On June 20, the U.S. District Court for the Northern District of Texas held that the US Department of Health and Human Services exceeded its authority by issuing a guidance bulletin that warned HIPAA regulated entries that tracking visitors to web pages with content about health conditions or health care providers is governed by the HIPAA privacy rule.
The HHS concern is focused on the disclosure of “protected health information” or “PHI” to tracking vendors given such disclosures are subject to particular legal requirements. Similar to the law in Ontario, PHI is only information about an identifiable individual that “relates to” the provision of health care.
The HSS bulletin distinguishes the following two scenarios to explain when the HIPAA privacy rule does and does not apply:
- For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
- However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.
The Court held that the required connection between the information and the provision of health care can not be based on the subjective intent of visitors if the website does not collect any information about subject intent. Without such a collection, the Court held, there is only a “speculative inference” about the visitor’s health and interest in or need for health care, too weak of a connection to meet the “relates to” criterion.
American Hospital Association v Becerra, 2024 WL 3075865.