HIPAA / en Tue, 29 Apr 2025 22:45:56 -0500 Thu, 29 Aug 24 14:18:54 -0500 HHS will not appeal AHA court victory in online tracking case /news/headline/2024-08-29-hhs-will-not-appeal-aha-court-victory-online-tracking-case <p>The U.S. Department of Health and Human Services will not appeal its loss in <em>American Hospital Association v. Becerra</em>. The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, last November <a href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer?utm_source=newsletter&utm_medium=emai&utm_campaign=aha-special-bulletin" target="_blank" title="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer" id="menur3hg" rel="noreferrer noopener" aria-label="Link sued HHS">sued HHS</a> to bar enforcement of a new rule adopted in guidance by the Office for Civil Rights titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” which prevented hospitals and health systems from using standard third-party web technologies that capture IP addresses on key portions of their public-facing webpages. A federal district court in the Northern District of Texas <a href="/news/news/2024-06-20-judge-rules-favor-aha-vacating-hhs-online-tracking-bulletin-unlawful-and-beyond-agency-authority?utm_source=newsletter&utm_medium=emai&utm_campaign=aha-special-bulletin" target="_blank" title="/news/news/2024-06-20-judge-rules-favor-aha-vacating-hhs-online-tracking-bulletin-unlawful-and-beyond-agency-authority" id="menur3hi" rel="noreferrer noopener" aria-label="Link June 20">June 20</a> held that the OCR bulletin’s new rule “was promulgated in clear excess of HHS’s authority under HIPAA.” HHS Aug. 
29 officially <a href="https://sponsors.aha.org/rs/710-ZLL-651/images/Final%20Motion%20to%20Dismiss%20AHA%20v.%20Becerra%20Filed.pdf?version=0" target="_blank" title="https://sponsors.aha.org/rs/710-zll-651/images/final%20motion%20to%20dismiss%20aha%20v.%20becerra%20filed.pdf?version=0" id="menur3hk" rel="noreferrer noopener" aria-label="Link withdrew">withdrew</a> its notice of appeal, finalizing the AHA's victory in this case.</p><p>In a statement shared with the media, AHA General Counsel Chad Golder said, “The American Hospital Association is pleased that the Office for Civil Rights has decided not to appeal the district court’s decision vacating the new rule adopted in its Online Tracking Technologies Bulletin. As the AHA repeatedly explained to OCR — both before and after OCR forced the AHA to file its lawsuit — this rule was a gross overreach by the federal government, imposed without any input from healthcare providers or the general public. Now that the Bulletin’s illegal rule has been vacated once and for all, hospitals can safely share reliable, accurate health care information with the communities they serve without the fear of federal civil and criminal penalties.”</p><p>Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in the lawsuit.</p> Thu, 29 Aug 2024 14:18:54 -0500 HIPAA Opinion & Order In American Hospital Association, Et Al v Xavier Becerra, Et Al /legal-documents/2024-06-29-opinion-order-american-hospital-association-et-al-v-xavier-becerra-et-al <p class="text-align-center"><strong>UNITED STATES DISTRICT COURT</strong><br><strong>FOR THE NORTHERN DISTRICT OF TEXAS</strong><br><strong>FORT WORTH DIVISION</strong><br> </p><p>AMERICAN HOSPITAL ASSOCIATION,<br>ET AL.,<br>Plaintiffs,<br><br>v.                                                        No. 
4:23-cv-01110-P<br><br>XAVIER BECERRA, ET AL.,<br>Defendants.<br> </p><p class="text-align-center"><strong>OPINION & ORDER</strong></p><p>Before the Court are cross-motions for summary judgment. ECF Nos. 24, 50. Having considered the motions, briefs, and applicable law, the Court GRANTS in part and DENIES in part Plaintiffs’ motion (ECF No. 24) and DENIES Defendants’ motion (ECF No. 50).</p><p class="text-align-center"><strong>BACKGROUND</strong></p><p>Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”) in 1996 because health information needed more protections and the world needed more acronyms. HIPAA seeks to “assure that individuals’ health information is properly protected” while “allowing the flow of health information needed to provide and promote high quality healthcare.” The Department of Health and Human Services (“HHS”) enforces this mandate. Violations are reported to HHS’s Office for Civil Rights (“OCR”), who investigates reports and recommends corrective action. This case involves HIPAA’s confidentiality protections (the “Privacy Rule”) for “protected health information” (“PHI”). More specifically, the case concerns the Rule’s applicability to one subset of PHI: “individually identifiable health information” (“IIHI”). 
HIPAA defines IIHI as information that (1) “relates to” an individual’s healthcare and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” </p><p>View the detailed order below.</p> Sat, 29 Jun 2024 17:20:00 -0500 HIPAA Judge rules in favor of AHA vacating HHS online tracking ‘bulletin’ as unlawful and beyond agency authority /news/news/2024-06-20-judge-rules-favor-aha-vacating-hhs-online-tracking-bulletin-unlawful-and-beyond-agency-authority <p>A United States District Court Judge in Texas today <a href="/system/files/media/file/2024/06/opinion-order-in-aha-et-al-v-xavier-becerra-et-al-6-20-2024.pdf">ruled</a> in favor of the AHA, Texas Hospital Association, and hospital plaintiffs, agreeing that Department of Health and Human Services “bulletins” that restrict health care providers from using standard third-party web technologies that capture IP addresses on portions of their public-facing webpages were unlawful final rules and vacating the March 2024 Revised Bulletin.</p><p>“It’s easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance,” United States District Court Judge Mark Pittman wrote today. “But this case isn’t really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power.
