AHA Sues DHHS Over Tracking Guidance
As we have noted in a previous Garfunkel Wild alert, the Department of Health and Human Services (“DHHS”) Office of Civil Rights (“OCR”) published guidance regarding the use of tracking technologies (i.e., technologies that collect and analyze information about how users interact with websites and mobile applications). The guidance specifically states that authenticated (i.e., pages requiring a log-in) and unauthenticated website pages containing tracking technologies could violate HIPAA and result in a Breach of Unsecured PHI. In July 2023, OCR and the Federal Trade Commission (“FTC”) jointly notified 130 providers that they may be deploying online tracking technologies in violation of HIPAA.
In response, on November 3, 2023, the American Hospital Association, along with the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (the “Plaintiffs”), filed a lawsuit against DHHS and the OCR. The Plaintiffs claim that OCR’s guidance inappropriately expands the definition of PHI to include data, such as internet protocol addresses, collected from unauthenticated public-facing provider webpages, even when the user has no existing relationship with the provider. The Plaintiffs are requesting that the Court intervene to prevent the OCR’s interpretation regarding tracking technologies on unauthenticated websites from being enforced.
Information Blocking Enforcement.
In November, the DHHS released a proposed rule that would establish three specific “disincentives” for healthcare providers that knowingly and unreasonably interfere with the access, exchange, or use of electronic health information in violation of the Information Blocking Rule. The disincentives, which will be coordinated through the CMS, are as follows:
- Pursuant to Meaningful Use, violations by an eligible hospital could result in the loss of 75 percent of the annual market basket increase (a methodology used to increase payments to adjust for, among other things, inflation);
- Under MIPS, an eligible clinician or group that violates the Information Blocking Rule would receive a zero score in the “Promoting Interoperability” performance category of MIPS, if required to report on that category. The Promoting Interoperability performance category score typically can be a quarter of a clinician or group’s total MIPS score in a year.
- Under the Medicare Shared Savings Program, a healthcare provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier would be deemed ineligible to participate in the program for at least one year. This may result in a healthcare provider being removed from an ACO or prevented from joining an ACO.
The proposed regulations can be found here: https://www.federalregister.gov/documents/2023/11/01/2023-24068/21st-century-cures-act-establishment-of-disincentives-for-health-care-providers-that-have-committed. Public comments on the proposed rule will be accepted through January 2, 2024.