Texas Judge Rules HHS’ Web Tracking Guidance Is Unlawful

A Texas judge has ruled in Am. Hosp. Ass’n v. Becerra that the Department of Health and Human Services (HHS) does not have the authority to restrict medical providers’ use of tracking technologies, aka “cookies” or “pixels.” The issue in the case was whether information gathered through the use of cookies, such as the IP address of a person’s device and their search activity on the medical provider’s website, qualifies as individually identifiable health information. The court concluded that it does not.

Background & Proscribed Combination

In 2022, HHS published a Bulletin stating the information gathered by tracking technologies like Google Analytics and the Meta Pixel on healthcare providers’ websites constituted the health information of the person browsing the website. The disclosure of that information to Google and Meta was an unauthorized disclosure of health information in violation of HIPAA. The HHS Bulletin was challenged by the American Hospital Association (AHA).

The Court ruled that HHS exceeded their authority by stating a person’s IP address combined with a visit to a medical provider’s website addressing health conditions or healthcare providers constituted individually identifiable health information. HHS claimed that if cookies link an individual’s IP address to their health-related search activity, it constitutes health information about that individual protected by HIPAA. For example, if Person A searches a medical provider’s website for information about Condition B, it might indicate Person A has Condition B. This combination of a person’s IP address and their search activity was called the “Proscribed Combination.”

Ruling on HHS Revisions

In response to the lawsuit by the AHA, HHS had revised their Bulletin and stated that when a tracking technology connects an individual’s IP address with a visit to a website, it is individually identifiable health information if the individual visited the website with the intent to address the individual’s own specific health concerns. The Court found the additional intent element did not save the HHS guidance.

The Court stated that when an individual visits a health provider’s website, it is impossible for the health provider to know if the individual is searching for information about their own health condition, or the health condition of a family member, friend, or any other third person. The individual may also just be searching for general information not related to their own health condition.

The Court pointed out that the medical provider cannot possibly know the intent of an individual that browses their website. Without knowing a visitor’s intent, the information gathered could not reasonably identify the individual’s health information and medical providers. The individual’s subjective intent was insufficient to make the Proscribed Combination individually identifiable health information. Since the Proscribed Combination cannot indicate if someone is researching health information for themselves or someone else, it was unlawful for HHS to classify this as a person’s health information.

The Court used language that was very critical of HHS’ actions. The Court stated that HHS had engaged in sleight of hand, that it sought to backtrack after having been caught with its hand in the cookie jar, and that the case is about our nation’s limits on executive power.

Implications for Medical Providers

The reach of this case can go far beyond the striking down of HHS’ creation of the Proscribed Combination as a new type of individually identifiable health information.

Throughout the country, plaintiffs’ attorneys have filed class action lawsuits against hospitals claiming the hospitals are unlawfully disclosing individually identifiable health information to companies like Google and Meta by using their cookies or pixels. The Texas ruling will now be used by hospitals to show that the use of tracking technologies like Google Analytics or the Meta Pixel is not an unlawful disclosure of health information and does not violate HIPAA.

If you are a medical provider and have any questions about the proper use of tracking technologies on your website, please contact the Hall Booth Smith Data Privacy & Cybersecurity team.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.