Hospitals Get Reprieve on Tech From Court as HHS Weighs Privacy

June 24, 2024 10:18 am

  • Hospitals not entirely off hook with HHS guidance blocked
  • Health agency could appeal or release new guidance

US hospitals should proceed with caution in resuming the use of popular technology that collects user information while the Biden administration weighs a response to a court order greenlighting the practice.

The US Department of Health and Human Services had issued guidance requiring health providers to take extra steps to protect data that third parties could use to identify website users who look up online information about their conditions. Google Analytics, YouTube, and other technologies commonly used by hospitals were among those the HHS had tried limiting through the guidance widely opposed by healthcare providers, according to a person familiar with the industry response.

A federal judge in Texas on Thursday backed the industry, blocking the HHS effort by vacating the guidance and putting the ball back in the agency’s court for how to respond.

Thursday’s order “gives hospitals some reprieve from what has clearly always been an over broad guidance,” said Kirk Nahra, co-chair of WilmerHale’s Big Data Practice and Cybersecurity and Privacy Practice. He said that the HHS could have used its guidance to show hospitals “how best to approach a very common practice – instead it is using this guidance as a basis for enforcement proceedings.”

The HHS “created mass confusion and led hospitals and others to make changes that make it harder for patients to get information and use hospital web sites.”

The decision likely isn’t the last action on the guidance. HHS can appeal the ruling to the US Court of Appeals for the Fifth Circuit or release new guidance that fits within the scope of the judge’s ruling. Another option is proposing a formal regulation, though such a move may prove difficult to implement with the US presidential election only months away.

“The story’s not over yet,” said Leon Rodriguez, who led the Obama administration HHS’ Office for Civil Rights. “I have to think that HHS is not going to just sort of say uncle here and leave the issue.”

Controversial Guidance

Authored by Judge Mark T. Pittman of the US District Court for the Northern District of Texas, the decision found that HHS lacked authority to issue its guidance.

That guidance laid out how health providers were to use online tracking technologies without running afoul of the 1996 Health Insurance Portability and Accountability Act, or HIPAA, a move that was targeted by hospital and health groups with litigation.

The case wasn’t “really about HIPAA,” but rather “our nation’s limits on executive power,” wrote Pittman, who was appointed by former President Donald Trump and has been identified as part of an effort for conservatives to “judge shop” for challenges to Biden administration policies.

HHS spokespeople didn’t immediately respond to a request for comment on the order.

However the HHS ultimately responds to the ruling, it could face resistance.

“There is this trend in the courts to really dial back agencies’ ability, not only to get guidance, but even to regulate,” said Rodriguez, pointing to the Supreme Court’s Loper Bright Enterprises v. Raimondo. A decision in that case is expected by the end of the month and could limit HHS and other agency’s ability to defend their policies in court.

Some attorneys said that the decision accurately highlights flaws in the HHS guidance.

The guidance was “very difficult to interpret” and “unclear and contradictory,” said Linn Freedman, chair of Robinson + Cole’s Data Privacy + Cybersecurity practice. The decision, she said, was validating for hospitals that were struggling with it.

“People surf websites for all sorts of reasons, none of which necessarily has to do with their own health. It is impossible for health care entities to know why someone is looking at their website,” Freedman said.

The HHS’s first stab at guidance was through a 2022 bulletin. In 2023, the American Hospital Association and others sued the HHS over the guidance. In March of this year, the agency updated the guidance to assuage the plaintiffs’ concerns, though it wasn’t enough to drop the case.

Prior to suing the HHS, the AHA had spent time meeting with the agency to work out a compromise, a person familiar with the meetings said. The negotiations with HHS’s Office of Civil Rights were ultimately unsuccessful, the person said.

Hospital Response

Even though the HHS can no longer enforce its guidance following Thursday’s order, “advice across the industry” has likely remained to proceed with caution, according to Brad M. Rostolsky, member of the Health Care & FDA Practice in Greenberg Traurig’s Philadelphia office.

Likely, the decision “lets folks reset back to pre-original guidance times for the moment, with the caveat that we know that the Office for Civil Rights is really focused on tracking technology vendors,” Rostolsky said.

And while hospitals can at the moment rely on “certain basic understandings about HIPAA,” Rostolsky said the HHS guidance remains important as it shows “where the focus is with the regulators.”

“It’s a good reminder to make sure that your house is in order. Look at your vendors, look at the information your vendors are touching, make sure that you’ve got the right agreements with those vendors,” Rostolsky said.

Yet AHA general counsel Chad Golder said the technologies were “extremely valuable technologies for hospitals.”

The technologies allowed hospitals “to provide accurate, reliable healthcare information to communities, whether it was through YouTube videos, translation services, map technologies, ways to surge resources into neighborhoods and communities where they saw a lot of online traffic, looking for certain things like vaccines,“ Golder said.

And under the guidance, they had to switch to “less effective, more expensive tools,” Golder said. “Hospitals are strapped financially, so every dollar that they spend on these things is a dollar they can’t spend on patient care.”

Still, “it’s important for hospitals to not necessarily think that they can do anything that they were doing in the past when it came to tracking technology,” said Jason Johnson, partner in Crowell’s Health Care and Privacy & Cybersecurity Groups

“I don’t think from an agency perspective this would do anything to dissuade HHS from continuing to issue guidance or even new rules,” Johnson said.

“I think HHS is likely to find another mechanism,” Johnson said. “This isn’t necessarily sort of a get out of jail” for hospitals.