A United States District Court Judge in Texas today ruled in favor of the AHA, Texas Hospital Association, and hospital plaintiffs, agreeing that Department of Health and Human Services “bulletins” that restrict health care providers from using standard third-party web technologies that capture IP addresses on portions of their public-facing webpages were unlawful final rules and vacating the March 2024 Revised Bulletin.

“It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance,” United States District Court Judge Mark Pittman wrote today. “But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power.…  While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements.…  The Court GRANTS the Hospitals’ request for declaratory judgment and DECLARES that the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS’s authority under HIPAA.”

The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, last November sued the federal government to bar enforcement of an unlawful rule, masquerading as guidance, that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their own website traffic to enhance access to care and public health. In response to the lawsuit, HHS OCR in March issued updated guidance for HIPAA-covered entities and business associates on using online tracking technologies. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in today’s ruling.

AHA General Counsel Chad Golder stated, “For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text.’ As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”

Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in this lawsuit.

Related News Articles

Headline
The Department of Health and Human Services July 10 released a proposed rule designed to improve health information sharing and interoperability. The Health…
Headline
The Department of Health and Human Services June 24 released a final rule that would disincentivize health care providers for interfering with the access,…
Headline
The AHA June 14 sent a letter to the Senate Finance Committee, responding to questions included in a white paper the committee wrote on chronic care through…
Headline
The Centers for Disease Control and Prevention June 13 issued a Health Alert Network Health Advisory following a federal health care fraud indictment against…
Headline
The House Energy and Commerce Committee June 12 passed AHA-supported legislation during a markup of bills that passed the Health Subcommittee in May. The…
Headline
The House Energy and Commerce Subcommittee on Health May 16 passed a number of bills during a markup session, including AHA-supported legislation. The…