result of the recent ruling on IP addresses under HIPAA.
Brand Trust
The sentiment amongst consumers is clear: People don’t want to be tracked by ad tech companies, especially when their health information is part of the equation. In fact, online privacy protection is a national trend that’s nearly universal with consumers. For healthcare brands it becomes an important question: do you want to be known as a brand that does the minimum when it comes to privacy standards or do the most for your patients?
The AHA’s lawsuit has given marketers, lawyers, regulators, and consumers plenty to unpack over the past few days. But we’re looking for the signal in the noise—and that signal is that healthcare organizations are still on the hook for safeguarding patient privacy across a growing patchwork of federal, state, and private privacy guidelines.