Last Updated: November 14, 2024
Disclaimer: The information provided here is not intended to be, and does not constitute legal advice. This is merely our point of view on the court ruling. Customers should seek their own legal advice in connection with the topics discussed in this FAQ.
This blog post has been created as a guide so that you can understand the potential impact of the ruling involving the AHA lawsuit that challenged OCR’s interpretation of PHI in its 2022 bulletin regarding the use of online tracking technologies.
Background
In December 2022, the Office for Civil Rights (the “OCR”) at the US Department of Health and Human Services (“HHS”) issued a bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (the “Bulletin”) stating that data collected by tracking technologies about how users interact with the websites or mobile applications of a covered entity (such as a hospital) is PHI.
Specifically, HHS stated that data about a visitor collected on a regulated entity’s website or mobile application generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the data, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. As such, any covered entity sharing this type of data with a downstream vendor would be required to treat the vendor as a business associate. On March 18, 2024, the OCR revised its guidance without fundamentally changing its above-stated interpretation of PHI.
The OCR’s perspective was that PHI had always encompassed the above-mentioned types of data. In contrast, many healthcare organizations expressed that this was a new interpretation of HIPAA that imposed additional obligations on covered entities.
In late 2023, the American Hospital Association (AHA) filed a lawsuit challenging the broad interpretation of this definition of PHI laid out in the Bulletin.
On June 20, 2024, the US District Court for the Northern District of Texas found that HHS exceeded its authority in certain parts of the Bulletin with regard to unauthenticated visitors to a covered entity’s digital property (website, mobile application, etc.).
What Does This Ruling Mean to Healthcare Organizations?
The court found that the OCR exceeded the scope of its authority in key parts of the Bulletin, vacating those portions that contained the OCR’s broader interpretation of PHI.
Accordingly, a user’s IP address and data associated with that user’s activity on a covered entity’s unauthenticated website or mobile application is not PHI, if the data is not known to be related to the user’s past, present, or future physical or mental health or condition, or payment for healthcare.
It is important to note that the ruling does not address the rest of OCR’s guidance, in the Bulletin or elsewhere. Nor does the ruling address web pages or mobile applications where the user is authenticated; it only addresses unauthenticated visitors.
In Which Scenarios Is Information Collected From An Unauthenticated Digital Property Considered PHI?
The ruling is limited to the collection of IP addresses and does not specifically mention other forms of PII that are more identifiable than IP addresses, such as email addresses and phone numbers.
In addition, the ruling only addresses data collected in connection with visitors’ activity on a covered entity’s unauthenticated websites or mobile apps if the activity is not related to the user’s past, present, or future physical or mental health or condition, or payment for healthcare.
This means the ruling may not extend to scenarios where an unauthenticated visitor indicates, within the website or mobile app, that the visit is related to their own healthcare. Examples of this include:
- The visitor specifies a reason for seeking healthcare for themselves
- The visitor specifies their email address, phone number, home address, etc.
What About Authenticated Websites or Mobile Apps?
The ruling only addresses unauthenticated websites and mobile apps. The remainder of the Bulletin, including tracking on authenticated websites, mobile apps, and patient portals, was not addressed.
This means data (including IP address) collected by tracking technologies on covered entities’ authenticated websites or mobile apps may constitute PHI, and may therefore be subject to HIPAA regulations.
Is This Ruling Final?
As of this blog post update date, HHS has not appealed the ruling.
Key Takeaways
- The court ruling says that an IP address and data associated with the user’s visit to an unauthenticated website or mobile app that discusses specific medical conditions, symptoms, etc. is not PHI, if the visit is not related to the user’s past, present, or future physical or mental health or condition or payment for healthcare.
- If the visitor indicates that they are seeking healthcare or provides PII that is more specific than an IP address, then the data collected may be considered PHI and may need to be handled in a manner that complies with HIPAA.
- The ruling doesn’t address authenticated websites or mobile apps. These may be subject to HIPAA regulations.
- Tealium still maintains that having a flexible data framework (such as the one Tealium for Healthcare provides) gives Covered Entities end-to-end control of patient data and gives them the ability to be nimble in the face of ever-changing laws and regulations.