Enacted around the time the general public started to access the internet, the Health Insurance Portability and Accountability Act is complex, and its reach is often misunderstood by companies.
Over the summer, in American Hospital Association v. Xavier Becerra, a federal court reined in HIPAA's reach by striking down parts of the U.S. Department of Health and Human Services' guidance related to third-party online tracking technologies on publicly available websites used to increase access to health information.
The definition of protected health information under HIPAA has generally included IP addresses and other device identifiers. However, lawmakers crafting HIPAA did not contemplate current technologies and digital platforms or the use of third-party tools to understand the effectiveness of websites.
HHS originally issued guidance on online tracking technologies in 2022, stating information about visitors to a public, unauthenticated website "is indicative that the individual has received or will receive health care services or benefits." Per the guidance, third-party tracking providers were considered business associates, requiring agreements with health care providers, and the definition of personal information was expanded to include an individual's IP address when they visited unauthenticated public websites, meaning websites that do not require logins.
The guidance was met with criticism, including from the American Hospital Association. In a 2023 letter, the association urged HHS to suspend the guidance, arguing it defined PHI too broadly and would impede access to credible health information. Instead of changing its position, HHS and the U.S. Federal Trade Commission sent warning letters to more than 100 hospitals.
The guidance was later softened in March 2024, likely in response to a threatened suit by the AHA and other organizations. Under the revised guidance, whether such interactions were PHI depended on the website visitor's subjective intent when visiting the website. However, the new guidance created additional confusion for covered entities because there was no practical way to discern the purpose or intent of a visit to most websites.
In the AHA case, the U.S. Federal Court in the Northern District of Texas struck down the guidance, ruling metadata, including IP addresses, was not PHI, and the guidance was "in clear excess of HHS's authority under HIPAA." The court noted individuals may go to websites for reasons other than the provision of health care, and the IP address alone "does not and cannot identify an individual or the individual's PHI without an unknowable subjective-intent element."
Interestingly, the decision came before the Supreme Court decision in Loper Bright Enterprises v. Raimondo, which overturned a 40-year-old precedent known as "Chevron deference" that gave regulatory agencies broad discretion to interpret ambiguous statutes. Many experts predict outcomes similar to the AHA case, as companies push back on regulatory interpretations by agencies like HHS.
The AHA decision did not vacate the HHS guidance entirely, implying a characterization in the guidance that PHI includes an IP address in combination with activity on an authenticatedwebpage, where someone is logged in or verified, remains.
Nevertheless, covered entities and health-care-adjacent businesses, which may not be subject to HIPAA but may be required to comply with the growing number of consumer health privacy laws, such as Washington state's My Health My Data Act, will likely continue to test the boundaries of regulatory authority. The MHMDA's broad definition of consumer health data is similar to the HHS guidance, but there may be similar pushback when personal information does not involve the specific health of an individual.
Track guidance, review current compliance and contracts
Since the 2022 HHS guidance was released, there has been an influx of class-action lawsuits brought against health care providers as well as additional scrutiny from regulators, including HHS and the FTC for website cookie and pixel use.
While the AHA and Loper Bright decisions do not immediately end such lawsutis or even change HIPAA's rules, they may make actions less attractive. In the interim period, HIPAA and the general legal landscape regarding health data remain unclear.
Companies processing health information should continue to:
- Closely monitor use of tracking technologies, particularly on authenticated sites, and how HHS updates its guidance considering the decision.
- Assess current health privacy compliance programs and notices to ensure they reflect current operations and determine whether additional disclosures may be needed.
- Conduct diligence on technology partners and evaluate the need for agreements with such partners, depending on what access they may have to health information.
Helena Engfeldt, CIPP/E, CIPP/US, and Rachel Ehlers are partners at Baker McKenzie.