Judge rules in favor of AHA vacating HHS online tracking ‘bulletin’ as unlawful and beyond agency authority

Jun 20, 2024 - 05:36 PM
Cybersecurity woman IT professional

A United States District Court Judge in Texas today ruled in favor of the AHA, Texas Hospital Association, and hospital plaintiffs, agreeing that Department of Health and Human Services “bulletins” that restrict health care providers from using standard third-party web technologies that capture IP addresses on portions of their public-facing webpages were unlawful final rules and vacating the March 2024 Revised Bulletin.

“It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance,” United States District Court Judge Mark Pittman wrote today. “But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power.…  While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements.…  The Court GRANTS the Hospitals’ request for declaratory judgment and DECLARES that the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS’s authority under HIPAA.”

The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, last November sued the federal government to bar enforcement of an unlawful rule, masquerading as guidance, that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their own website traffic to enhance access to care and public health. In response to the lawsuit, HHS OCR in March issued updated guidance for HIPAA-covered entities and business associates on using online tracking technologies. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in today’s ruling.

AHA General Counsel Chad Golder stated, “For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text.’ As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”

Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in this lawsuit.

Related News Articles

Headline
FBI Co-deputy Director Andrew Bailey discusses current cyber and physical threats, rise of AI
FBI Co-deputy Director Andrew Bailey discussed a rise in cyber and physical threats impacting health care. He discussed health care as the top critical…
Headline
AI in health care: Experts discuss the future of AI practices and policies
Jim VandeHei, CEO of Axios; Marc Boom, M.D., AHA board chair and president and CEO of Houston Methodist; Anne Klibanski, M.D., president and CEO of Mass…
Headline
CMS Administrator Oz and Deputy Administrator Brillman discuss agency’s focus on innovation, reducing waste
Centers for Medicare & Medicaid Services Administrator Mehmet Oz, M.D., and CMS Deputy Administrator and Director of Medicaid and CHIP Dan Brillman sat…
Headline
HSCC releases guide on third-party AI risk, supply chain transparency
The Health Sector Coordinating Council’s Cybersecurity Working Group has released a guide on third-party artificial intelligence risk and AI supply…
Headline
CMS accepts more than 150 organizations for participation in ACCESS Model, extends application deadline
The Centers for Medicare & Medicaid Services April 13 announced that more than 150 organizations have been accepted to participate in the launch of its…
Headline
FBI: Health care was top target for ransomware, other cyberthreats in 2025 
Health care and public health was the top sector targeted for cyberthreats in 2025, according to the FBI’s latest annual report on internet crimes. There were…