  While the Proscribed Combination may be trivial to HHS, it isn’t for covered entities diligently attempting to comply with HIPAA’s requirements.
  The Court <strong>GRANTS </strong>the Hospitals’ request for declaratory judgment and <strong>DECLARES </strong>that the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is <strong>UNLAWFUL</strong>, as it was promulgated in clear excess of HHS’s authority under HIPAA.”</p><p>The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, last November <a href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer">sued</a> the federal government to bar enforcement of an unlawful rule, masquerading as guidance, that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their own website traffic to enhance access to care and public health. In response to the lawsuit, HHS OCR in March issued updated guidance for HIPAA-covered entities and business associates on using online tracking technologies. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in today’s ruling.</p><p>AHA General Counsel Chad Golder stated, “For more than a year, the AHA has been telling the Office for Civil Rights that its ‘Online Tracking Bulletin’ was both unlawful and harmful to patients and communities. 
We regret that we were forced to sue OCR, but we are pleased that the Court today agreed with the AHA and held that OCR does not have ‘interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text.’ As a result of today’s decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information.”</p><p>Seventeen state hospital associations and 30 hospitals and health systems filed friend-of-the-court briefs supporting AHA and its co-plaintiffs in this lawsuit.</p> Thu, 20 Jun 2024 17:36:18 -0500 HIPAA OCR finalizes rule prohibiting certain reproductive health care disclosures /news/headline/2024-04-22-ocr-finalizes-rule-prohibiting-certain-reproductive-health-care-disclosures <p>The Department of Health & Human Services’ Office for Civil Rights April 22 released a <a href="https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-support-reproductive-health-care-privacy.pdf" target="_blank">final rule</a> prohibiting entities regulated by the HIPAA Privacy Rule from using or disclosing protected health information to investigate or prosecute patients, providers or others involved in providing legal reproductive health services. The rule requires covered entities to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes. As <a href="/lettercomment/2023-05-22-aha-letter-ocr-hipaa-privacy-rule-online-tracking-guidance" target="_blank">requested</a> by the AHA, the final rule makes clear that hospitals can rely on the attestation and are not required to investigate the validity of an attestation provided by a person requesting a use or disclosure of PHI.</p><p>The rule will take effect 60 days after publication in the Federal Register and require covered entities to comply within 240 days. 
As requested by the AHA, OCR plans to issue a model attestation form before the compliance date.</p> Mon, 22 Apr 2024 14:54:07 -0500 HIPAA Cassidy proposes ways to strengthen health data privacy /news/headline/2024-02-21-cassidy-proposes-ways-strengthen-health-data-privacy <p>Senate Health, Education, Labor & Pensions Committee Ranking Member Bill Cassidy, R-La., Feb. 21 released a <a href="https://www.help.senate.gov/imo/media/doc/privacy_report.pdf" target="_blank">report</a> proposing ways to modernize the existing HIPAA framework and protect health and other data not covered by HIPAA. Responding to Cassidy’s <a href="https://www.help.senate.gov/ranking/newsroom/press/ranking-member-cassidy-seeks-information-from-stakeholders-on-improving-americans-health-data-privacy" target="_blank">request for information</a> on the issue last year, AHA <a href="/news/headline/2023-09-28-aha-responds-requests-stakeholder-input-health-data-privacy-ai" target="_blank">asked</a> Congress to urge the Department of Health and Human Services’ Office for Civil Rights to immediately withdraw a rule that would violate HIPAA and its implementing regulations; explore how to better require entities not covered by HIPAA to protect patient privacy; and strengthen HIPAA preemption.</p> Wed, 21 Feb 2024 15:35:17 -0600 HIPAA NIST updates HIPAA cybersecurity resource guide  /news/headline/2024-02-16-nist-updates-hipaa-cybersecurity-resource-guide <p>The National Institute of Standards and Technology this week released <a href="https://csrc.nist.gov/pubs/sp/800/66/r2/final">updated guidance</a> to help HIPAA-covered entities and business associates assess and manage cybersecurity risks to electronic protected health information and comply with the HIPAA security rule. 
The Department of Health and Human Services’ Office for Civil Rights collaborated with NIST on the guidance, last updated in 2008, which identifies activities that a regulated entity might consider implementing as part of an information security program and resources to help in complying with the HIPAA security rule. </p> Fri, 16 Feb 2024 15:05:01 -0600 HIPAA HHS Finalizes Changes to Information-sharing Requirements for Addiction Treatment <div class="container"><div class="row"><div class="col-md-8"><p>The Department of Health and Human Services’ (HHS) Office for Civil Rights and the Substance Abuse and Mental Health Services Administration Feb. 8 <a href target="_blank" title="Modifications">finalized</a> modifications of certain provisions of part 2 of title 42 of the Code of Federal Regulations, commonly known as 42 CFR Part 2 (or Part 2), to align requirements for patient records regarding treatment for substance use disorder (SUD) with those in effect under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.</p><p>These modifications were required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020; other provisions, while not expressly required by the CARES Act, seek to improve or clarify existing regulations in the spirit of the legislation’s intent. 
