What the Vacated HHS Online Tracking Bulletin Does & Doesn’t Mean for Hospitals and Healthcare Organizations

Melissa Placzkowski

Melissa is VP Platform Security and Compliance at Unlock Health. She has more than 17 years of experience in the healthcare digital marketing industry. Her deep understanding of changing platform technologies and passion for data and privacy best practices allows her to help clients navigate the changing landscape of healthcare marketing.

On June 20, 2024, a federal judge issued a landmark decision in a closely watched case in which the American Hospital Association (AHA) sued the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to vacate guidance previously issued by HHS.

The ruling in favor of the AHA, the Texas Hospital Association, and additional plaintiffs found that the HHS bulletin released in December 2022 and updated in March 2024, which restricted healthcare providers from using web technologies that capture IP addresses on portions of public-facing webpages, was unlawful, and it vacated the portion of the OCR bulletin identified in the court’s opinion.

However, it is important to understand what the ruling did and did not vacate. We can expect to see continued activity on this front as the OCR evaluates the decision and any potential next steps it may take. Read on to understand what the decision means for hospitals and healthcare organizations.

The Backstory: OCR’s IP Address & Intent Guidance

As many in the healthcare industry are likely aware, the OCR’s December 2022 bulletin caused many covered entities to step back and reevaluate the tracking methods and other technologies used on healthcare websites. IP addresses drew the most scrutiny under the new guidance, which treated the combination of a user’s IP address and that user’s visit to an unauthenticated webpage as protected health information (PHI). Many struggled to work out what this meant for their technologies, since patients and consumers routinely rely on tools such as Google Translate, Google Maps, or third-party video providers (none of which will sign a business associate agreement (BAA)) as basic, necessary resources when using a healthcare provider’s website.

OCR updated the bulletin in March 2024 in an attempt to clarify some of the grey area. It stated that a user’s intent when visiting a site would dictate whether or not the information collected constituted PHI. However, since no one can divine a user’s intent, the updated bulletin provided no real relief or clarity.

The AHA, joined by other plaintiffs (e.g., the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System) argued that this guidance was unlawful and upended healthcare entities’ ability to share important healthcare information with the communities they serve. The plaintiffs also argued the guidance restricted visibility into their own website traffic, metrics, and efficiencies and thus filed suit in November 2023.

The Fate of the ‘Proscribed Combination’

It is important to note that the ruling is specific to the “proscribed combination” as outlined in the opinion, which states, “Where an online technology connects (1) an individual’s IP address with (2) a visit to an Unpublished Web Page (UPW) addressing specific health conditions or healthcare providers.”

The court ruled that the OCR overstepped its boundaries. “In particular,” the court’s opinion reads, “the Original Bulletin appeared to shoehorn additional information into the [individually identifiable health information (IIHI)] definition. The Original Bulletin provided several hypotheticals that trigger HIPAA obligations … HHS says this new rule (the “Proscribed Combination”) was an example to highlight privacy concerns; covered entities saw it as an entirely new obligation.”

Another important point is that the court did not say an IP address is not identifiable to an individual. As OCR continues to include it in the list of identifiers at this time, we should assume that an IP address will remain an identifier. This means it will be important to continue treating IP addresses, and any other identifiers, with care.

The Upshot for Healthcare Organizations

It again comes down to intent.

While the “proscribed combination” of IP address plus unauthenticated webpage does not constitute PHI, we still need to be mindful of intent and of how far a visitor’s interaction with the site goes.

The opinion states, “Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).” So that’s the good news.

However, once we do know the reason for someone’s visit — for example, through more defined actions (e.g., making an appointment or filling out a form) — it changes how that data should be treated. When someone visits a website and browses, there’s no way of knowing why they are there. Once someone gives further indication of their intent, or provides personal information, care must be taken to treat the information with appropriate PHI protocols.

What’s Staying the Same?

The ruling does not apply to or change the previous guidance, the treatment of PHI, or the treatment of authenticated web pages or any other HIPAA identifier. Regulated entities must still ensure that any disclosures of PHI are permitted by the Privacy Rule, and that they enter into a BAA with any tracking technology vendors with whom they share PHI.

What Happens Next?

Granting partial summary judgment to the plaintiffs, the court declared the “proscribed combination” unlawful and ordered its vacatur. This means the guidance related to the “proscribed combination” cannot be enforced and must be removed from the guidance.

It remains to be seen what position HHS will take in response to the declaration, or if it will appeal the decision.

While this decision is a relief of some of the pressure around IP address, the broader topic of website tracking will continue to be important for covered entities. As consumers feel the need to protect their data and privacy in an increasingly digital world of rapidly changing technologies, healthcare entities must find an appropriate balance.

Unlock’s Take: Cautiously Conservative

We recommend continuing to operate with a cautiously conservative approach while this continues to play out. It should not be a carte blanche opportunity to blatantly start sharing or transmitting website data that could potentially be sensitive in nature.

Unlock’s approach is to continue to leverage tracking methodologies that are safe, compliant, and effective while continuing to watch these developments and to use technologies such as Tealium™ to have full control over your data governance strategy.

It is likely we will see a rebuttal, appeal, or some other objection from the OCR and, potentially, additional updates to tracking technology regulations. Thus, before changing any marketing or data collection strategy, we advise reviewing forthcoming updates.

Want to Learn More About Healthcare Privacy & Security?

Talk to one of our compliance experts, who can help you navigate your marketing strategies. Learn how Unlock can help you achieve your marketing goals in a HIPAA-compliant way. Unlock offers a variety of technology solutions and privacy products to give you and your organization peace of mind.

Check out our partners at McDermott Will & Emery, who can help your team craft the right approach, and read more detail about this ruling.

The thoughts and opinions expressed in this blog post are for informational purposes only and should not be taken as legal advice. The author of this blog post is not a lawyer and does not provide legal services. If you have any legal questions, you should consult with a licensed attorney in your jurisdiction.