Alert
June 27, 2024

Federal Judge Vacates Health and Human Services Pixel Tracking Guidance

On June 20, 2024, a Texas federal judge ruled that guidance published by the Department of Health and Human Services (the Department) prohibiting covered entities from disclosing information collected by third-party online-tracking technologies on public-facing websites was unlawful. In a matter brought by the American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, the judge ruled that the Department exceeded its authority in issuing such guidance, creating uncertainty as to how pixel tracking and other similar technologies will be regulated in the future.

Pixel Tracking Guidance

The Department issued guidance in late 2022 warning that pixel trackers like Google Analytics and Meta Pixel, which track consumer movement through websites, could violate HIPAA if such information is exposed to third parties, taking the position that such information is considered protected health information (PHI) under HIPAA. The court refers to this data as a “Proscribed Combination,” given that it requires both an individual’s IP address and that individual’s purpose of visiting that website for health-related reasons to be considered PHI. The 2022 guidance immediately sparked concerns about knowing a website visitor’s subjective intent for visiting that website: because one could not know that subjective intent, providers were forced to treat all pixel-tracking data as protected under HIPAA.

Litigation that Followed

The Department’s guidance resulted in a wave of lawsuits and settlements for providers. In November 2023, the American Hospital Association filed a federal lawsuit in an effort to delegitimize the guidance through court action, an effort which garnered wide support within the industry. In March 2024, the Department updated its guidance to soften its language and clarify that whether such data is PHI is a subjective standard. However, this change did not remedy the core concern that a provider has no way of making conclusions about any particular individual using this subjective standard.

The American Hospital Association’s lawsuit focused primarily on two points: that the Department’s guidance created new rules without proper notice and comment, and that those rules attempted to expand HIPAA’s definition of “individually identifiable health information” to include data that was not intended to be covered and thus is not within the Department’s authority to regulate. The judge agreed with this position, noting that requirements for protection of the Proscribed Combination had not been previously announced and that measures to protect such data are not a standard practice among covered entities.

To qualify as “individually identifiable health information” under HIPAA, a data point must identify the individual and be related to that individual’s past, present, or future physical or mental health condition. The court found that the “related to” element is where the Department’s guidance most failed to meet the definition, because the guidance requires covered entities to perform the impossible: to divine the subjective intent of their website visitors. On these grounds, the court vacated the guidance.

What’s Next for Pixel Tracking?

While the federal court ruling is likely to be appealed, health providers can look to this ruling as a hopeful indication that these technologies may continue to be useful without the threat of enforcement by regulators. It will be interesting to see if this ruling also affects enforcement actions by the Federal Trade Commission (FTC) under the FTC Act against healthcare providers using pixel-tracking technology.

Goodwin’s team of attorneys can leverage their deep understanding of HIPAA rules and enforcement to provide the best possible advice for implementing such technologies. Please contact Jonathan Ishee or Michael Paluzzi to learn more.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.