Even before the legislation’s passage, AHA, along with the Partnership to Amend 42 CFR Part 2, has for several years advocated for these changes.</p><p>The modifications update and add new patient rights regarding consent and redisclosure of patient records, prohibitions on discrimination and filing complaints; streamline requirements for patient consent for use and disclosure of Part 2 records; and create within HHS new enforcement authority.</p><h2>AHA TAKE</h2><p>In a statement, Ashley Thompson, AHA’s senior vice president for public policy analysis and development, said, “America’s hospitals and health systems care for individuals with substance use disorders every day, from reversing overdoses in emergency departments to providing counseling and recovery services to connecting patients with critical resources in their communities. The proposals in this rule would substantially improve hospitals’ and health systems’ ability to provide safer, better coordinated care to patients with substance use disorder through vital information sharing.</p><p>“The AHA appreciates the Administration taking necessary steps to align different federal requirements such that health care providers can more easily share important patient information while protecting patients’ rights, including their privacy. However, the rule can only go so far given limits in the law. 
We urge the Administration to work with Congress to update the statutory framework to allow for more meaningful integration of behavioral and physical health care.”</p><h2>WHAT YOU CAN DO</h2><ul><li>Share this bulletin with the appropriate members of your leadership team.</li><li>Review <a href="/topics/42-cfr-part-2-confidentiality-regulations-sud" target="_blank" title="2020 Letter to HHS">previous work</a> from AHA on 42 CFR Part 2, including our 2020 <a href="/lettercomment/2020-04-28-aha-others-urge-hhs-expedite-revising-rule-42-cfr-part-2-provisions-cares" target="_blank" title="2020 letter to HHS">letter</a> to HHS regarding implementation of the related CARES Act provisions.</li></ul><h2>SUMMARY OF MAJOR PROVISIONS</h2><p>In this rule, HHS finalizes revisions, deletions, replacements and additions to regulatory language to the Part 2 regulations to align them with those under HIPAA, as well as to improve clarity or readability.</p><p>The following summarizes the substantive changes to rights or requirements but excludes provisions that make editorial or typographical updates rather than policy changes.</p><p><strong>Definitions</strong>. HHS adds 13 defined regulatory terms and modifies the definitions of several existing terms referenced in the Part 2 regulations. Most of these terms and definitions will now be based on existing HIPAA regulatory terms and definitions; others will be modified for clarity and consistency. Generally, the agency defines “HIPAA” and “HIPAA regulations” as encompassing statutory and regulatory provisions pertaining to privacy, security, breach notification and enforcement standards with respect to protected health information only; the definition excludes other HIPAA standards not relevant to the rule (e.g., standard electronic transitions or code sets).</p><p>In the final rule, HHS creates a new definition for a SUD clinician’s notes that makes them subject to the same protections under HIPAA as for psychotherapy notes. 
This will require that SUD counseling notes be separated from the rest of the Part 2 and/or medical record and afforded additional privacy protection.</p><p><strong>Patient Rights</strong>. To protect against inappropriate use or disclosure of Part 2 records, HHS adopts new patient rights, restrictions on redisclosures and protections against use of Part 2 records in legal proceedings. Specifically, the department:</p><ul><li>Creates the right to an accounting of disclosures using a standard that mirrors the HIPAA Privacy Rule.</li><li>Creates the right to request restrictions on otherwise permitted disclosures.</li><li>Requires Part 2 programs establish a process to receive complaints of Part 2 violations, prohibit these programs from taking adverse action against patients who file complaints, and prohibit these programs from requiring individuals to waive their right to file a complaint as a condition of service.</li><li>Expands and clarifies prohibitions on the use of Part 2 records in legal proceedings without court order or patient consent.</li></ul><p>In the final rule, HHS adopts additional requirements related to patient consent, including provisions that:</p><ul><li>Permit a person to file a complaint directly to the secretary for a violation by a Part 2 program (as is allowed under HIPAA). 
This provision was not in the proposed rule, but the department states that it intended to propose it and it was erroneously omitted.</li><li>Prohibit combining patient consent for use and disclosure of records for civil, criminal, administrative or legislative proceedings with patient consent for any other use or disclosure.</li><li>Require separate patient consent for the use and disclosure of SUD counseling notes.</li><li>Require that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of consent.</li><li>Create a new right for patients to opt out of receiving fundraising communications from their Part 2 program.</li></ul><p><strong>Consent for Redisclosure</strong>. HHS finalizes streamlined requirements to obtain patient consent to disclose Part 2 records. Specifically, the agency will permit:</p><ul><li>Part 2 programs to use and disclose Part 2 records for the purposes of all future treatment, payment and health care operations (TPO) based on a single patient consent, rather than obtaining consent upon each disclosure (patients have the right to revoke this consent in writing).</li><li>Redisclosure of Part 2 records in any manner permitted under the HIPAA Privacy Rule (with some exceptions).</li></ul><p>In the final rule, the department also finalizes the addition of an express statement that segregation of records received by a Part 2 program, covered entity or business associate under a consent for TPO is not required. This does not represent a change in the law, but rather a clarification that Part 2 programs that receive records with consent do not have to maintain separate records pertaining to a patient’s SUD treatment.</p><p><strong>Enforcement</strong>. The agency will extend enforcement mechanisms created and implemented through HIPAA and the Health Information Technology for Economic Clinical Health (HITECH) Act to Part 2 noncompliance. 
