HHS Abandons Appeal of AHA’s Lawsuit Challenging HHS Website-Tracking Guidance
Last week, HHS filed a motion asking the Fifth Circuit’s permission to voluntarily dismiss its appeal of a District Court order directing HHS to rescind its guidance restricting hospitals’ ability to track online traffic to their websites. The District Court found in favor of the American Hospital Association’s (AHA) challenge to HHS’ web-tracking guidance.
In 2022, HHS (through the Office for Civil Rights) issued guidance that broadened the definition of what types of information could be considered “individually identifiable health information” under HIPAA that would trigger a covered entity’s obligation to abide by HIPAA when using online tracking technologies. HIPAA defines individually identifiable health information as information that “relates to . . . an individual” and “identifies the individual” or “with respect to which there is a reasonable basis to believe the information can be used to identify the individual.” Protected health information is individually identifiable health information that is collected or maintained by a covered entity or business associate.
The HHS guidance provided that when an online tracking technology connects the following two elements, such combined information constitutes individually identifiable health information: (1) an IP address with (2) a visit to an unauthenticated public webpage addressing health conditions or healthcare providers. After AHA challenged HHS’ 2022 guidance, HHS revised the guidance page to soften the rule by changing the second element to “a visit to a UPW [unauthenticated public webpage] with the intent to address the visitor’s specific health conditions or healthcare providers.”
The AHA challenged the HHS guidance on the basis that HHS exceeded its authority when it issued the guidance and violated the Administrative Procedure Act. HHS argued that the guidance was not a “final agency action” and HHS should win on the merits because: (1) the guidance was consistent with HIPAA’s definition of individually identifiable health information, (2) the guidance was not “arbitrary and capricious,” and (3) HHS had the authority to issue the guidance. Both parties moved for summary judgment and the District Court granted AHA’s motion in part, finding that the HHS guidance created new substantive legal obligations for covered entities.
The District Court found that it had jurisdiction because the HHS guidance amounted to final agency decision-making that created new legal rights, obligations, and consequences. The court found it persuasive that the guidance created new obligations because most covered entities had not been treating this type of website tracking activity as subject to HIPAA. The court also noted that a visit to a UPW that is specific to a certain health condition does not make that information individually identifiable health information because the visit can be merely “indicative” of a person’s individually identifiable health information. For example, a person could be visiting a website about dialysis, but the individual could be visiting for any number of reasons that are not related to their own health status or treatment, such as researching dialysis for a school paper or visiting on behalf of another person on dialysis. The court found that the subjective intent element was unworkable and broadened the definition of individually identifiable health information beyond what was contemplated by HIPAA and, therefore, must be rescinded. The other aspects of the website-tracking guidance were not affected by the decision.
A copy of the District Court’s Order is available here. The full text of HHS’ motion is available here. HHS’ guidance is available here.
Reporter, Taylor Whitten, Sacramento, +1 916 321 4815, twhitten@kslaw.com.
Federal Agencies Issue Warning Regarding Iran-Based Cyber Security Threats to U.S. Healthcare Entities
On August 28, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA), together with the FBI and Department of Defense Cyber Crime Center, issued an advisory to U.S. organizations, including healthcare organizations, warning that Iran-backed malicious cyber actors are targeting U.S. organizations to obtain access to their networks in order to exploit them for future ransomware attacks (the Advisory). The Advisory provides the threat actor’s known indicators of compromise and tactics, techniques, and procedures and recommends various mitigation measures to reduce the likelihood and impact of ransomware incidents.
FBI investigations conducted as recently as August 2024 have found that cyber actors like “Pioneer Kitten” are connected with the Government of Iran and linked to an Iranian information technology company. Their malicious cyber operations seek to obtain and maintain technical access to U.S. organizations’ networks to enable future ransomware attacks. The actors then offer to sell full domain control privileges and admin credentials to numerous other bad actors worldwide.
The federal agencies encourage critical infrastructure organizations to review and implement the mitigations provided in the Advisory to improve their cybersecurity posture based on the Iranian cyber group’s activity. The mitigation measures listed in the Advisory contain technical details and identify vulnerable devices and software.
The Advisory is located here. CISA’s press release regarding the Advisory is here.
Reporter, Ariana Fuller, Los Angeles, +1 213 443 4342, afuller@kslaw.com.
Also in the News
HHS Awards $558 Million to Maternal Health Programs
On August 27, 2024, HHS announced more than $558 million in funding to improve maternal health and reduce the nation’s high mortality rate. More than $440 million of the funding is dedicated to expanding voluntary, evidence-based maternal, infant, and early childhood home visiting services for eligible families across the country. Additionally, the CDC announced an investment of $118.5 million over five years to increase the public health infrastructure to better identify and prevent pregnancy-related deaths. HHS’ press release regarding the award is available here.