Federal Judge Rules that Online Tracking Technologies Guidance Exceeded HHS’ Authority

On June 20, 2024, the U.S. District Court for the Northern District of Texas, Fort Worth Division, ruled that guidance issued by the U.S. Department of Health and Human Services (“HHS”) relating to online tracking technologies exceeded HHS’ authority and ordered that it be vacated.

As previously reported, on December 1, 2022, HHS released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules when using online tracking technologies. The Bulletin provided several hypotheticals that trigger HIPAA obligations, including when an online technology connects (1) an individual’s IP address with (2) a visit to an unauthenticated public webpage addressing specific health conditions or healthcare providers (the “Proscribed Combination”). The American Hospital Association and other plaintiffs viewed the Proscribed Combination as a new rule and sued to stop enforcement of the rule. Both parties moved for summary judgment and, days before HHS’ brief was due, HHS revised the bulletin, softening its language and stating that it does not have the force and effect of law.

In the case, American Hospital Association v. Becerra, No. 4:23-cv-01110-P, the Court began the quippy decision by stating “Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”) in 1996 because health information needed more protections and the world needed more acronyms.” The Court then went on to agree with the plaintiffs, ruling that HHS exceeded its authority because the bulletins improperly created substantive legal obligations for covered entities with respect to the Proscribed Combination.

The Court rejected the plaintiffs’ request for a permanent injunction to enjoin HHS from enforcing the Proscribed Combination. Instead, the Court declared the Proscribed Combination unlawful and ordered that it be vacated.
