Lawyer: Court decision over website trackers has ‘zero impact on patient privacy’

Just 10 days after filing a notice stating it would appeal a federal court decision that threw out its ban on third-party tracking cookies on hospital websites, the U.S. Department of Health and Human Services (HHS) has backed down. 

HHS filed the appeal notice Aug. 19. The agency did not provide a reason for backing down and has not made a public statement. 

In 2022, HHS issued a statement decrying third-party web trackers, which share personal information on users with advertisers, such as Google, Facebook and Microsoft. The agency argued these trackers may violate portions of the Health Insurance Portability and Accountability Act (HIPAA), as some of the information they gather is unprotected under law, such as a patient’s identity and diagnosis. 

However, several medical groups argued the guidance from HHS was an overreach, ultimately leading to a federal court in Texas overruling the ban this past June. The initial lawsuit was brought by the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System. Several other groups nationwide expressed support for the plaintiffs. 

Shaky legal ground

HHS may not have appealed because the court ruling aligns with current HIPAA law. U.S. District Court of Northern Texas Judge Mark Pittman ultimately ruled that patient privacy is not violated by website trackers when they’re used on public websites. Paul Bond, a litigation attorney from Holland & Knight—which specializes in data security and privacy—said he agreed with the judge.

“HHS’s decision not to appeal will have zero impact on patient privacy,” Bond told HealthExec. “Judge Pittman was right: You can’t tell someone is a patient just because they access an informational website maintained by a healthcare provider.”

Bond agreed with the plaintiffs, who reasoned that searching for information on a website cannot be held to the same standard as speaking to a provider, as the motivation and true identity of the user remains largely unknown even if the trackers gather IP addresses and browsing information.

“[Hospital websites] are used by employees and applicants, by friends and family of patients, by researchers and students, and the general public. HHS’s inference that all website visitors were seeking care was, as it turns out, literally indefensible,” Bond argued.

Further, the ruling in Texas federal court was limited in scope. For areas of websites where patients do exchange protected health information (PHI) with providers—such as a patient portal or secure messaging—the HHS ban on third-party trackers remains in effect.

“Patient records are maintained in password-protected patient portals. AHA did not challenge, and Judge Pittman did not vacate, the portion of the Online Tracking Bulletin dealing with tracking inside those patient portals,” Bond said. 

It isn’t clear how the partial repeal of the HHS ban will impact pending lawsuits against hospital systems accused of exposing PHI to advertisers, such as a pending case in Florida filed against a physician network.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

When regulating AI-equipped medical devices, the FDA might take a page from the Department of Transportation’s playbook for overseeing AI-equipped vehicles. These run the gamut from assisting human drivers to fully taking the wheel. 

Kit Crancer, RBMA board member, speaks with Radiology Business about key legislative developments on the Hill that will affect the specialty. 

California-based Acutus Medical has said its ongoing agreement to manufacture and distribute left-heart access devices for Medtronic is the company's only source of revenue.