American Hospital Association v. Becerra: Are Tracking Tools OK Again? Federal Court Dials Back Office for Civil Rights Bulletin
Healthcare and privacy attorneys Paul Bond, Shannon Hartsfield and Beth Pitman co-authored an article for the Employee Benefit Plan Review analyzing a federal court decision regarding the use of online tracking tools on healthcare providers' unauthenticated webpages. The case, American Hospital Association v. Becerra, arose from a 2022 U.S. Department of Health and Humans Services (HHS) Office of Civil Rights (OCR) bulletin stating that these tools, which often involve cookies or pixels, implicated HIPAA because individually identifiable health information (IHII) collected on these websites generally constituted protected health information (PHI), even if the website visitor was not a patient. The ruling issued in June 2024 from the U.S. District Court for the Northern District of Texas, Fort Worth Division, declared part of the OCR bulletin unlawful, finding it required "covered entities to perform the impossible" by discerning the motives of webpage visitors to achieve compliance with HIPAA. The authors deem this decision a victory for hospitals, contending that though it does not immediately end the swath of class action lawsuits facing providers, it should make future litigation less attractive to plaintiffs. Their article summarizes the case background, court's reasoning and best practices for providers moving forward.
The attorneys also published a Holland & Knight alert on this topic.