Dept. of Health & Human Services drops legal cookie fight: A loss for patient privacy?
Posted: September 20, 2024
In a significant legal development, the Department of Health and Human Services (HHS) recently dropped its appeal against a court ruling that overturned its restrictions on the use of web tracking technologies by healthcare providers.
This decision marks a notable victory for hospitals and other health services, allowing them to continue using these tools to enhance user experience and access to care. However, this legal win raises critical concerns about patient privacy in the digital age.
As hospitals celebrate their newfound freedom to utilize tracking technologies, the question remains: Is this a loss for patient privacy? This blog delves into the implications of the ruling, exploring the delicate balance between utilizing tracking technologies and the protection of sensitive patient information.
Background to the case
In December 2022, the Department of Health and Human Services (HHS) updated its HIPAA guidance, raising concerns about tracking technologies on healthcare websites. The guidance highlighted how, where web trackers are in use, identifiers such as IP addresses could become Protected Health Information (PHI) when combined with the URLs of health information pages and the text of buttons clicked.
This combination of data, referred to as the ‘Proscribed Combination’, was met with backlash from the American Hospital Association (AHA) and others, who in November 2023 filed a federal lawsuit against the HHS guidance. The AHA argued that the combination of a user’s IP address and website visit data is not enough to constitute PHI under the Health Insurance Portability and Accountability Act (HIPAA).
Additionally, the AHA argued that prohibiting the use of tracking technologies would restrict efforts to enhance access to care. These technologies are often used by healthcare providers to analyze patient behaviors, such as frequently visited webpages, to provide relevant information to patients.
Fast forward to June this year, the court sided with the AHA and declared the HHS December 2022 guidance as overstepping its authority, meaning that healthcare providers can go on using tracking technologies to enhance access to care and deliver more insightful patient experiences on their websites.
Following this announcement, the HHS appealed the court’s ruling in August, but the appeal was rescinded shortly afterward. And whilst healthcare providers continue to employ tracking technologies within their websites, there are some red flags that cannot be ignored regarding the blurred lines of HIPAA guidance and the underlying risk to patient privacy.
What this means for patient data: Risks and considerations
In most, if not all, modern-day websites, tracking technologies are used to monitor the online activity of individual visitors. Using key insights from the data gathered, organizations can track the performance of their website, monitor customer trends and behaviors, and implement improvements to user experience. A key asset for any marketer, website tracking is essential in delivering insightful user experience and personalization to consumers.
In the case of healthcare providers, however, concerns about the sharing of website tracking information with third-parties, such as technology companies, social media, and advertising firms, have arisen. These concerns highlight the possibility of inferred health data being gathered from tracking technologies, piecing together website visit information with other third-party data to ultimately reveal an individual’s healthcare information.
The importance of compliance
From a privacy perspective, this situation poses a significant risk to patient health data, raising serious concerns about the importance of compliance. The potential for third parties to aggregate and analyze health information only underscores the need for stringent data protection measures. Without them, healthcare providers risk damaging patient trust and jeopardizing their reputation.
Patient perspectives on health data
In our recent research report, Patient Perspectives on Health Data, it was revealed that a whopping 72% of patients are apprehensive about the potential misuse of their health information by external entities, with 6 in 10 believing that healthcare providers are not keeping up with new data privacy regulations. Not only this, but it was recorded that 92% of Americans believe that explicit opt-in consent should be a mandatory requirement for sharing health data.
Collecting patient data without consent poses significant risks, including legal repercussions, loss of patient trust, and potential data breaches. This can result in sensitive health data being exposed or misused, causing harm to patients and further eroding trust in the healthcare system. Therefore, obtaining patient consent is crucial for maintaining legal compliance, ensuring data security, and fostering a trustworthy healthcare environment.
Why is compliance important for healthcare organizations?
If anything can be gathered from these findings, it is that healthcare providers must do more to encourage data confidence with their patients, starting with implementing thorough privacy practices that align with regulation.
Aside from dodging legal penalties for non-compliance, adhering to laws such as GDPR and HIPAA can reap significant benefits for healthcare organizations, starting with enhanced patient trust and loyalty. By demonstrating a commitment to protecting sensitive health information, healthcare providers can foster a sense of security and reliability among patients.
Moreover, compliance can lead to improved data management practices, reduced risk of data breaches, and a stronger reputation in the industry. Collectively, these benefits can therefore contribute to a more robust and trustworthy healthcare system.
Why consent matters
Limitations of HIPAA
One point that the HHS case has raised is the limitations of HIPAA in light of modern technological innovations. HIPAA, enacted nearly two decades ago, does not account for the modern means of healthcare that we now have in place, including digital health information, mobile health apps, and wearable health tech.
This revelation underscores the need for updated regulations that can effectively safeguard privacy in the digital age. That may well come to fruition in months to come, with the regulatory landscape constantly evolving, but for now, healthcare providers can take several approaches to ensure the protection of patient data:
- Adopting comprehensive data security measures: Providers must implement robust cybersecurity protocols to protect patient data from breaches and unauthorized access. This includes encryption, secure access controls, and regular security audits.
- Staying informed about regulatory changes: As new privacy laws and regulations emerge, healthcare providers need to stay updated and ensure compliance. This might involve adapting to new state laws or international regulations.
- Promoting transparency: Providers should educate patients about how their data is used and the measures in place to protect it. Transparency can build trust and help patients make informed decisions about their health data.
- Considering a consent management solution: Healthcare providers can utilize Consent and Preference Management to ensure explicit consent is obtained from patients before processing their data. These solutions not only ensure compliance with regulatory standards, but grant patients greater control over how they wish their data to be used.
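As an added illustration of the consent-gating and data-minimization ideas above (example code, not from the original post or any vendor product), the snippet below wraps a site's analytics calls so that nothing is sent before an explicit opt-in, and even after opt-in the page path and clicked button text (the elements that made up the ‘Proscribed Combination’) are withheld unless the page sits under a hypothetical allow-list of non-clinical sections.

```javascript
// Added example: a minimal consent gate for healthcare-site analytics events.
// consentState, NON_CLINICAL_PREFIXES and the sample events are constructed
// for this illustration; a real deployment would source them from a consent
// management platform and the site's own information architecture.

const consentState = { analytics: false }; // default: no consent recorded

function setAnalyticsConsent(optedIn) {
  consentState.analytics = optedIn === true;
}

// Hypothetical allow-list: only these sections are considered non-clinical,
// so their paths reveal nothing about a visitor's health.
const NON_CLINICAL_PREFIXES = ['/about', '/contact', '/careers'];

function isClinicalPath(path) {
  return !NON_CLINICAL_PREFIXES.some(p => path === p || path.startsWith(p + '/'));
}

// Returns the event that may be sent to the analytics vendor, or null when
// it must be suppressed entirely (no opt-in). Clinical paths are redacted and
// button text is dropped so the vendor never receives condition-revealing data.
function buildTrackingEvent({ path, buttonText, timestamp }) {
  if (!consentState.analytics) return null;
  const ev = { type: 'pageview', ts: timestamp };
  if (isClinicalPath(path)) {
    ev.path = '[redacted-clinical]';
  } else {
    ev.path = path;
    if (buttonText) ev.buttonText = buttonText;
  }
  return ev;
}

// Applies the gate to a batch of raw interactions and keeps only sendable events.
function processEvents(events) {
  return events.map(buildTrackingEvent).filter(e => e !== null);
}

// Constructed sample interactions for a stand-alone run.
const SAMPLE_EVENTS = [
  { path: '/oncology/chemotherapy', buttonText: 'Book appointment', timestamp: 1 },
  { path: '/about/leadership', buttonText: 'Read more', timestamp: 2 },
];

console.log('before opt-in:', JSON.stringify(processEvents(SAMPLE_EVENTS)));
setAnalyticsConsent(true);
console.log('after opt-in:', JSON.stringify(processEvents(SAMPLE_EVENTS)));
```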
Final thoughts
The decision by the Department of Health & Human Services (HHS) to drop the legal battle over cookie usage marks a significant moment in the ongoing debate about patient privacy. While this may seem like a setback for privacy advocates, it underscores the urgent need for healthcare providers to reassess their compliance strategies.
As discovered in our Prescribing Privacy research report, patients are growing increasingly concerned about how their data is handled by healthcare providers, with the need for informed consent being a priority. Therefore, organizations should look to ensure a comprehensive consent management solution is in place to effectively obtain user consents, and honor patient preferences on how their data is handled.
Prescribing privacy: Patient health data research report
We spoke directly to US consumers in order to delve into the heart of consumer trust and confidence in the healthcare system’s ability to protect and uphold data, as well as attitudes toward their own understanding of healthcare data privacy…
- Factors that influence perceptions of healthcare providers’ commitment to safeguarding their data privacy
- How data breaches in the news impact their feelings
- How they evaluate a healthcare provider for data security
- Actions healthcare organizations can take to fortify trust while navigating the intricacies of data privacy