Specifically, HHS creates enforcement authority for itself to impose civil monetary penalties for instances of noncompliance.</p><p><strong>Standards</strong>. HHS also finalizes proposals to apply existing standards under HIPAA and HITECH to Part 2 programs, including standards for:</p><ul><li>Breach notification.</li><li>Patient notice of confidentiality.</li><li>De-identification of data for research.</li></ul><p>The department did not finalize updates to Notice of Privacy Practices under HIPAA to address uses and disclosures of Part 2 records but states that it intends to do so in a future HIPAA final rule.</p><p><strong>Effective and Compliance Dates</strong>. Finalized provisions will be effective 60 days after the publication of the final rule. However, the compliance date — the date by which entities subject to the rule must establish and implement policies and practices to achieve compliance — will not occur until 24 months after the publication of the final rule. In other words, compliance with finalized provisions is not required until February 2026.</p><h2>FURTHER QUESTIONS</h2><p>If you have further questions, please contact Caitlin Gillooley, AHA’s director of behavioral health and quality policy, at <a href="mailto:cgillooley@aha.org" target="_blank">cgillooley@aha.org</a> or 202-626-2267.</p></div><div class="col-md-4"><div><a class="btn btn-wide btn-primary" href="/system/files/media/file/2024/02/hhs-finalizes-changes-to-information-sharing-requirements-for-addiction-treatment-bulletin-2-9-2024.pdf">Download the Special Bulletin PDF</a></div><p> </p><p><a href="/system/files/media/file/2024/02/hhs-finalizes-changes-to-information-sharing-requirements-for-addiction-treatment-bulletin-2-9-2024.pdf"><img src="/sites/default/files/2024-02/cover-hhs-finalizes-changes-to-information-sharing-requirements-for-addiction-treatment-bulletin-2-9-2024.png" data-entity-uuid data-entity-type="file"></a></p></div></div></div> Fri, 09 Feb 2024 15:05:03 -0600 HIPAA 
Case Complaint: AHA, THA, THR, United Health Care System v. Rainer /legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer <div class="container"> <div class="row"> <div class="col-md-8"> <p><strong>IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF TEXAS FORT WORTH DIVISION</strong></p> <div class="row"> <div class="col-md-6"> <p>AMERICAN HOSPITAL ASSOCIATION; TEXAS HOSPITAL ASSOCIATION; TEXAS HEALTH RESOURCES; UNITED REGIONAL HEALTH CARE SYSTEM,</p> <p>Plaintiffs,</p> <p>v.</p> <p>MELANIE FONTES RAINER, IN HER OFFICIAL CAPACITY AS DIRECTOR OF OFFICE FOR CIVIL RIGHTS, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES; XAVIER BECERRA, IN HIS OFFICIAL CAPACITY AS SECRETARY OF U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES; UNITED STATES OF AMERICA,</p> <p>Defendants.</p> </div> <div class="col-md-1"> <p>|<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |<br> |</p> </div> <div class="col-md-5"> <p>NO.</p> </div> </div> <p><strong>COMPLAINT</strong></p> <div class="row"> <div class="col-md-6"> <p>Jonathan D. Guynn (TX 24120232)<br> JONES DAY<br> 2727 N. Harwood St., Ste. 500<br> Dallas, Texas 75201<br> (214) 220-3939<br> (214) 969-5100 (fax)<br> jguynn@jonesday.com</p> </div> <div class="col-md-6"> <p>Hashim M. Mooppan* (DC 981758)<br> Rebekah B. Kcehowski* (PA 90219)<br> Jack L. Millman* (NY 5517180)<br> Audrey Beck* (DC 1739917)<br> JONES DAY<br> 51 Louisiana Ave., N.W.<br> Washington, D.C. 
20001<br> (202) 879-3939<br> (202) 626-1700 (fax)<br> hmmooppan@jonesday.com<br> rbkcehowski@jonesday.com<br> jmillman@jonesday.com<br> abeck@jonesday.com<br> * <em>Pro hac vice application forthcoming</em></p> </div> </div> <p><em>Counsel for Plaintiffs</em></p> </div> <div class="col-md-4"> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer" target="_blank" title="Click here to download the Case Complaint: AHA, THA, THR, United Health Care System v. Rainer PDF.">Download the Case Complaint PDF</a></div> <div class="panel module-typeC"> <div class="panel-heading"> <h3 class="panel-title">Related Resources</h3> </div> <div class="panel-body"> <ul> <li><a href="/legal-documents/2023-11-02-lawsuit-challenges-federal-rule-ties-providers-hands-efforts-reach-their-communities">Lawsuit Overview</a></li> <li><a href="/press-releases/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands-their">Press Release</a></li> <li><a href="/special-bulletin/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands">Special Bulletin</a></li> <li><a href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer">Case Complaint</a></li> <li><a href="/legal-documents/2023-11-02-case-explainer-american-hospital-association-v-rainer">Case Explainer</a></li> <li><a href="/frequently-asked-questions-faqs/2023-11-02-myth-vs-fact-hhs-ocr-online-tracking-rule">Myth vs. Fact Document</a></li> </ul> </div> </div> </div> </div> <div class="row"> <div class="col-md-8"> <h2>Introductions and Summary</h2> <p>1. 
