The full AHA Lawsuit order can be read here.
The order follows years of criticism from the AHA, who viewed the bulletin as an overextension of executive power that prevented providers from serving their communities via online trackers that improved web experiences.
However, the order was surprisingly narrow in scope.
What does this mean for providers? While the order temporarily excuses broad user identifiers, the requirements of the OCR bulletin remain largely intact.
What the Order Declares an Overreach
The most important takeaway is that the judge’s order only vacates portions of the OCR Bulletin that deal with IP addresses and unauthenticated web pages.
The AHA’s argument rejected the notion of “proscribed combination.” A proscribed combination is a more nuanced way of referring to “unlawful pairings” of IP addresses and health information. In short, it rejected the OCR’s notion that healthcare information paired with an IP address on unauthenticated pages constitutes individually identifiable health information (IIHI).
The AHA alleged that the OCR Bulletin's threshold for individually identifiable health information (IIHI) was overextended. It argued that webpage visits are not always connected to health conditions—for instance, what if someone was browsing for research purposes?
The OCR’s updated March guidance proactively addressed this perspective, acknowledging that “It does not constitute a violation if the webpage is unrelated to an individual’s past, present, or future health, health care, or payment for health care.”
In short, the judge’s order vacates OCR guidance related to tracking technologies that pair IP addresses with activity on unauthenticated web pages.
What Remains Unchanged
The most surprising part of the order is its narrow scope. Rather than rejecting the OCR Bulletin outright, the order left its most challenging parts untouched.
This means that providers must remain vigilant to protect visitor data in the following scenarios:
When Identification is Specific
When third-party trackers collect identifiers that are more specific than an IP address. Popular third-party trackers and ad platforms commonly use device IDs, click IDs, email addresses, or names, and these cannot be sent to organizations with which providers don’t have a business associate agreement (BAA).
When Certain Platforms are Used
When using ad platforms like Google Ads, Google Display Network, Meta Ads, or X Ads. Ad platforms create conversion events by pairing specific user identifiers with explicit intent for services or products. In the realm of healthcare, pairing a person’s identity with the medical services or products they are seeking is a clear violation of HIPAA. As a result, the use of ad platforms remains problematic for healthcare companies, and they must make their ad platforms HIPAA-compliant to avoid fines.
On Authenticated Portals
When individually identifiable healthcare information exists on authenticated websites. This includes tools like patient portals, member portals, or other platforms to which patients can log in.
With Visitor Intent
When webpages have direct correlations to visitor intent. This includes appointment schedulers, symptom checkers, or clinical trial sign-up forms.
More Restrictive Local Laws
When a provider’s state or local privacy laws supersede the OCR guidance. Many state-level laws, such as the California Consumer Privacy Act (CCPA) or Senate Bill 332 in New Jersey, have specific privacy rules that are stricter than the OCR guidance. Even if you aren’t incorporated in one of these states, their rules could apply if you have any patients who reside there. Even if the OCR guidance is eased, following the stricter portions of these rules remains crucial to avoiding fines.
What Could Still Change
The US Department of Health and Human Services (HHS) has several options for responding to the order, so it could certainly change.
The most likely action is for the HHS to appeal. Appeals generally take over eight months from filing to judgment, but a stay could be in effect throughout the process. That would mean the entire OCR Bulletin would remain in effect during the appeal.
What to Do Next
The order's omissions lead us to believe that, rather than going away, most of the OCR Bulletin guidance is here to stay.
What can healthcare providers do to ensure compliance with the new order?
Providers should continue to operate under the assumption that IP addresses are user identifiers that could constitute IIHI when paired with healthcare information. However, at a bare minimum, identifiers like device IDs, click IDs, email addresses, and names must be redacted from third-party trackers with which they don’t have a BAA.
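The redaction step described above can be enforced in the browser before any tracker call leaves the page. The following is an added example written for this post, not code from the AHA, HHS, or any ad platform: it strips click-ID query parameters from page URLs, drops direct-identifier fields, masks email addresses embedded in free text, and applies a simple policy for the scenarios listed earlier (no BAA, authenticated portal, intent-driven page). The parameter names (gclid, fbclid, msclkid, ttclid, dclid), the field names, and the sample payload are assumptions chosen for illustration; a real deployment would align them with the trackers actually in use.

```javascript
// Added example: scrubbing identifiers from a tracker payload before it is sent.
// All parameter and field names below are assumptions for illustration only.

// Click-ID query parameters that ad platforms use to tie a visit to a person (assumed list).
const CLICK_ID_PARAMS = new Set(['gclid', 'fbclid', 'msclkid', 'ttclid', 'dclid']);

// Payload fields treated as direct identifiers. client_ip is included because the post
// advises continuing to treat IP addresses as identifiers (assumed field names).
const DIRECT_IDENTIFIER_FIELDS = new Set([
  'email', 'name', 'first_name', 'last_name', 'phone', 'device_id', 'user_id', 'client_ip',
]);

// Loose email pattern used to mask addresses that leak into free-text fields.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Remove click-ID parameters from a URL, preserving other parameters and the fragment.
function stripClickIds(urlString) {
  const url = new URL(urlString);
  for (const key of [...url.searchParams.keys()]) {
    if (CLICK_ID_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  return url.toString();
}

// Return a copy of the payload with direct identifiers removed, click IDs stripped from
// URL-valued fields, and email addresses masked in string fields. Also reports what was dropped.
function redactTrackerPayload(payload) {
  const redacted = {};
  const removed = [];
  for (const [key, value] of Object.entries(payload)) {
    if (DIRECT_IDENTIFIER_FIELDS.has(key.toLowerCase())) {
      removed.push(key);
      continue;
    }
    if (typeof value === 'string') {
      let cleaned = value;
      if (/^https?:\/\//i.test(cleaned)) cleaned = stripClickIds(cleaned);
      cleaned = cleaned.replace(EMAIL_RE, '[redacted-email]');
      redacted[key] = cleaned;
    } else {
      redacted[key] = value;
    }
  }
  return { payload: redacted, removed };
}

// Policy gate for the scenarios the post lists (assumed encoding, not legal advice):
// - a BAA with the tracker vendor: send, the BAA governs the vendor's handling;
// - no BAA on an authenticated portal or an intent-driven page (scheduler, symptom
//   checker, trial sign-up): block the call entirely;
// - no BAA elsewhere: send only the redacted payload.
function decideTrackerCall(context, payload) {
  if (context.hasBaa) return { action: 'send', payload };
  if (context.authenticated || context.intentPage) return { action: 'block', payload: null };
  return { action: 'redact', payload: redactTrackerPayload(payload).payload };
}

// Constructed sample payload resembling what a page-view beacon might carry.
const samplePayload = {
  event: 'page_view',
  page_location: 'https://example-clinic.test/oncology?gclid=EAIaIQobChMI123&utm_source=google#top',
  email: 'jane.doe@example.test',
  device_id: 'a1b2c3d4',
  note: 'contact jane.doe@example.test for follow-up',
  client_ip: '203.0.113.7',
};

// Stand-alone demonstration.
console.log(JSON.stringify(redactTrackerPayload(samplePayload), null, 2));
console.log(decideTrackerCall({ hasBaa: false, authenticated: true, intentPage: false }, samplePayload).action);
```

In practice the gate runs as a wrapper around the tracker's send call (or inside a tag manager's custom template), so that the unredacted payload is never handed to a vendor without a BAA. Redaction in the browser does not replace a BAA or a data-flow review; it limits what an unvetted tracker can receive when one is nonetheless present.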
Conclusion
While the District Court’s order provides some reprieve by narrowing the scope of the OCR Bulletin concerning IP addresses and unauthenticated web pages, it does not significantly depart from established guidelines.
Healthcare providers must remain vigilant and adaptable, ensuring comprehensive compliance with the remaining provisions of the OCR Bulletin. By continuing to safeguard more specific identifiers and maintaining robust privacy measures on authenticated websites, providers can navigate this evolving regulatory landscape. As the HHS considers its responses, including potential appeals, providers should stay informed on further developments to ensure ongoing adherence to the latest standards.