Lawyer: Court decision over website trackers has ‘zero impact on patient privacy’
Just 10 days after filing a notice stating it would appeal a federal court decision that threw out its ban on third-party tracking cookies on hospital websites, the U.S. Department of Health and Human Services (HHS) has backed down.
HHS filed the appeal notice Aug. 19. The agency did not provide a reason for backing down and has not made a public statement.
In 2022, HHS issued a statement decrying third-party web trackers, which share personal information on users with advertisers, such as Google, Facebook and Microsoft. The agency argued these trackers may violate portions of the Health Insurance Portability and Accountability Act (HIPAA), as some of the information they gather is unprotected under law, such as a patient’s identity and diagnosis.
However, several medical groups argued the guidance from HHS was an overreach, ultimately leading to a federal court in Texas overruling the ban this past June. The initial lawsuit was brought by the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System. Several other groups nationwide expressed support for the plaintiffs.
Shaky legal ground
HHS may not have appealed because the court ruling aligns with current HIPAA law. U.S. District Court of Northern Texas Judge Mark Pittman ultimately ruled that patient privacy is not violated by website trackers when they’re used on public websites. Paul Bond, a litigation attorney from Holland & Knight—which specializes in data security and privacy—said he agreed with the judge.
“HHS’s decision not to appeal will have zero impact on patient privacy,” Bond told HealthExec. “Judge Pittman was right: You can’t tell someone is a patient just because they access an informational website maintained by a healthcare provider.”
Bond agreed with the plaintiffs, who reasoned that searching for information on a website cannot be held to the same standard as speaking to a provider, as the motivation and true identity of the user remain largely unknown even if the trackers gather IP addresses and browsing information.
“[Hospital websites] are used by employees and applicants, by friends and family of patients, by researchers and students, and the general public. HHS’s inference that all website visitors were seeking care was, as it turns out, literally indefensible,” Bond argued.
Further, the ruling in Texas federal court was limited in scope. For areas of websites where patients do exchange protected health information (PHI) with providers—such as a patient portal or secure messaging—the HHS ban on third-party trackers remains in effect.
“Patient records are maintained in password-protected patient portals. AHA did not challenge, and Judge Pittman did not vacate, the portion of the Online Tracking Bulletin dealing with tracking inside those patient portals,” Bond said.
It isn’t clear how the partial repeal of the HHS ban will impact pending lawsuits against hospital systems accused of exposing PHI to advertisers, such as a pending case in Florida filed against a physician network.