The American Hospital Association and the Texas Hospital Association (Associations), along with Texas Health Resources and United Regional Health Care System (Hospitals), bring this action because the federal government is threatening to enforce against hospitals and health systems a new rule that is flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy. The rule, promulgated by the U.S. Department of Health and Human Services (HHS), prohibits the use of certain technologies that make healthcare providers’ public webpages more effective in sharing vital information with the community. Yet even as HHS is actively enforcing this new rule against hospitals across the country, the federal government’s own healthcare providers continue to use these purportedly prohibited technologies on their websites. A gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it, the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect. The Court should bar the rule’s enforcement.</p> <p>2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations “strike[] a balance.” <em>Summary of the HIPAA Privacy Rule,</em> U.S. Dep’t of Health & Hum. Servs, https://perma.cc/MCG3-QFHX. The law “protect[s] the privacy of people who seek care and healing,” while “permit[ting] important uses of information.” <em>Id.; see id.</em> (“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.”).</p> <p>3. Hospitals and health systems have long honored the balance HIPAA strikes. 
They take seriously their obligation to safeguard the privacy of patient records and billing statements. At the same time, they have embraced the federal government’s support for sharing non-private health-related information on their publicly accessible webpages that neither require nor request patients to enter login information for user authentication (an Unauthenticated Public Webpage).</p> <p>4. Now more than ever, the federal government has called on hospitals and health systems to combat “[h]ealth misinformation”—something the U.S. Surgeon General recently described as a “serious threat to public health.” V. Murthy, <em>Confronting Health Misinformation</em> (2021), https://perma.cc/YD2V-4QJE. While always working to protect private patient information, hospitals and health systems are keenly aware of their obligation to fulfill the other side of the HIPAA balance by “shar[ing] accurate health information with the public.” <em>Id.; see generally Understanding Some of HIPAA’s Permitted Uses and Disclosures,</em> U.S. Dep’t of Health & Hum. Servs, https://perma.cc/N7FC-DTW8 (“Information is essential fuel for the engine of health care. Physicians, medical professionals, hospitals and other clinical institutions generate, use and share it to provide good care to individuals, to evaluate the quality of care they are providing, and to assure they receive proper payment from health plans.
 The capability for relevant players in the health care system – including the patient – to be able to quickly and easily access needed information to make decisions, and to provide the right care at the right time, is fundamental to achieving the goals of health reform.”).</p> <p>5. As part of these information-sharing efforts, many hospitals and health systems use third-party technologies to enhance their websites, including in the following ways:</p> <ul> <li><strong>Analytics tools</strong> convert web users’ interactions with hospital webpages into critical data, such as the level and concentrations of community concern on particular medical questions, or the areas of a hospital website on which people have trouble navigating. Website data analytics can tell a hospital how many IP addresses in the past month looked for information about, say, RSV vaccines or diabetes treatment in a particular area, which in turn allows hospitals to more effectively allocate their medical and other resources. These tools also help hospitals ensure that their public-facing webpages are user-friendly, helping community members to more easily navigate to healthcare information so that they can better manage their healthcare. 
For instance, hospitals can improve the functionality of their websites’ design so that they deliver a maximally seamless experience for individuals with disabilities, facilitating compliance with the Americans With Disabilities Act.</li> <li><strong>Video technologies</strong> allow hospitals to offer a wide range of information to the public, including videos that educate the community about particular health conditions and that allow visitors to virtually tour the facilities where particular procedures are performed.</li> <li><strong>Translation technologies</strong> help non-English speakers access vital healthcare information on hospitals’ webpages.</li> <li><strong>Map and location technologies</strong> provide better information about where healthcare services are available, including embedded applications that provide bus schedules or driving directions to and from a community member’s location.</li> </ul> <p>6. Third-party technologies like these, which typically rely on a visitor’s IP address to function, enable hospitals and health systems to hone their websites’ functionality and the helpfulness of their information. Just as crucially, these technologies allow hospitals and health systems to adjust and publicize information and services in response to public need and thereby improve public health, all without compromising the HIPAA balance.</p> <p>7. In December 2022, however, the Office for Civil Rights (OCR) in HHS precipitously upended the balance that HIPAA and its regulations strike between privacy and information-sharing. Without consulting healthcare providers, third-party technology vendors, or the public at large, the agency issued a sub-regulatory guidance document that has had profound effects on hospitals, health systems, and the communities they serve. <em>See Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates</em> (Bulletin), https://perma.cc/58V6-NTMG.</p> <p>8. 
In that bolt-from-the-blue “Bulletin,” OCR took the position that when an online technology connects (1) an individual’s IP address with (2) a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers, that combination of information (the Proscribed Combination) is subject to restrictions on use and disclosure under HIPAA. For example, if a public-health researcher used her personal computer to search a hospital’s webpage for the availability of dialysis appointments, the technology’s combination of (1) the researcher’s IP address and (2) the visit to a page addressing dialysis appointments would, according to the Bulletin, be subject to HIPAA’s requirements. So too if the technology combined (1) the IP address of an individual who used his personal computer on behalf of an elderly neighbor (2) to read a hospital’s webpage with information about the onset of Alzheimer’s disease.</p> <p>9. Remarkably, it appears that OCR issued the Bulletin without even consulting the federal government’s own website operators, because agencies that are covered entities under HIPAA themselves use the same third-party technologies on their webpages and create the Proscribed Combination. As one of many possible examples, web browser inspection and source tools show that, among other technologies, third-party analytics and advertising tools are present on Veterans Health Administration webpages addressing specific health conditions and healthcare providers, including but not limited to a page describing the symptoms of post-traumatic stress disorder and pointing veterans to treatment resources:</p> <p><img alt="U.S. Department of Veterans Affairs website screencap with red boxes added for emphasis." 
