Case Complaint: AHA, THA, THR, United Health Care System v. Rainer

Introductions and Summary

1. The American Hospital Association and the Texas Hospital Association (Associations), along with Texas Health Resources and United Regional Health Care System (Hospitals), bring this action because the federal government is threatening to enforce against hospitals and health systems a new rule that is flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy. The rule, promulgated by the U.S. Department of Health and Human Services (HHS), prohibits the use of certain technologies that make healthcare providers’ public webpages more effective in sharing vital information with the community. Yet even as HHS is actively enforcing this new rule against hospitals across the country, the federal government’s own healthcare providers continue to use these purportedly prohibited technologies on their websites. A gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it, the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect. The Court should bar the rule’s enforcement.

2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations “strike[] a balance.” Summary of the HIPAA Privacy Rule, U.S. Dep’t of Health & Hum. Servs, https://perma.cc/MCG3-QFHX. The law “protect[s] the privacy of people who seek care and healing,” while “permit[ting] important uses of information.” Id.; see id. (“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.”).

3. Hospitals and health systems have long honored the balance HIPAA strikes. They take seriously their obligation to safeguard the privacy of patient records and billing statements. At the same time, they have embraced the federal government’s support for sharing non-private health-related information on their publicly accessible webpages that neither require nor request patients to enter login information for user authentication (an Unauthenticated Public Webpage).

4. Now more than ever, the federal government has called on hospitals and health systems to combat “[h]ealth misinformation”—something the U.S. Surgeon General recently described as a “serious threat to public health.” V. Murthy, Confronting Health Misinformation (2021), https://perma.cc/YD2V-4QJE. While always working to protect private patient information, hospitals and health systems are keenly aware of their obligation to fulfill the other side of the HIPAA balance by “shar[ing] accurate health information with the public.” Id.; see generally Understanding Some of HIPAA’s Permitted Uses and Disclosures, U.S. Dep’t of Health & Hum. Servs, https://perma.cc/N7FC-DTW8 (“Information is essential fuel for the engine of health care. Physicians, medical professionals, hospitals and other clinical institutions generate, use and share it to provide good care to individuals, to evaluate the quality of care they are providing, and to assure they receive proper payment from health plans.… The capability for relevant players in the health care system – including the patient – to be able to quickly and easily access needed information to make decisions, and to provide the right care at the right time, is fundamental to achieving the goals of health reform.”).

5. As part of these information-sharing efforts, many hospitals and health systems use third-party technologies to enhance their websites, including in the following ways:

• Analytics tools convert web users’ interactions with hospital webpages into critical data, such as the level and concentrations of community concern on particular medical questions, or the areas of a hospital website on which people have trouble navigating. Website data analytics can tell a hospital how many IP addresses in the past month looked for information about, say, RSV vaccines or diabetes treatment in a particular area, which in turn allows hospitals to more effectively allocate their medical and other resources. These tools also help hospitals ensure that their public-facing webpages are user-friendly, helping community members to more easily navigate to healthcare information so that they can better manage their healthcare. For instance, hospitals can improve the functionality of their websites’ design so that they deliver a maximally seamless experience for individuals with disabilities, facilitating compliance with the Americans With Disabilities Act.
• Video technologies allow hospitals to offer a wide range of information to the public, including videos that educate the community about particular health conditions and that allow visitors to virtually tour the facilities where particular procedures are performed.
• Translation technologies help non-English speakers access vital healthcare information on hospitals’ webpages.
• Map and location technologies provide better information about where healthcare services are available, including embedded applications that provide bus schedules or driving directions to and from a community member’s location.

6. Third-party technologies like these, which typically rely on a visitor’s IP address to function, enable hospitals and health systems to hone their websites’ functionality and the helpfulness of their information. Just as crucially, these technologies allow hospitals and health systems to adjust and publicize information and services in response to public need and thereby improve public health, all without compromising the HIPAA balance.

7. In December 2022, however, the Office for Civil Rights (OCR) in HHS precipitously upended the balance that HIPAA and its regulations strike between privacy and information-sharing. Without consulting healthcare providers, third-party technology vendors, or the public at large, the agency issued a sub-regulatory guidance document that has had profound effects on hospitals, health systems, and the communities they serve. See Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (Bulletin), https://perma.cc/58V6-NTMG.

8. In that bolt-from-the-blue “Bulletin,” OCR took the position that when an online technology connects (1) an individual’s IP address with (2) a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers, that combination of information (the Proscribed Combination) is subject to restrictions on use and disclosure under HIPAA. For example, if a public-health researcher used her personal computer to search a hospital’s webpage for the availability of dialysis appointments, the technology’s combination of (1) the researcher’s IP address and (2) the visit to a page addressing dialysis appointments would, according to the Bulletin, be subject to HIPAA’s requirements. So too if the technology combined (1) the IP address of an individual who used his personal computer on behalf of an elderly neighbor (2) to read a hospital’s webpage with information about the onset of Alzheimer’s disease.

9. Remarkably, it appears that OCR issued the Bulletin without even consulting the federal government’s own website operators, because agencies that are covered entities under HIPAA themselves use the same third-party technologies on their webpages and create the Proscribed Combination. As one of many possible examples, web browser inspection and source tools show that, among other technologies, third-party analytics and advertising tools are present on Veterans Health Administration webpages addressing specific health conditions and healthcare providers, including but not limited to a page describing the symptoms of post-traumatic stress disorder and pointing veterans to treatment resources:

See, e.g., Mental Health, U.S. Dep’t of Veterans Affairs, mentalhealth.va.gov/ptsd/index.asp (last visited Oct. 31, 2023) (red boxes added for emphasis).

Read the entire case complaint.