September 3, 2024 | Alerts

HHS Withdraws Its Appeal of Tracking Technologies Decision

On August 29, 2024, the Federal Department of Health and Human Services (“HHS”) withdrew its appeal of a federal court decision that invalidated certain aspects of HHS guidance regarding the use of tracking technologies (e.g., pixels that collect data on website usage to create directed marketing campaigns).

Tracking technologies have been the focus of much debate among the health care provider community and HHS. Providers find tracking technologies to be important marketing tools, while HHS published guidance warning that tracking technologies often violate the confidentiality of patient information and should be avoided (the “Guidance”).  In particular, providers argue that tracking access to unauthenticated pages (e.g., website pages where users do not need to “sign in” to access information) does not pose a threat to patient information.

This debate boiled over into court when the American Hospital Association and others (the “Plaintiffs”) filed a lawsuit against HHS in a Texas Federal District Court (the “Court”).  On June 20, 2024, the Court issued its ruling in favor of the Plaintiffs. Specifically, the Court vacated the Guidance to the extent it applied HIPAA to “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n unauthenticated public webpage] addressing specific health conditions or healthcare providers.”  HHS initially appealed the decision but on August 29, 2024, moved to voluntarily dismiss its own appeal.  Absent any pending appeal, the initial Court decision is expected to stand.

What Does This Mean?

  • The Court’s decision invalidated only one portion of the Guidance, but left the rest of the Guidance intact.  This means that the Guidance remains in effect, other than those aspects specifically addressing the collection of IP addresses on unauthenticated pages.
  • Tracking technologies are likely permitted on unauthenticated pages that do not collect information in a manner that identifies which users are patients (e.g., it is probably permissible to enable tracking on a web page that generally describes the services provided by a health system and may be used by the general public).
  • Use of tracking technologies still needs to be evaluated in light of the remaining aspects of the Guidance.  For example, even on unauthenticated pages, there may be situations in which patient status or identifiable information beyond IP addresses may be collected by trackers (e.g., unauthenticated appointment scheduling or bill payment pages), and therefore, HIPAA compliance will need to be considered.
  • It is likely that use of tracking technologies on authenticated pages is still problematic unless there are appropriate authorizations or business associate agreements in place.

Should you have any questions regarding the above, please contact the authors, the Garfunkel Wild attorney with whom you regularly work, or contact us at [email protected].