- Hospitals not entirely off hook with HHS guidance blocked
- Health agency could appeal or release new guidance
US hospitals should proceed with caution in resuming the use of popular technology that collects user information while the Biden administration weighs a response to a court order greenlighting the practice.
The US Department of Health and Human Services had issued guidance requiring health providers to take extra steps to protect data that third parties could use to identify website users who look up online information about their conditions. Google Analytics, YouTube, and other technologies commonly used by hospitals were among those the HHS had tried limiting through the guidance widely opposed by healthcare providers, according to a person familiar with the industry response.
A federal judge in Texas on Thursday backed the industry, blocking the HHS effort by vacating the guidance and putting the ball back in the agencyâs court for how to respond.
Thursdayâs order âgives hospitals some reprieve from what has clearly always been an over broad guidance,â said Kirk Nahra, co-chair of WilmerHaleâs Big Data Practice and Cybersecurity and Privacy Practice. He said that the HHS could have used its guidance to show hospitals âhow best to approach a very common practice – instead it is using this guidance as a basis for enforcement proceedings.â
The HHS âcreated mass confusion and led hospitals and others to make changes that make it harder for patients to get information and use hospital web sites.â
The decision likely isnât the last action on the guidance. HHS can appeal the ruling to the US Court of Appeals for the Fifth Circuit or release new guidance that fits within the scope of the judgeâs ruling. Another option is proposing a formal regulation, though such a move may prove difficult to implement with the US presidential election only months away.
âThe storyâs not over yet,â said Leon Rodriguez, who led the Obama administration HHSâ Office for Civil Rights. âI have to think that HHS is not going to just sort of say uncle here and leave the issue.â
Controversial Guidance
Authored by Judge Mark T. Pittman of the US District Court for the Northern District of Texas, the decision found that HHS lacked authority to issue its guidance.
That guidance laid out how health providers were to use online tracking technologies without running afoul of the 1996 Health Insurance Portability and Accountability Act, or HIPAA, a move that was targeted by hospital and health groups with litigation.
The case wasnât âreally about HIPAA,â but rather âour nationâs limits on executive power,â wrote Pittman, who was appointed by former President Donald Trump and has been identified as part of an effort for conservatives to âjudge shopâ for challenges to Biden administration policies.
HHS spokespeople didnât immediately respond to a request for comment on the order.
However the HHS ultimately responds to the ruling, it could face resistance.
âThere is this trend in the courts to really dial back agenciesâ ability, not only to get guidance, but even to regulate,â said Rodriguez, pointing to the Supreme Courtâs Loper Bright Enterprises v. Raimondo. A decision in that case is expected by the end of the month and could limit HHS and other agencyâs ability to defend their policies in court.
Some attorneys said that the decision accurately highlights flaws in the HHS guidance.
The guidance was âvery difficult to interpretâ and âunclear and contradictory,â said Linn Freedman, chair of Robinson + Coleâs Data Privacy + Cybersecurity practice. The decision, she said, was validating for hospitals that were struggling with it.
âPeople surf websites for all sorts of reasons, none of which necessarily has to do with their own health. It is impossible for health care entities to know why someone is looking at their website,â Freedman said.
The HHSâs first stab at guidance was through a 2022 bulletin. In 2023, the American Hospital Association and others sued the HHS over the guidance. In March of this year, the agency updated the guidance to assuage the plaintiffsâ concerns, though it wasnât enough to drop the case.
Prior to suing the HHS, the AHA had spent time meeting with the agency to work out a compromise, a person familiar with the meetings said. The negotiations with HHSâs Office of Civil Rights were ultimately unsuccessful, the person said.
Hospital Response
Even though the HHS can no longer enforce its guidance following Thursdayâs order, âadvice across the industryâ has likely remained to proceed with caution, according to Brad M. Rostolsky, member of the Health Care & FDA Practice in Greenberg Traurigâs Philadelphia office.
Likely, the decision âlets folks reset back to pre-original guidance times for the moment, with the caveat that we know that the Office for Civil Rights is really focused on tracking technology vendors,â Rostolsky said.
And while hospitals can at the moment rely on âcertain basic understandings about HIPAA,â Rostolsky said the HHS guidance remains important as it shows âwhere the focus is with the regulators.â
âItâs a good reminder to make sure that your house is in order. Look at your vendors, look at the information your vendors are touching, make sure that youâve got the right agreements with those vendors,â Rostolsky said.
Yet AHA general counsel Chad Golder said the technologies were âextremely valuable technologies for hospitals.â
The technologies allowed hospitals âto provide accurate, reliable healthcare information to communities, whether it was through YouTube videos, translation services, map technologies, ways to surge resources into neighborhoods and communities where they saw a lot of online traffic, looking for certain things like vaccines,â Golder said.
And under the guidance, they had to switch to âless effective, more expensive tools,â Golder said. âHospitals are strapped financially, so every dollar that they spend on these things is a dollar they canât spend on patient care.â
Still, âitâs important for hospitals to not necessarily think that they can do anything that they were doing in the past when it came to tracking technology,â said Jason Johnson, partner in Crowellâs Health Care and Privacy & Cybersecurity Groups
âI donât think from an agency perspective this would do anything to dissuade HHS from continuing to issue guidance or even new rules,â Johnson said.
âI think HHS is likely to find another mechanism,â Johnson said. âThis isnât necessarily sort of a get out of jailâ for hospitals.