data-entity-type="file" data-entity-uuid="6e2c6f6d-cbaa-4e01-85eb-274800da9201" src="/sites/default/files/inline-images/US-Department-of-Veterans-Affairs-website-screencap-with-red-highlights_0.png" width="796" height="522"></p> <p><em>See, e.g., Mental Health,</em> U.S. Dep’t of Veterans Affairs, mentalhealth.va.gov/ptsd/index.asp (last visited Oct. 31, 2023) (red boxes added for emphasis).</p> <p><strong><em><a href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer">Read the entire case complaint.</a></em></strong></p> </div> <div class="col-md-4"> <p><a href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer" target="_blank" title="Click here to download the Case Complaint: AHA, THA, THR, United Health Care System v. Rainer PDF."><img alt="Case Complaint: AHA, THA, THR, United Health Care System v. Rainer page 1." data-entity-type="file" data-entity-uuid="86e9eb85-58ab-4177-bd94-f32f75a79797" src="/sites/default/files/inline-images/Page-1-Case-Complaint-AHA-THA-THR-United-Health-Care-System-v-Rainer.png" width="695" height="900"></a></p> </div> </div> </div> Thu, 02 Nov 2023 10:01:13 -0500 HIPAA Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands /press-releases/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands-their <div class="container"> <div class="row"> <div class="col-md-8"> <p><strong>WASHINGTON</strong> (November 2, 2023) — The American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, today sued the federal government to bar enforcement of an unlawful, harmful, and counterproductive rule that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.</p> 
<p>“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites. We cannot understand why HHS created this ‘rule for thee but not for me,’” <strong>said Rick Pollack, AHA President and CEO.</strong></p> <p>Today’s lawsuit challenges a “Bulletin” issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) entitled, <em>“Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”</em> This December 2022 “Bulletin” restricts hospitals from using standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing webpages that address health conditions or health care providers. For example, under HHS’ new rule, if someone visited a hospital website on behalf of her elderly neighbor to learn more about Alzheimer’s disease, a hospital’s use of any third-party technology that captures an IP address from that visit would expose that hospital to federal enforcement actions and significant civil penalties.</p> <p>“Simply put, OCR’s new rule harms the very people it purports to protect,” <strong>Pollack said.</strong> “The federal government’s repeated threats to enforce this unlawful rule tie hospitals’ hands as trusted messengers of reliable health care information.”</p> <p>Hospitals and health systems have long honored the core objectives of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), America’s primary health care privacy law. 
Congress enacted this law to strike a balance between protecting patients’ health information and ensuring the flow of information needed to provide communities with high quality care. The Bulletin, which HHS issued without consulting health care providers, third-party technology vendors, or the public at large, upsets HIPAA’s careful balance, preventing hospitals from using commonplace web technologies to analyze use of their websites and communicate effectively with the populations they serve.</p> <p>As alleged in the Complaint, HHS’ Medicare.gov, the Department of Defense Military Health System and Defense Health Agency, and various U.S. Veterans Health Administration sites continue to use these third-party technologies despite being covered entities under HIPAA. For example, forensic tools revealed that the Veterans Health Administration uses analytics and advertising tools on a wide range of sites, including online resources that describe the symptoms of post-traumatic stress disorder and point veterans to available treatment options. 
While dozens of hospitals across the country have received enforcement threats, and hospitals are currently under active investigation by OCR, the federal government has not halted its own use of these vital tools.</p> <p>Web tools that are ineffective without access to IP-address information include:</p> <div class="row"> <div class="col-md-2"> <p><img alt="Analytics software icon" data-entity-type="file" data-entity-uuid="d94eecc2-1698-4e1a-8392-ca1d38143b56" src="/sites/default/files/inline-images/analytics-software-icon.png" width="72" height="72" class="align-right"></p> </div> <div class="col-md-10"> <p><strong>Analytics software</strong> that converts interactions with hospital web pages into critical data, such as the level and concentration of community concern on particular medical questions or the areas of a hospital website on which people have trouble navigating.</p> </div> </div> <div class="row"> <div class="col-md-2"> <p><img alt="Video technologies icon" data-entity-type="file" data-entity-uuid="c99d2b86-1923-4d0f-a4bf-6bb3127657ca" src="/sites/default/files/inline-images/video-technologies-icon.png" width="72" height="72" class="align-right"></p> </div> <div class="col-md-10"> <p><strong>Video technologies</strong> that allow hospitals to offer a wide range of information and education materials to the public, including visuals that educate the community about particular health conditions and that allow visitors to virtually tour the facilities where particular procedures are performed.</p> </div> </div> <div class="row"> <div class="col-md-2"> <p><img alt="Translation and accessibility services icon" data-entity-type="file" data-entity-uuid="466059d6-72d8-42e1-b590-20405682a5ff" src="/sites/default/files/inline-images/translation-and-accessibility-service-icon.png" width="72" height="72" class="align-right"></p> </div> <div class="col-md-10"> <p><strong>Translation and accessibility services</strong> that help persons with limited English 
proficiency and people with disabilities access vital health care information on hospitals’ webpages.</p> </div> </div> <div class="row"> <div class="col-md-2"> <p><img alt="Digital maps icon" data-entity-type="file" data-entity-uuid="ef38859b-c02a-4e39-9532-f9a8d52711e2" src="/sites/default/files/inline-images/digital-maps-icon.png" width="72" height="72" class="align-right"></p> </div> <div class="col-md-10"> <p><strong>Digital maps</strong> that provide information about where health care services are available, including embedded applications that provide public transportation schedules or driving directions to and from a community member’s location.</p> </div> </div> <p>The suit alleges that HHS’s new rule exceeds its statutory authority under HIPAA. That statute allows hospitals to rely on third-party tools that capture IP address information because that information cannot reasonably be used to identify the individual whose health care relates to the webpage visit. By reaching beyond the law to restrict use of these common tools on public-facing webpages, OCR exceeded its statutory authority. In addition to exceeding its statutory authority under HIPAA, the suit alleges that OCR unlawfully issued this Bulletin without providing any reasoning supporting its novel legal assertions, without acknowledging the government’s own use of implicated third-party technologies, and without following required notice-and-comment rulemaking processes. Prior to issuing this rule, the federal government did not consult with hospitals and health systems about their use of third-party technologies that depend on the collection of IP addresses or the impact that its new rule would have on patients or communities. Instead, the agency began aggressively threatening regulatory enforcement and serious civil penalties against hospitals and health systems. 
