A United States District Court Judge in Texas today ruled in favor of the AHA, Texas Hospital Association, and hospital plaintiffs, agreeing that Department of Health and Human Services “bulletins” that restrict health care providers from using standard third-party web technologies that capture IP addresses on portions of their public-facing webpages were unlawful final rules and vacating the March 2024 Revised Bulletin.

“It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance,” United States District Court Judge Mark Pittman wrote today. “But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power.…  While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements.…  The Court GRANTS the Hospitals’ request for declaratory judgment and DECLARES that the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS’s authority under HIPAA.”

The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, last November sued the federal government to bar enforcement of an unlawful rule, masquerading as guidance, that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their own website traffic to enhance access to care and public health. In response to the lawsuit, HHS OCR in March issued updated guidance for HIPAA-covered entities and business associates on using online tracking technologies. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in today’s ruling.

AHA General Counsel Chad Golder stated, “For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text.’ As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”

Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in this lawsuit.

Related News Articles

Headline
The FBI, along with the National Security Agency, Cyber National Mission Force and United Kingdom’s National Cyber Security Centre, today released a joint…
Headline
The Department of Justice last week announced a new strategic approach to combating cybercrime which involves "using all tools” to disrupt cybercriminals and…
AHA Cyber Intel
With 386 health care cyber-attacks reported thus far in 2024, data-theft crimes and ransomware attacks against health care and our mission-critical third-party…
Perspective
When hospitals are attacked, lives are threatened. This is the reality our entire field faces every day. But the never-ending barrage of ransomware and…
Headline
The Department of Health and Human Services Sept. 30 released a statement on the dockworker strike at ports along the East and Gulf coasts, saying that…
Headline
The Department of Health and Human Services’ Office of Inspector General Sept. 24 recommended that additional oversight is needed to ensure that remote patient…