The Recent Texas Compliance Ruling and Its Implications on OCR Guidance

For healthcare marketers navigating the evolving regulatory landscape, a recent legal decision in Texas clarifies the use of tracking technology within HIPAA constraints. This ruling clarifies how healthcare marketers can harness the power of digital marketing while prioritizing patient data privacy and compliance.

We sat down with Celia Van Lenten, Principal at the law firm Miles & Stockbridge and an expert in healthcare privacy, to get her perspective on the recent Texas ruling and ask her what it means for healthcare marketers.

Here is what Celia had to say about the recent ruling:

Key points from the ruling

1. Judge Mark Pittman of the United States District Court for the Northern District of Texas ruled that the guidance, which banned the use of third-party online tracking technologies on hospitals' public-facing websites, was unlawful. The judge sided with the AHA and other healthcare organizations, stating that the HHS had exceeded its authority.
2. The judge concluded that the “Proscribed Combination” of an IP address and a visit to an unauthenticated webpage containing health information (read: a website that does not require someone to identify themselves) is not protected health information (PHI) under HIPAA.
3. The judge invalidated the guidance specifically for this combination of identifiers only, leaving the rest of the guidance intact.
4. The ruling has implications nationwide, as it is a federal court decision on a federal law issue, not just Texas jurisdiction. 
5. You are still advised to have a Business Associate Agreement (BAA) with your vendors who handle any authenticated parts of your website.
6. The OCR has 60 days to appeal the decision.

Celia explains the legal perspective of these updates.“Judge Pittman’s opinion is specific to what he calls the “Proscribed Combination,” which is that IP address and a visit to an unauthenticated website with health information,” she says. “So it’s really that piece in his conclusion was creating a new different legal obligation that existed before the first guidance was passed.”

Understanding the legal battle and how we got here

In December 2022, the Department of Health and Human Services' Office for Civil Rights (OCR) released an important bulletin providing updated guidance on HIPAA regulations. This clarification emphasized that using third-party tracking tools, such as Meta's Pixel and Google Analytics, on healthcare websites (including patient portals) is considered a violation of HIPAA regulations.

Following this announcement, healthcare organizations were required to immediately halt any marketing efforts that involved retargeting, look-alike audiences, and geo-fencing. As a result, many marketing departments were left without access to valuable data regarding website traffic and user engagement.

In response, the American Hospital Association (AHA), in combination with the Texas Hospital Association and other organizations, filed a lawsuit against the OCR, arguing that the expansion of HIPAA's definition of individually identifiable health information was beyond its legal authority.  The AHA and other healthcare organizations challenged the rule, arguing that it hindered their ability to share information and improve access to care. This led to the vacating of part of the guidance on June 20th, 2024.

What is an unauthenticated public-facing website? 

One important part of the regulation focuses on IP identifiers and how websites are categorized:

• Unauthenticated public-facing web pages: These are web pages that anyone can access without needing to log in or provide any personal information.
• Authenticated web pages: These are pages where visitors need to log in or provide their information, such as a patient portal or when booking an appointment. This process verifies the user's identity, making it an authenticated web page.

Understanding the distinction between unauthenticated public-facing web pages and authenticated web pages is crucial for healthcare organizations to secure patient information. 

“We need to make sure that any vendors that are operating authenticated portions of your website are only engaging in permissible uses of the information they are collecting on that website,” Celia says.

Reinforced importance of BAAs

While these changes will adjust how marketers track overall, the part of the guidelines that remains intact reinforces the need for a BAA when handling vendors.

“Based on those conclusions, Judge Pittman vacated the guidance as it related to the Proscribed Combination only, so the rest of it stands,” Celia says. “But honestly, the rest of it is really not controversial at all. You need to have a BAA with your EMR [electronic medical record] vendor or whoever’s standing up your patient portal.”

BAAs are crucial for healthcare marketers to ensure compliance with HIPAA regulations. Marketers that handle PHI on behalf of healthcare providers, such as email marketing companies or social media advertising platforms, are considered business associates and need to sign a legally binding BAA to safeguard the privacy and security of this information. Failure to comply with HIPAA regulations can result in severe penalties and fines, making BAAs an essential tool for healthcare marketers to protect both their clients and their own businesses.

Impact on healthcare marketing evolution

The landscape of healthcare, especially healthcare regulation, has significantly changed from 1996 to today. Previously, patients would need to spend considerable time locating and scheduling appointments. However, with the advent of technology, individuals facing health concerns can find relevant information in just a few moments. 

Healthcare providers have also replaced paper records with electronic patient records (EPRs) stored securely on Cloud-based servers, enabling ease of sharing with technology partners for enhanced collaboration across platforms while adhering to HIPAA guidelines.

Following the 2022 bulletin, many health systems and hospitals swiftly updated their policies on compliance and usage according to the OCR updates. Even though the guidance is partially rolling back, the updates brought some good changes to health systems.

“One very good thing from the last few years has been that all of those stakeholders have been coming together to develop a more formalized governance framework about what information was going in their websites, what tracking technologies were being used, what are we doing with this information and why, and what third-parties were getting access to this information and why,” Celia explains.

Perspectives on the ruling

AHA General Counsel expressed satisfaction with the Court's decision, highlighting the importance of being able to rely on these technologies to provide communities with vital healthcare information.

Additionally, numerous hospital associations and health systems supported the AHA in this legal battle, asserting that the online tracking bulletin was illegal and detrimental to patients and communities. The judge's ruling emphasized that metadata from users' searches on hospitals' websites does not fall under HIPAA's protection of individually identifiable health information.

Looking ahead: What may unfold next

As for a potential appeal, that decision may take some time.

“If HHS does appeal, it would go to the Fifth Circuit Court of Appeals,” Celia explains. “And it will take quite a while before we would get an opinion from that court.”

As Celia alludes, the part of the guidance that remains still requires healthcare marketers to keep their vendors accountable. The shift towards enhanced privacy is evident, requiring a cohesive approach between marketing, IT and compliance for effective technology use in healthcare. 

“The tides are moving to more privacy, not less,” Celia says. “Going back to how things were before might not necessarily be the right path.”

Navigating healthcare regulations with confidence

Partnering with an agency dedicated solely to the industry can make all the difference. With a wealth of knowledge accumulated over 30 years, our team is equipped to ensure HIPAA compliance and provide invaluable insights. Trusting in a marketing partner with a singular focus on healthcare means having peace of mind that your organization’s marketing strategies are not only effective but also aligned with industry regulations and standards. Let us be your trusted ally in achieving your healthcare marketing goals.

[Disclaimer: The content of this article and the included video do not constitute legal advice and are provided for informational purposes only.]