Hospitals Get Reprieve on Tech From Court as HHS Weighs Privacy
bgov.com
June 24, 2024 10:18 am
US hospitals should proceed with caution in resuming the use of popular technology that collects user information while the Biden administration weighs a response to a court order greenlighting the practice.
The US Department of Health and Human Services had issued guidance requiring health providers to take extra steps to protect data that third parties could use to identify website users who look up online information about their conditions. Google Analytics, YouTube, and other technologies commonly used by hospitals were among those the HHS had tried limiting through the guidance widely opposed by healthcare providers, according to a person familiar with the industry response.
A federal judge in Texas on Thursday backed the industry, blocking the HHS effort by vacating the guidance and putting the ball back in the agencyâs court for how to respond.
Thursdayâs order âgives hospitals some reprieve from what has clearly always been an over broad guidance,â said Kirk Nahra, co-chair of WilmerHaleâs Big Data Practice and Cybersecurity and Privacy Practice. He said that the HHS could have used its guidance to show hospitals âhow best to approach a very common practice – instead it is using this guidance as a basis for enforcement proceedings.â
The HHS âcreated mass confusion and led hospitals and others to make changes that make it harder for patients to get information and use hospital web sites.â
The decision likely isnât the last action on the guidance. HHS can appeal the ruling to the US Court of Appeals for the Fifth Circuit or release new guidance that fits within the scope of the judgeâs ruling. Another option is proposing a formal regulation, though such a move may prove difficult to implement with the US presidential election only months away.
âThe storyâs not over yet,â said Leon Rodriguez, who led the Obama administration HHSâ Office for Civil Rights. âI have to think that HHS is not going to just sort of say uncle here and leave the issue.â
Controversial Guidance
Authored by Judge Mark T. Pittman of the US District Court for the Northern District of Texas, the decision found that HHS lacked authority to issue its guidance.
That guidance laid out how health providers were to use online tracking technologies without running afoul of the 1996 Health Insurance Portability and Accountability Act, or HIPAA, a move that was targeted by hospital and health groups with litigation.
The case wasnât âreally about HIPAA,â but rather âour nationâs limits on executive power,â wrote Pittman, who was appointed by former President Donald Trump and has been identified as part of an effort for conservatives to âjudge shopâ for challenges to Biden administration policies.
HHS spokespeople didnât immediately respond to a request for comment on the order.
However the HHS ultimately responds to the ruling, it could face resistance.
âThere is this trend in the courts to really dial back agenciesâ ability, not only to get guidance, but even to regulate,â said Rodriguez, pointing to the Supreme Courtâs Loper Bright Enterprises v. Raimondo. A decision in that case is expected by the end of the month and could limit HHS and other agencyâs ability to defend their policies in court.
Some attorneys said that the decision accurately highlights flaws in the HHS guidance.
The guidance was âvery difficult to interpretâ and âunclear and contradictory,â said Linn Freedman, chair of Robinson + Coleâs Data Privacy + Cybersecurity practice. The decision, she said, was validating for hospitals that were struggling with it.
âPeople surf websites for all sorts of reasons, none of which necessarily has to do with their own health. It is impossible for health care entities to know why someone is looking at their website,â Freedman said.
The HHSâs first stab at guidance was through a 2022 bulletin. In 2023, the American Hospital Association and others sued the HHS over the guidance. In March of this year, the agency updated the guidance to assuage the plaintiffsâ concerns, though it wasnât enough to drop the case.
Prior to suing the HHS, the AHA had spent time meeting with the agency to work out a compromise, a person familiar with the meetings said. The negotiations with HHSâs Office of Civil Rights were ultimately unsuccessful, the person said.
Hospital Response
Even though the HHS can no longer enforce its guidance following Thursdayâs order, âadvice across the industryâ has likely remained to proceed with caution, according to Brad M. Rostolsky, member of the Health Care & FDA Practice in Greenberg Traurigâs Philadelphia office.
Likely, the decision âlets folks reset back to pre-original guidance times for the moment, with the caveat that we know that the Office for Civil Rights is really focused on tracking technology vendors,â Rostolsky said.
And while hospitals can at the moment rely on âcertain basic understandings about HIPAA,â Rostolsky said the HHS guidance remains important as it shows âwhere the focus is with the regulators.â
âItâs a good reminder to make sure that your house is in order. Look at your vendors, look at the information your vendors are touching, make sure that youâve got the right agreements with those vendors,â Rostolsky said.
Yet AHA general counsel Chad Golder said the technologies were âextremely valuable technologies for hospitals.â
The technologies allowed hospitals âto provide accurate, reliable healthcare information to communities, whether it was through YouTube videos, translation services, map technologies, ways to surge resources into neighborhoods and communities where they saw a lot of online traffic, looking for certain things like vaccines,â Golder said.
And under the guidance, they had to switch to âless effective, more expensive tools,â Golder said. âHospitals are strapped financially, so every dollar that they spend on these things is a dollar they canât spend on patient care.â
Still, âitâs important for hospitals to not necessarily think that they can do anything that they were doing in the past when it came to tracking technology,â said Jason Johnson, partner in Crowellâs Health Care and Privacy & Cybersecurity Groups
âI donât think from an agency perspective this would do anything to dissuade HHS from continuing to issue guidance or even new rules,â Johnson said.
âI think HHS is likely to find another mechanism,â Johnson said. âThis isnât necessarily sort of a get out of jailâ for hospitals.