Introduction
This article aims to provide a succinct summary of the recent news regarding the HIPAA 3rd party tracking lawsuit challenge by the American Hospital Association (AHA) against the US Department of Health and Human Services (HHS).
If you want the full lawyer explanation, there’s an article here from McDermott Will & Emery that summarizes everything nicely. I also like the explanation from Freshpaint on the nuances of the ruling from their perspective (being a healthcare privacy platform after all)
The goal here is to provide easy to read, but accurate, bullet points.
Background
- In December 2022, HHS updated HIPAA guidance, stating that tracking technologies on healthcare websites could violate privacy rules.
- The American Hospital Association (AHA) filed a lawsuit in November 2023 challenging part of this guidance.
Recent Court Ruling (June 20, 2024):
- A Texas judge ruled that HHS overstepped by considering an IP address plus a visit to a public health webpage as automatically protected health information (PHI).
- However, this ruling is narrow and DOES NOT invalidate other parts of the HIPAA guidance.
What This Means:
- Healthcare organizations may have more flexibility with tracking on public web pages.
- But many privacy concerns and regulations still apply.
Key Points to Remember:
- Most of the HIPAA guidance is still in effect, including rules for password-protected pages and healthcare apps.
- HHS is likely to appeal this decision, which could lead to a long legal process including a stay of the current regulations.
- Other privacy concerns remain, including:
- FTC enforcement (separate from HIPAA)
- State privacy laws (some stricter than federal rules)
- Risk of class action lawsuits
- Consumer expectations for privacy
Advice for Healthcare Organizations:
- Don’t make major changes yet – wait for potential appeals or updates.
- Continue to prioritize patient privacy across all platforms.
- Consider using HIPAA-compliant solutions for tracking and marketing.
- Be aware of various privacy laws and regulations beyond just HIPAA.
The Big Picture:
- Privacy in healthcare remains a complex and evolving issue.
- Organizations should aim to protect patient data beyond minimum legal requirements to maintain trust and avoid potential legal issues.