After attempts to engage with HHS officials to educate them about the impact of their new rule, the AHA determined it was necessary to file suit on behalf of its members to prevent the agency from unlawfully penalizing hospitals.</p> <p>For additional information about the lawsuit, a copy of the complaint can be found on AHA’s webpage.</p> <div class="row"> <div class="col-md-1"> <p>Contact:</p> </div> <div class="col-md-11"> <p>Colin Milligan, <a href="mailto:cmilligan@aha.org?subject=Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands in Their Efforts to Reach the Communities They Serve">cmilligan@aha.org</a><br> Colleen Kincaid, <a href="mailto:ckincaid@aha.org?subject=Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands in Their Efforts to Reach the Communities They Serve">ckincaid@aha.org</a></p> </div> </div> <p>###</p> <h2>About the American Hospital Association</h2> <p>The American Hospital Association (AHA) is a not-for-profit association of health care provider organizations and individuals that are committed to the health improvement of their communities. The AHA advocates on behalf of our nearly 5,000 member hospitals, health systems and other health care organizations, our clinician partners – including more than 270,000 affiliated physicians, 2 million nurses and other caregivers – and the 43,000 health care leaders who belong to our professional membership groups. Founded in 1898, the AHA provides insight and education for health care leaders and is a source of information on health care issues and trends.</p> <h2>About the Texas Hospital Association</h2> <p>Founded in 1930, the Texas Hospital Association (THA) is the leadership organization and principal advocate for the state’s hospitals and health care systems. Based in Austin, THA enhances its members’ abilities to improve accessibility, quality and cost-effectiveness of health care for all Texans. 
One of the largest hospital associations in the country, THA represents 452 of the state’s non-federal general and specialty hospitals and health care systems, which employ some 400,000 health care professionals statewide.</p> <h2>About Texas Health Resources</h2> <p>Texas Health Resources is a faith-based, nonprofit health system that cares for more patients in North Texas than any other provider. With a service area that consists of 16 counties and more than 7 million people, the system is committed to providing quality, coordinated care through its Texas Health Physicians Group and 29 hospital locations under the banners of Texas Health Presbyterian, Texas Health Arlington Memorial, Texas Health Harris Methodist and Texas Health Huguley. Texas Health access points and services, ranging from acute-care hospitals and trauma centers to outpatient facilities and home health and preventive services, provide the full continuum of care for all stages of life. The system has more than 4,100 licensed hospital beds, 6,400 physicians with active staff privileges and more than 29,000 employees.</p> <h2>About United Regional Health Care System</h2> <p>United Regional Health Care System is located in Wichita Falls, Texas, and provides comprehensive medical care including inpatient and outpatient services, advanced diagnostics, surgical specialties, and life-saving emergency care to a nine-county service area. We have the area’s only Level II Trauma Center and serve as the Primary Stroke Center for the region. United Regional’s passion is to provide excellence in health care for the communities we serve. 
To accomplish this passion, the System continues to reinvest in advanced technology, modern facilities, and the recruitment and retention of highly skilled employees and physicians to ensure that the current and future medical needs of the area are met.</p> </div> <div class="col-md-4"> <div class="panel module-typeC"> <div class="panel-heading"> <h3 class="panel-title">Related Resources</h3> </div> <div class="panel-body"> <ul> <li><a href="/legal-documents/2023-11-02-lawsuit-challenges-federal-rule-ties-providers-hands-efforts-reach-their-communities">Lawsuit Overview</a></li> <li><a href="/press-releases/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands-their">Press Release</a></li> <li><a href="/special-bulletin/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands">Special Bulletin</a></li> <li><a href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer">Case Complaint</a></li> <li><a href="/legal-documents/2023-11-02-case-explainer-american-hospital-association-v-rainer">Case Explainer</a></li> <li><a href="/frequently-asked-questions-faqs/2023-11-02-myth-vs-fact-hhs-ocr-online-tracking-rule">Myth vs. 
