If you are in the healthcare industry, you are likely well aware of the heightened scrutiny surrounding HIPAA compliance and the obligations organizations must fulfill when implementing online tracking technologies. Since the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services posted the dreaded bulletin in December 2022, many healthcare organizations have struggled to understand the ambiguity of the points throughout the bulletin and how they should operate in a way that mitigates risk to their organization.
If you are newer to this topic, I suggest you check out a previous post that discusses enforcement guidance, key definitions, and impact on analytics platforms. If you are already familiar, keep reading on as we have summarized recent updates in the court system that may (dare I say) show some promise to marketers in healthcare.
Wrapping Up 2023: Hospital Associations Pushing Against HHS Guidelines
At the end of 2023, the American Hospital Association (AHA), the Texas Hospital Association, and two health systems filed a lawsuit in the U.S. District Court for the Northern District of Texas.
Supported by numerous provider and state hospital associations, the lawsuit contended that the HHS Bulletin enforced new rules without giving healthcare organizations adequate notice and argued that the bulletin improperly expanded the definition of “individually identifiable health information” under HIPAA, exceeding the HHS’s authority. Additionally, they claimed that prohibiting the use of trackers hindered healthcare organizations’ ability to provide quality care and effectively reach patients.
Recent Federal Court Ruling: June 2024
On June 20, the Federal Court ruled that the HHS Guidance, published in December 2022, which prohibited healthcare organizations from using third-party online tracking technologies on their public websites, was unlawful.
This decision was handed down by U.S. District Judge Mark T. Pittman, who issued an order that echoed the sentiments of many healthcare organizations nationwide. They argued that HHS had overstepped its legal authority with this guidance. This order highlighted that the tracking of metadata was an excessive interpretation of “individually identifiable health information” and asked to void the previous guidance provided by the HHS.
Okay, cool. Thanks for the legal jargon … but what does this mean for me as a healthcare marketer?
In short, the above seems to be allowing for more leniency for orgs that are leveraging tools like Google Analytics for measurement. For example, previously, a healthcare organization would be in violation of the HHS Guidance in circumstances where their online technology could connect an individual’s IP address (which generally happens at some level when a pixel is on a website) with a visit to an unauthenticated webpage. The court vacated this guidance and the HHS is evaluating next steps in light of this order.
At this time, the restrictions on tracking general browsing of a provider’s public-facing web page on non-authenticated pages do not meet the definition of individually identifiable health information (IIHI) under HIPAA when certain conditions are met.
Marketers should always be mindful whenever multiple identifiers are in place that could potentially connect an individual with health information as the compliance risks increase. Some examples include tracking on authenticated pages (highly sensitive), but also expand to what may be collected on other pages that could prove sensitive, such as appointment scheduling, find a doctor flows for a certain condition, and product pages for a specific ailment.
What’s Next?
At InfoTrust, we work with numerous clients in the healthcare industry who are affected by the recent HHS Guidance. Navigating the past year has been challenging due to the complexities of the original HHS Bulletin and its impact on deploying tracking technology on healthcare websites.
However, there is good news. We have developed solutions for tracking that are already in place for several clients who initially removed all technology from their sites due to concerns about the legislation. More positive developments may be on the horizon as we observe the ongoing efforts by hospital associations across the country, with many of them (at least ⅓) currently using pixels on their websites.
For more information on how HIPAA legislation impacts your analytics platforms, and general best practices for risk mitigation, feel free to check out my previous post or contact us today!
