Case Explainer: American Hospital Association v. Rainer

What is this case about?

American Hospital Association (AHA) v. Rainer concerns a new rule from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that severely restricts hospitals’ ability to rely on common third-party technologies that they use to analyze their websites and communicate reliable, accurate health information to the communities they serve. A massive overreach by the federal bureaucracy, the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.

Without soliciting input or feedback from the public or health care providers, and without following legally required notice-and-comment rulemaking processes, HHS-OCR issued this new rule in December 2022 and has since aggressively threatened regulatory enforcement and serious civil penalties against hospital systems and telehealth providers. The AHA, alongside the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, has filed a lawsuit in federal court seeking to enjoin the government’s enforcement of this new rule (known as the “Bulletin”).

What’s at stake?

The AHA, along with its co-plaintiffs in this case, alleges that the OCR Bulletin is unlawful, harmful, and counterproductive. That new rule ties hospitals’ hands when it comes to using their websites to reach the communities they serve with important and truthful health information, and it upsets the careful balance that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — America’s primary health care privacy law — strikes between privacy-protection and information-sharing.

Providers are now unable to use third-party technologies to enhance their websites and better reach members of their communities. Web tools that are ineffective because of the new rule include:

Analytics software that converts interactions with hospital web pages into critical data, such as the level and concentration of community concern on particular medical questions or the areas of a hospital website on which people have trouble navigating.

Video technologies that allow hospitals to offer a wide range of information and education materials to the public, including visuals that educate the community about particular health conditions and that allow visitors to virtually tour the facilities where particular procedures are performed.

Translation and accessibility services that help persons with limited English proficiency and people with disabilities access vital health care information on hospitals’ webpages.

Digital maps that provide information about where health care services are available, including embedded applications that provide public transportation schedules or driving directions to and from a community member’s location.

These third-party technologies are so essential that the federal government itself uses them for agency web pages that are covered entities under HIPAA — including HHS’ Medicare.gov, Tricare’s tricare.mil, and various Veterans Health Administration sites. For example, forensic tools indicate that the Veterans Health Administration uses analytics and advertising tools on a wide range of sites, including online resources describing the symptoms of post-traumatic stress disorder and pointing veterans to available treatment options.

U.S. Department of Veterans Affairs website screenshot.

Background and Case History

  • Understanding OCR’s Bulletin: In December 2022, OCR released new guidance entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” which restricts hospitals from using third-party technologies that capture IP addresses on the portions of hospitals’ public-facing webpages that address health conditions or health care providers. Broadly treating IP addresses as protected information under HIPAA, this new rule subjects hospitals to enforcement actions and civil penalties under HIPAA if they do not comply with OCR’s new rule, forcing providers to strip their websites of these valuable technologies. OCR has since sent letters directly to hospitals threatening enforcement actions if they do not comply with the guidance, and OCR officials have publicly stated that they are conducting investigations into hospitals and health systems across the country to highlight its message.
  • Defining Private Health Data Under HIPAA: HIPAA prohibits health care providers from disclosing information that relates to a particular individual’s health, care, or payment for care, and that could reasonably be used to identify the same individual. OCR’s Bulletin provides no basis or evidence suggesting that an IP address’s web visit can be used to identify the individual whose health, care, or payment for care actually relates to the web visit. For example, someone may visit a hospital’s public-facing website to search for information on behalf of a family member, friend, or neighbor. Or that person may just have general curiosity about a health-related topic in the news. When she visits a hospital’s website and necessarily provides her IP address—as all web visitors do—she is not disclosing private information within the statutory meaning of HIPAA. By reaching beyond the law to forbid hospitals from using these tools on public-facing webpages, OCR exceeded its statutory authority. In fact, one federal court in Illinois has already held that OCR’s rule “goes well beyond the meaning of what the [HIPAA] statute can bear.” Kurowski v. Rush Sys. for Health, 2023 WL 4707184, at *4 (N.D. Ill. July 24, 2023).
  • Legally Required Reasoning, Rulemaking Process: OCR unlawfully issued the Bulletin without providing any reasoning supporting its novel legal assertions or acknowledging the government’s own use of implicated third-party technologies by agencies that are covered entities under HIPAA. Further, prior to issuing its new rule, OCR did not consult hospitals and health systems about their use of online technologies or the impact that its new rule would have on potential patients or community members, and therefore it failed to follow the legally required notice-and-comment rulemaking process. The AHA sought to educate OCR about the widespread adverse impacts of this rule. After several months of outreach, the AHA was finally given an audience with OCR, but OCR refused to address any of the concerns raised by the AHA. Instead, OCR and the Federal Trade Commission sent letters to 130 hospitals (including Plaintiff Texas Health Resources) and telehealth providers threatening enforcement action, and later publicized the names of the letter-recipients on the agencies’ websites.
  • The AHA’s Objectives in Court: Through this lawsuit, the AHA is asking the district court to prevent OCR from enforcing this unlawful rule, so that the HIPAA balance is restored. More specifically, plaintiffs are seeking (1) declaratory judgment that IP addresses are not considered individually identifiable health information under statutory and regulatory definitions, (2) a permanent freeze on OCR’s enforcement of this rule, and (3) further relief that the court may deem just and proper — including, but not limited to, reasonable fees and costs.

About the American Hospital Association

The American Hospital Association (AHA) is a not-for-profit association of health care provider organizations and individuals that are committed to the health improvement of their communities. The AHA advocates on behalf of our nearly 5,000 member hospitals, health systems and other health care organizations, our clinician partners – including more than 270,000 affiliated physicians, 2 million nurses and other caregivers – and the 43,000 health care leaders who belong to our professional membership groups. Founded in 1898, the AHA provides insight and education for health care leaders and is a source of information on health care issues and trends. For more information, visit the AHA website at www.aha.org. For media inquiries, please contact the AHA’s Senior Vice President, Communications Alicia Mitchell: amitchell@aha.org.