Regulatory action and class action lawsuits related to pixels and other website technologies continued to surge in 2023 and 2024, particularly in the healthcare industry. The FTC and HHS OCR doubled down on their previously issued guidance, sending joint letters to specific hospital systems and telehealth providers warning that use of third-party web technologies may result in impermissible disclosures of individuals' PHI and ominously stressing that "[b]oth agencies are closely watching developments in this area." Hospitals went on the offensive against HHS OCR's pixel guidance, and at the same time we saw more class action settlements related to hospital systems' use of web tracking technology. The FTC announced significant settlements with Internet-based healthcare providers and also issued a notice of proposed rulemaking to amend the existing health breach notification rule to focus significantly on entities' (not subject to HIPAA) sharing of website visitor information with third parties. All told, 2023 and 2024 have given 2022 a run for its money as the reigning "year of the pixel."
OCR and the FTC Double Down
As anticipated, regulatory focus on website technologies and health-related information did not let up in 2023, as federal regulators began threatening and engaging in enforcement actions related to third-party web technologies.
- Recap: Following the 2022 Dobbs decision, several state and federal regulators scrambled to give consumers, health apps and HIPAA-covered entities admonishments and guidance on the risks and limitations of third-party web technologies. In December 2022, HHS OCR issued a bulletin asserting that an IP address collected on a HIPAA-covered entity's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the covered entity and even if the information does not include specific treatment or billing information, like dates and types of healthcare services. In early 2023, the FTC issued a series of guidance pieces addressed to entities collecting, using or disclosing health-related information. The FTC pointed to its recent enforcement actions to demonstrate how the use of third-party web technologies may violate the FTC's Health Breach Notification Rule, and it warned that the agency would continue to investigate health technology companies that mislead consumers about data anonymization and data sharing.
- February - May 2023: The FTC fined GoodRx ($1.5 million), GoodRx ($7.8 million), and Premom ($100,000) for their pixel practices. The crux of the FTC's allegations was that GoodRx misrepresented to consumers that it did not share health information with advertisers or any third parties when, in fact, the company did so. The FTC alleged that not only was this a deceptive practice under FTC rules but the disclosure to the advertisers and other web technology vendors required notice under the Health Breach Notification Rule, which GoodRx also did not do. Our coverage of the GoodRx settlement can be found here.
- March 2023: The FTC fined BetterHelp $7.8 million for its allegedly misleading statements about how BetterHelp was sharing its users' information with third-party website technologies. While the information BetterHelp maintained did not constitute a "health record" to bring it under the Health Breach Notification Rule, the remainder of the complaint's allegations against BetterHelp were very similar to those levied against GoodRx. The FTC made clear it was watching how entities described their web technology uses and disclosures and would levy heavy fines for inaccuracies. Our coverage of the BetterHelp settlement can be found here.
- May 2023: The FTC issued a Notice of Proposed Rulemaking for revisions to the existing FTC Health Breach Notification Rule. The proposed rule, which went into effect in its final form in April 2024, focused significantly on when disclosures of health information to a third-party web technology vendor constitute a breach under the Health Breach Notification Rule. Our coverage of the final rule can be found here. In the same month, the FTC fined Premom (the developer of a fertility-tracking app) $100,000 for its adtech practices. Again, the allegations were very similar to those levied against GoodRx.
- July 2023: HHS OCR and the FTC sent a joint letter to approximately 130 hospital systems and telehealth providers reiterating previous guidance regarding the use of third-party website technologies and "strongly encourag[ing]" recipients "to review" and "take actions" in light of such guidance. In a press release regarding the joint letters, OCR Director Melanie Fontes Rainer stated that OCR "continues to be concerned" about hospitals' use of these technologies and stated that the agency "will use all of its resources to address this issue." The press release also confirmed that the agency has "active investigations nationwide to ensure compliance with HIPAA," following the December 2022 bulletin.
- September 2023: HHS OCR publicly released all the July 2023 warning letters, including the names of all hospital systems and telehealth providers, many of which were involved in ongoing litigation or have since been sued. HHS OCR and the FTC did not explain how they selected letter recipients or why they chose to later publicly release the letters, effectively pouring gas on the class action fire.
- December 2023: State regulators also stayed involved, opening new investigations against health industry entities related to third-party web technologies, often citing investigative reports and HHS OCR or FTC guidance to allege potential violations of state consumer protection laws.
AHA Pushes Back
In November 2023, the American Hospital Association (AHA), the Texas Hospital Association, and two healthcare providers, Texas Health Resources and United Regional Health Care System, filed a lawsuit, AHA, et al. v. Becerra, et al., in Texas federal court seeking to enjoin the government's enforcement of the December 2022 OCR bulletin (the AHA Lawsuit). The AHA Lawsuit argued that the bulletin amounted to a new rule without the required rulemaking, exceeding HHS's statutory and constitutional authority and harming "the very people it purports to protect" along the way. AHA and its co-plaintiffs argued that the bulletin severely restricted hospitals' ability to rely on common third-party technologies used to analyze their websites and communicate reliable, accurate health information to the communities they serve. The result, the plaintiffs alleged, was that sites promoting disinformation (not regulated by HIPAA) would continue to leverage web technologies to ensure significant visibility on the internet, steadily eclipsing the reliable public health messaging originating from covered entities barred from using the same tools.
In January 2024, 30 healthcare entities joined in an amicus brief in support of the motion for summary judgment filed by the plaintiffs in the AHA Lawsuit. In response, in April 2024, HHS OCR issued a revised bulletin with additional guidance in an attempt to defeat the motion.
In June 2024, the court ruled in favor of the plaintiffs, agreeing that the HHS OCR bulletins' restriction on the use of third-party web technologies that capture IP addresses on portions of providers' public-facing webpages was unlawful rulemaking. The court concluded that "(1) an individual's IP address [combined] with (2) a visit to [an unauthenticated public webpage] addressing specific health conditions or healthcare providers" – the "Proscribed Combination" – is not individually identifiable health information (IIHI) under HIPAA. The court vacated the portions of the bulletin that addressed the use of the Proscribed Combination.
IIHI is defined under HIPAA as information that (1) relates to an individual's past, present or future physical or mental health or condition, their receipt of healthcare, or their payment for healthcare and (2) "identifies the individual" or provides "a reasonable basis to believe that the information can be used to identify the individual." The court explained that the Proscribed Combination fails on both the "relates to" prong and the "identifies" prong of the definition of IIHI. The court reasoned that while a visit to a healthcare provider's public website is "indicative of" or "might relate" to an individual's PHI, this is not enough to "relate to" an individual's health. As a result, the court concluded that "the Proscribed Combination facially exceeds HIPAA's unambiguous text," and thus the bulletin was an unlawful attempt to promulgate a new rule without proper rulemaking, in clear excess of HHS' authority under HIPAA. The court thus granted the plaintiffs' request for vacatur as to the portions of the bulletin related to the Proscribed Combination.
HHS OCR opted not to appeal the court's ruling. Our full coverage on the ruling can be found here.
Stay tuned for part two of this blog post in which we will discuss the overturn of the Chevron deference, the quest for compliant use of third-party technologies, and privacy class actions related to tracking technologies in 2023 and 2024.