In a recent Texas court case, American Hospital Association et al. v. Xavier Becerra, a significant ruling was made regarding HIPAA’s privacy protections. NOTE: This post was updated after a closer look at the opinion.
In a nutshell, the ruling is that hospitals can share patient browsing data with Meta, TikTok and other third parties via adtech if patients view health-related content, voiding part of OCR’s ban on tracking technologies.
There is hope, though. The ruling covers only page views, and does not allow authenticated portals to leak your private data. The judge’s opinion only states that part of OCR’s guidance is unlawful. It is a relief to know that it is merely a “vacatur” of one provision … not throwing the entire guidance on surveillance trackers out.
Specifically, the judge said that page views alone are not a violation of HIPAA when they only combine:
(1) an individual’s IP address with (2) a visit to a page addressing specific health conditions or healthcare providers.
From a patient’s perspective, it will be important to share the research on unauthenticated webpages (device registration, appointment requests, etc.) that do have trackers installed, and to ask that OCR continue to clarify that installing trackers on such pages is clearly a violation of HIPAA.
The case originated from a wave of federal and state class action lawsuits for leaking data from hospital patient portals. As we navigate this new landscape, it’s crucial to understand what this means for patient privacy and what actions we can take to ensure our voices are heard.
A Ruling Against The Office of Civil Rights
The Department of Health and Human Services (HHS) issued new guidance in 2022 suggesting that combining an IP address with visits to health-related websites could count as Individually Identifiable Health Information (IIHI) under HIPAA. The ban on adtech was an enforcement of HIPAA’s privacy protections to stop data from leaking to third parties as patients navigate different websites online – including patient portals. Facing a wave of federal and state class action lawsuits, the American Hospital Association argued that this enforcement bulletin imposed new, burdensome responsibilities on hospitals without proper procedural steps.
The court sided with the hospitals, stating that these new rules in part created additional obligations not previously required under HIPAA. But the full ban on trackers still stands – if tracking technologies are used to leak anything beyond page views.

The judge sided with hospitals, but only on part of the guidance.
Why This Matters to Patients
There are real consequences for patient communities and the public who are targeted with adtech in healthcare without any safeguards. It’s no secret that we have a medical misinformation problem that is fueled by adtech – and by the browsing data we share with ad companies. Many patient communities argue it’s time to end Pharma advertising on social media.
No matter how well intentioned the HIPAA covered site may be, the next advertiser to come along can also target the same patient with scams, snake oil ads, and medical misinformation. Adtech on social media exploits patients by design. The way trackers are installed and the specific information gathered vary widely depending on the type of tracker, the type of page, and the ways a patient can be targeted. Let’s rethink how we reach patient communities online responsibly, and find better ways.
Actions Patients Can Take
As patients, we have a vested interest in ensuring our health information is protected. Here are some steps you can take to make an impact:
- Advocate for Stronger Protections: Join us for World Patient Safety Day in DC September 16th-17th! Make your voice heard through letters, emails, and phone calls.
- Stay Informed: Keep up-to-date with developments on this case. Subscribe to our newsletter and follow relevant organizations on social media to stay informed about new regulations and advocacy opportunities.
- Engage in Public Comment: When new regulations are proposed, agencies often open them up for public comment. Participate in these opportunities to voice your support for stronger privacy measures.
- Educate Your Community: Raise awareness about the importance of digital health privacy within your community. Host informational sessions, share articles on social media, and discuss these issues with friends and family.
The Path Forward
The recent ruling is a win for hospitals, but it doesn’t completely void the ban on trackers. We must find a path to balance patient privacy and safety in light of this new ruling. As technology evolves, so must our approach to protecting health information.
While the court’s decision provides temporary relief to hospitals, it’s crucial that patients continue to advocate for our health privacy & digital rights. Our health information is incredibly personal and sensitive, deserving of the highest level of protection – because this data can be used against us or even weaponized. By taking action and staying engaged, we can work towards a future where our digital health information is as secure as our trust in the healthcare system.
The recent HIPAA ruling is a wake-up call when courts rule in favor of financial interests over patient safety. Let’s ensure that progress in healthcare technology doesn’t come at the expense of our health privacy. Together, we can influence change and protect our digital rights, safety, & health privacy.