New HHS Rule Upsets the Balance That HIPAA Strikes Between Privacy and Information-Sharing
WASHINGTON (November 2, 2023) — The American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, today sued the federal government to bar enforcement of an unlawful, harmful, and counterproductive rule that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.
“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites. We cannot understand why HHS created this ‘rule for thee but not for me,’” said Rick Pollack, AHA President and CEO.
Today’s lawsuit challenges a “Bulletin” issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) entitled, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” This December 2022 “Bulletin” restricts hospitals from using standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing webpages that address health conditions or health care providers. For example, under HHS’ new rule, if someone visited a hospital website on behalf of her elderly neighbor to learn more about Alzheimer’s disease, a hospital’s use of any third-party technology that captures an IP address from that visit would expose that hospital to federal enforcement actions and significant civil penalties.
“Simply put, OCR’s new rule harms the very people it purports to protect,” Pollack said. “The federal government’s repeated threats to enforce this unlawful rule tie hospitals’ hands as trusted messengers of reliable health care information.”
Hospitals and health systems have long honored the core objectives of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), America’s primary health care privacy law. Congress enacted this law to strike a balance between protecting patients’ health information and ensuring the flow of information needed to provide communities with high quality care. The Bulletin, which HHS issued without consulting health care providers, third-party technology vendors, or the public at large, upsets HIPAA’s careful balance, preventing hospitals from using commonplace web technologies to analyze use of their websites and communicate effectively with the populations they serve.
As alleged in the Complaint, HHS’ Medicare.gov, the Department of Defense Military Health System and Defense Health Agency, and various U.S. Veterans Health Administration sites continue to use these third-party technologies despite being covered entities under HIPAA. For example, forensic tools revealed that the Veterans Health Administration uses analytics and advertising tools on a wide range of sites, including online resources that describe the symptoms of post-traumatic stress disorder and point veterans to available treatment options. While dozens of hospitals across the country have received enforcement threats, and hospitals are currently under active investigation by OCR, the federal government has not halted its own use of these vital tools.
Web tools that are ineffective without access to IP-address information include:
Analytics software that converts interactions with hospital web pages into critical data, such as the level and concentration of community concern on particular medical questions or the areas of a hospital website on which people have trouble navigating.
Video technologies that allow hospitals to offer a wide range of information and education materials to the public, including visuals that educate the community about particular health conditions and that allow visitors to virtually tour the facilities where particular procedures are performed.
Translation and accessibility services that help persons with limited English proficiency and people with disabilities access vital health care information on hospitals’ webpages.
Digital maps that provide information about where health care services are available, including embedded applications that provide public transportation schedules or driving directions to and from a community member’s location.
The suit alleges that HHS’s new rule exceeds its statutory authority under HIPAA. That statute allows hospitals to rely on third-party tools that capture IP address information because that information cannot reasonably be used to identify the individual whose health care relates to the webpage visit. By reaching beyond the law to restrict use of these common tools on public-facing webpages, OCR exceeded its statutory authority. In addition to exceeding its statutory authority under HIPAA, the suit alleges that OCR unlawfully issued this Bulletin without providing any reasoning supporting its novel legal assertions, without acknowledging the government’s own use of implicated third-party technologies, and without following required notice-and-comment rulemaking processes. Prior to issuing this rule, the federal government did not consult with hospitals and health systems about their use of third-party technologies that depend on the collection of IP addresses or the impact that its new rule would have on patients or communities. Instead, the agency began aggressively threatening regulatory enforcement and serious civil penalties against hospitals and health systems. After attempts to engage with HHS officials to educate them about the impact of their new rule, the AHA determined it was necessary to file suit on behalf of its members to prevent the agency from unlawfully penalizing hospitals.
For additional information about the lawsuit, a copy of the complaint can be found on AHA’s webpage.
About the American Hospital Association
The American Hospital Association (AHA) is a not-for-profit association of health care provider organizations and individuals that are committed to the health improvement of their communities. The AHA advocates on behalf of our nearly 5,000 member hospitals, health systems and other health care organizations, our clinician partners – including more than 270,000 affiliated physicians, 2 million nurses and other caregivers – and the 43,000 health care leaders who belong to our professional membership groups. Founded in 1898, the AHA provides insight and education for health care leaders and is a source of information on health care issues and trends.
About the Texas Hospital Association
Founded in 1930, the Texas Hospital Association (THA) is the leadership organization and principal advocate for the state’s hospitals and health care systems. Based in Austin, THA enhances its members’ abilities to improve accessibility, quality and cost-effectiveness of health care for all Texans. One of the largest hospital associations in the country, THA represents 452 of the state’s non-federal general and specialty hospitals and health care systems, which employ some 400,000 health care professionals statewide.
About Texas Health Resources
Texas Health Resources is a faith-based, nonprofit health system that cares for more patients in North Texas than any other provider. With a service area that consists of 16 counties and more than 7 million people, the system is committed to providing quality, coordinated care through its Texas Health Physicians Group and 29 hospital locations under the banners of Texas Health Presbyterian, Texas Health Arlington Memorial, Texas Health Harris Methodist and Texas Health Huguley. Texas Health access points and services, ranging from acute-care hospitals and trauma centers to outpatient facilities and home health and preventive services, provide the full continuum of care for all stages of life. The system has more than 4,100 licensed hospital beds, 6,400 physicians with active staff privileges and more than 29,000 employees.
About United Regional Health Care System
United Regional Health Care System is located in Wichita Falls, Texas, and provides comprehensive medical care including inpatient and outpatient services, advanced diagnostics, surgical specialties, and life-saving emergency care to a nine-county service area. We have the area’s only Level II Trauma Center and serve as the Primary Stroke Center for the region. United Regional’s passion is to provide excellence in health care for the communities we serve. To accomplish this passion, the System continues to reinvest in advanced technology, modern facilities, and the recruitment and retention of highly skilled employees and physicians to ensure that the current and future medical needs of the area are met.