Court: HHS Overstepped HIPAA Authority in Web Tracking Guide

A Texas federal court ruled that the U.S. Department of Health and Human Services overstepped its authority in guidance warning HIPAA-regulated entities that it’s unlawful to use online tracking tools to capture IP addresses in visits to websites containing information about maladies.

The U.S. District Court for the Northern District of Texas, Fort Worth Division, on Thursday ruled that parts of HHS’ Office for Civil Rights guidance regarding the use of online trackers “was promulgated in clear excess of HHS’s authority under HIPAA.”

The court ruled that the Office for Civil Rights was wrong when it said that tracking technology capturing the IP address of a user’s device and matching it with a visit to a web page addressing specific health conditions or listing health care providers “is a sufficient combination of information to constitute individually identifiable health information.”

“The proscribed combination fails to improve current privacy protections while jeopardizing the dissemination of important healthcare information to the masses,” the court said.

The American Hospital Association, along with three other organizations, challenged the guidance in November (see: AHA Sues Feds Over Privacy Warning About Web Tracker Use).

The Texas court did not rule that all new guidance about web trackers is invalid; its ruling focused on the combination of IP addresses and related identifiers with the intent of the website visitor.

Source: Court: HHS Overstepped HIPAA Authority in Web Tracking Guide / Bank Info Security
