There’s trouble in Paradise . . . again. The federal government has created a rule that has upset many in the hospital community, resulting in legal action taken by the American Hospital Association (AHA), among other entities. The rule at issue involves the prevention of hospitals from utilizing third-party technologies in connection with hospitals’ webpages. To put it another way, “the rule imposes limitations on the application of common third-party web technologies responsible for capturing IP addresses on sections of publicly accessible web pages for hospitals,” according to a January 8 report in Becker’s Health IT.
Stirring the Pot
According to Becker’s, HHS’ Office for Civil Rights (OCR), along with the Federal Trade Commission (FTC), began sending letters this past July to 66 hospitals and health systems across the country, warning them that their websites may be using disallowed tracking tools. This, no doubt, created quite a stir in the hospital sector, ultimately leading to a decision by the AHA to file suit in November.
The AHA’s position is that the federal agencies have incorrectly held that the collection of online data for advertising and backend operations might constitute a breach of federal health privacy laws. According to Becker’s, the HHS rule comes at a time when “many hospitals and health systems in the U.S. are facing lawsuits that allege third-party tracking tools on their websites and patient portals have been sending patient information to tech giants like Meta and Google.” As of last May, some 18 hospitals or health systems were facing such lawsuits.
On Jan 5, the AHA filed a brief challenging the December 2022 rule issued by the Department of Health and Human Services’ Office for Civil Rights. Again, that rule acts to restrict the use of standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing webpages.
In the “Introduction and Summary” section of its brief in support of a motion for summary judgment in a case before the U.S. District Court for the Northern District of Texas, the AMA asserted the following:
The U.S. Department of Health and Human Services (HHS) has issued a new rule that is flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy. The rule prohibits the use of certain technologies that make healthcare providers’ public webpages more effective in sharing vital information with their communities. In doing so, it exceeds the government’s statutory and constitutional authority, violates the substantive and procedural requirements for agency rulemaking, and injures the very people it purports to protect.
The brief went on to state:
The rule is contrary to law because it restricts the use of information that is not protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Count 1), and it also is final agency action that violates the Administrative Procedure Act (APA) because it provided an arbitrary-and-capricious rationale (Count 2) and failed to go through the notice-and comment process (Count 3). On each of these purely legal claims, Plaintiffs are entitled to summary judgment because there are no genuine disputes of material fact.
This issue is far from being resolved. We have the above-referenced action currently in play, and there are the other lawsuits against hospitals that will have to be adjudicated, as well. As to the case in which the AHA is a party, it might be worth noting that it is before a Texas judicial panel. Interestingly, it has been a Texas federal court that has recently handed the federal government a series of defeats relative to a different legal issue—the No Surprises Act regulations. Though those cases were before the Eastern District of Texas, it would not be surprising to see the Northern District court take a similar pro-provider position. Stay tuned.