AHA, THA sue HHS for overstepping its authority

The biggest U.S. hospital lobbying group on Thursday sued the Biden administration over new guidance barring hospitals and other medical providers from using trackers to monitor users on their websites.

The American Hospital Association (AHA), along with the Texas Hospital Association and two nonprofit Texas health systems, filed a lawsuit against the U.S. Department of Health and Human Services (HHS) in federal court in Fort Worth, Texas. The lawsuit accuses the agency of overstepping its authority when it issued the guidance in December.

The guidance warns healthcare providers that allowing a third-party technology company like Google or Meta to collect and analyze internet protocol (IP) addresses and other information from visitors to their public websites or apps could be a violation of the Health Insurance Portability and Accountability Act (HIPAA). That federal law bans the public disclosure of individuals’ private health information to protect them against discrimination, stigma or other negative consequences.

AHA Deputy General Counsel Chad Golder told Reuters his group, which represents more than 5,000 hospitals nationwide, knows that HHS has instigated several enforcement actions under the guidance. The penalties for violating HIPAA can be hefty, as the fines — which could be in the thousands, according to HHS — would be assessed for each IP address disclosed to a third party, Golder said.

Court records show several hospitals have been hit with proposed class actions that cite the guidance, accusing them of mishandling personal health information through the use of these trackers.

Thursday’s lawsuit seeks a declaration that the information collected by third-party trackers, like Google Analytics or Meta Pixel, is not “individually identifiable health information,” which is protected by HIPAA. It is also asking for a permanent injunction barring HHS from enforcing the guidance.

An spokesperson for HHS’s Office for Civil Rights said the office does not comment on open or potential investigations and litigation.

The guidance addresses the hospitals’ public-facing websites, not patient portals or sites protected by a password. It was issued as a bulletin from the HHS Office of Civil Rights, which said the proliferation of the trackers on healthcare websites can reveal people’s diagnoses, frequency of medical visits and put people at risk of identity theft, discrimination or other consequences. The guidance applies to any healthcare provider covered by HIPAA.

The groups suing to stop the rule say they use these trackers in videos about health conditions, translation tools for website content and mapping technology to help potential patients find their locations. The guidance could force them to remove these tools, which they say would limit the information they can provide to the public.

The lawsuit claims the guidance was put forward without giving medical providers and others in the industry a chance to comment. Golder said his group decided to file the lawsuit after months of stymied efforts to communicate with HHS about the guidance. Reuters