A United States District Court Judge in Texas today ruled in favor of the AHA, Texas Hospital Association, and hospital plaintiffs, agreeing that Department of Health and Human Services “bulletins” that restrict health care providers from using standard third-party web technologies that capture IP addresses on portions of their public-facing webpages were unlawful final rules and vacating the March 2024 Revised Bulletin.

“It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance,” United States District Court Judge Mark Pittman wrote today. “But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power.…  While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements.…  The Court GRANTS the Hospitals’ request for declaratory judgment and DECLARES that the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS’s authority under HIPAA.”

The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, last November sued the federal government to bar enforcement of an unlawful rule, masquerading as guidance, that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their own website traffic to enhance access to care and public health. In response to the lawsuit, HHS OCR in March issued updated guidance for HIPAA-covered entities and business associates on using online tracking technologies. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in today’s ruling.

AHA General Counsel Chad Golder stated, “For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text.’ As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”

Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in this lawsuit.

Related News Articles

Headline
A non-malicious global technology outage that began in the early morning of July 19 is continuing to affect many industries and is having varying effects on…
Headline
John Riggi, AHA’s national advisor for cybersecurity and risk, participated July 18 as the opening keynote speaker in the Information Security Media Group’s…
Headline
The Department of Health and Human Services July 10 released a proposed rule designed to improve health information sharing and interoperability. The Health…
Headline
A joint advisory issued the week of July 8 by the Cybersecurity and Infrastructure Security Agency, National Security Agency, FBI and several international…
Headline
The AHA July 2 submitted comments to the Cybersecurity and Infrastructure Security Agency on its proposed rule establishing reporting requirements for…
Headline
The Department of Health and Human Services Health Sector Cybersecurity Coordination Center June 27 issued an alert about a critical vulnerability in MOVEit, a…