Fact Document</a></li> </ul> </div> </div> </div> </div> </div> Thu, 02 Nov 2023 08:56:55 -0500 HIPAA Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands <div class="container"> <div class="row"> <div class="col-md-8"> <p>The American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, today sued the federal government to bar enforcement of an unlawful, harmful, and counterproductive rule that has upended hospitals’ and health systems’ ability to share health care information with the communities they serve, analyze their own websites to enhance accessibility, and improve public health.</p> <p>“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites. We cannot understand why HHS created this ‘rule for thee but not for me,’” said Rick Pollack, AHA President and CEO.</p> <p>Today’s lawsuit challenges a “Bulletin” issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) entitled, <em>“Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”</em> This December 2022 “Bulletin” restricts hospitals from using standard third-party web technologies that capture IP addresses on portions of hospitals’ public-facing webpages that address health conditions or health care providers. 
For example, under HHS’ new rule, if someone visited a hospital website on behalf of her elderly neighbor to learn more about Alzheimer’s disease, a hospital’s use of any third-party technology that captures an IP address from that visit would expose that hospital to federal enforcement actions and significant civil penalties.</p> <p>Hospitals and health systems have long honored the core objectives of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), America’s primary health care privacy law. Congress enacted this law to strike a balance between protecting patients’ health information and ensuring the flow of information needed to provide communities with high quality care. The Bulletin, which HHS issued without consulting health care providers, third-party technology vendors, or the public at large, upsets HIPAA’s careful balance, preventing hospitals from using commonplace web technologies to analyze use of their websites and communicate effectively with the populations they serve.</p> <p>As alleged in the complaint, HHS’ Medicare.gov, the Department of Defense Military Health System and Defense Health Agency, and various U.S. Veterans Health Administration sites continue to use these third-party technologies despite being covered entities under HIPAA. For example, forensic tools revealed that the Veterans Health Administration uses analytics and advertising tools on a wide range of sites, including online resources that describe the symptoms of post-traumatic stress disorder and point veterans to available treatment options. 
While dozens of hospitals across the country have received enforcement threats, and hospitals are currently under active investigation by OCR, the federal government has not halted its own use of these vital tools.</p> <p>Web tools that are ineffective without access to IP-address information include analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps, among others.</p> <p>The suit alleges that HHS’ new rule exceeds its statutory authority under HIPAA. That statute allows hospitals to rely on third-party tools that capture IP address information because that information cannot reasonably be used to identify an individual whose health care relates to the webpage visit. By restricting use of these common tools on public-facing webpages on this basis, OCR violated HIPAA and has acted without legal authority. In addition, the suit alleges that OCR unlawfully issued this Bulletin without providing any reasoning supporting its novel legal assertions, without acknowledging the government’s own use of implicated third-party technologies, and without following required notice-and-comment rulemaking processes. Prior to issuing this rule, the federal government did not consult with hospitals and health systems about their use of third-party technologies that depend on the collection of IP addresses or the impact that its new rule would have on patients or communities. Instead, the agency began aggressively threatening regulatory enforcement and serious civil penalties against hospitals and health systems. 
After attempts to engage with HHS officials to educate them about the impact of their new rule, the AHA determined that it was necessary to file suit on behalf of its members to prevent the agency from unlawfully penalizing hospitals.</p> <p><strong>For additional information about the lawsuit and the issue, visit <a href="/legal-documents/2023-11-02-lawsuit-challenges-federal-rule-ties-providers-hands-efforts-reach-their-communities" target="_blank">AHA's lawsuit webpage</a>.</strong></p> <h2>Further Questions</h2> <p>If you have further questions, please contact Chad Golder at <a href="mailto:cgolder@aha.org?subject=Special Bulletin: Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands In Their Efforts to Reach the Communities They Serve">cgolder@aha.org</a>.</p> </div> <div class="col-md-4"> <div class="panel module-typeC"> <div class="panel-heading"> <h3 class="panel-title">Related Resources</h3> </div> <div class="panel-body"> <ul> <li><a href="/legal-documents/2023-11-02-lawsuit-challenges-federal-rule-ties-providers-hands-efforts-reach-their-communities">Lawsuit Overview</a></li> <li><a href="/press-releases/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands-their">Press Release</a></li> <li><a href="/special-bulletin/2023-11-02-hospital-associations-and-hospitals-file-lawsuit-challenging-federal-rule-ties-providers-hands">Special Bulletin</a></li> <li><a href="/legal-documents/2023-11-02-case-complaint-aha-tha-thr-united-health-care-system-v-rainer">Case Complaint</a></li> <li><a href="/legal-documents/2023-11-02-case-explainer-american-hospital-association-v-rainer">Case Explainer</a></li> <li><a href="/frequently-asked-questions-faqs/2023-11-02-myth-vs-fact-hhs-ocr-online-tracking-rule">Myth vs. 
Fact Document</a></li> </ul> </div> </div> <hr> <p><a href="/system/files/media/file/2023/11/Special-Bulletin-Hospital-Associations-and-Hospitals-File-Lawsuit-Challenging-Federal-Rule.pdf" target="_blank" title="Click here to download the Special Bulletin: Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands In Their Efforts to Reach the Communities They Serve PDF."><img alt="Special Bulletin: Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands In Their Efforts to Reach the Communities They Serve page 1." data-entity-type="file" data-entity-uuid="c3488be6-06a3-4d7f-ab55-cd3d64d32b50" src="/sites/default/files/inline-images/Page-1-Special-Bulletin-Hospital-Associations-and-Hospitals-File-Lawsuit-Challenging-Federal-Rule.png" width="1692" height="2189"></a></p> </div> </div> </div> Thu, 02 Nov 2023 08:23:25 -0500 HIPAA