Is OCR Correct That Website Metadata Is Regulated by HIPAA? Chicago Federal Court Asks

Privacy and Data Security

The plaintiff’s bar continues to bring new wiretapping claims over pixels and analytics programs in courts around the country, including against hospitals and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA). This comes, in part, on the heels of the Department of Health and Human Services’ (HHS) December 2022 bulletin on tracking technologies and the more recent joint HHS–Federal Trade Commission (FTC) letter to website and application providers on the subject. The courts are now beginning to discuss how those materials impact litigation against HIPAA-covered entities.

Why This Matters

A federal court in the Northern District of Illinois, ruling on a motion to dismiss wiretapping claims against a Chicago hospital, questioned whether HHS’ bulletin regarding tracking technologies on HIPAA-regulated entities’ websites is correct in the first place. Coupled with the Supreme Court’s recent use of the “major questions” doctrine to reject agencies’ interpretations of their own statutes, it raises the question of whether the fever over website pixels and analytics on health care websites will result in much ado about nothing as federal courts weigh in. Yet the decision, which upholds some claims, also illustrates the critical importance of thoroughly understanding how third-party software operates on a website and the specific language in a website’s terms and conditions and privacy disclosures.

In the Illinois case, the court rejected using the HHS bulletin as a basis for assessing liability under federal wiretapping laws, raising questions about the validity of the guidance. To the court, the HHS bulletin is not entitled to deference because “[a]gency interpretations—such as the HHS guidance—that are arrived at in a less formal manner (i.e., not in the course of rulemaking and adjudication) do not warrant Chevron-style deference.” The court then proceeds to question whether the metadata transmitted through the pixel and analytics software is even individually identifiable health information (IIHI) at all:

The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, “relate[] to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.” 42 U.S.C. § 1320d(6) (emphasis added). The type of metadata that [plaintiff] alleges was transmitted via third-party source code does not in the least bit fit into that category. And while the actual substance of [plaintiff’s] private communications related to her care—like the above-noted MyChart/blood pressure example from Regents—would likely fall under section 1320d(6)’s definition of IIHI, [plaintiff] has failed to plausibly allege that anything of that nature was actually disclosed.

Maybe the answer to whether the HHS guidance is premised on an accurate analysis is yes; maybe it is no. But the question about applicability challenges fundamentals of how websites function these days. Considering the major questions doctrine, did Congress, in enacting HIPAA in 1996 or the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, intend to regulate this type of information? For that matter, did HHS in 2000 when it first adopted the HIPAA Privacy Rule (or 2013 when it amended the Privacy Rule to add the HIPAA Breach Notification Rule)? Courts already have significantly questioned HHS’ interpretation and enforcement of the HIPAA Security Rule when assessing fines (in that case, for having insufficient encryption when the organization, in fact, had implemented a mode of encryption).

Even so, the court upholds claims for breach of contract (premised on statements in the hospital’s website terms and conditions and incorporated privacy disclosures) and for eavesdropping under Illinois law (premised on finding that the eavesdropping is by the third-party organizations and the hospital is deriving a benefit from their use).

For more, see our March 2023 report on the court’s first decision to dismiss the claims in the case.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved