Policy Prognosis: AHA Battles Ocr In A Legal Health Check

Policy Prognosis: AHA Battles Ocr In A Legal Health Check

Announcement: Hospital Associations and Hospitals File Lawsuit Challenging Federal Rule That Ties Providers’ Hands In Their Efforts to Reach the Communities They Serve

The Office for Civil Rights (OCR), a critical oversight body for safeguarding health information privacy, has recently faced a challenge that cannot be ignored. Notable organizations like the American Hospital Association (AHA) are taking a stance to ensure it receives the attention it deserves. This update presents significant implications for healthcare data privacy that every healthcare professional should be aware of. The following update summarizes the latest action and our take on how to move forward.

On November 2, 2023, the American Hospital Association (AHA), along with the Texas Hospital Association and two health systems, filed a lawsuit against the federal government. The lawsuit challenges a December 2022 bulletin from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that restricts hospitals from using common third-party web technologies that collect IP addresses on public-facing web pages that discuss health conditions or providers. The AHA presses that there is a balance between protecting patients’ health information while allowing the flow of information necessary to provide high-quality care to communities.

The suit also alleges that the government’s use of tracking technologies on its own sites creates a double standard, as the government is engaging in the same behavior it is prohibiting. Specifically, HHS’s Medicare.gov website and various VA sites use a range of third-party analytics and advertising tools, although these sites are considered covered entities under HIPAA. In July, the OCR notified 66 hospitals across the country with letters to remediate tracking technology use on their sites; while failing to do so on its own sites.

Finally, the lawsuit alleges that OCR unlawfully issued the Bulletin without providing any rationale for its new legal arguments, without acknowledging the government’s own use of the implicated third-party technologies, and without following the required notice-and-comment rulemaking process. Prior to issuing the rule, hospitals and health systems were not consulted about their use of third-party technologies that rely on the collection of IP addresses or how the impact of the new rule would affect patients or communities.

Unlock’s Take:

In May, the AHA sent the OCR a letter on behalf of member hospitals, expressing serious concerns over the December 22 bulletin’s treatment of IP address as a HIPAA identifier, specifically noting that by doing so, the public would have substantial reduction in access to health information. The lack of response by the OCR and continued push encouraging hospitals to review and remediate tracking technologies from their sites without more specific guidance has left many in the industry looking for answers and scrambling for solutions.

While we are not likely to see resolution on this for some time, this move by the AHA marks an important milestone in its efforts to push back on the OCR’s guidance.

Don’t hold your breath waiting for the OCR to backtrack on those stringent guidelines, instead roll up your sleeves and conduct a thorough sweep of your website’s tracking technologies. Think of it as a digital health check-up: start with remediating the big-ticket items like analytics and digital media buying conversions—these need your immediate attention. Once you’ve got those under control, shift your focus to other technologies such as Google Fonts and video embed players that capture IP address and URLs but aren’t natively tracking technologies.


The thoughts and opinions expressed in this blog post are for informational purposes only and should not be taken as legal advice. The author of this blog post is not a lawyer and does not provide legal services. If you have any legal questions, you should consult with a licensed attorney in your jurisdiction.