Federal Court Blocks HHS Rule Prohibiting Use of Web Tracking Technologies Such as Google Pixel: As you probably know, HHS has issued guidance to HIPAA Covered Entities that they cannot use web-tracking technology if the tech provides any possible PHI to the tech provider. Most websites have tracking technology; it tells the site owner what pages attract viewers and how they act when they get there (i.e., which buttons they click and how they respond to certain elements on the site). These allow the site owner to know what's working, what customers are looking for, where they should provide more or less services, etc.
The problem is that the tech provider usually also wants the data generated by the tracking tech. The tech provider can use the greater amount of consumer action data to make the technology better, improve their algorithms, etc. The problem is that the tech providers generally don't sign BAAs; they are not really getting PHI (the information may be entirely random, such as when a student is looking at a site for information on types of clinical treatment for a particular type of cancer). However, in some instances, such when people with that type of cancer are looking for treatment for themselves, the fact that the person looked up treatment options could be evidence that the person has that condition, which would be PHI.
In most instances, the websites have Terms of Use and Privacy Policies that note that tracking technologies are used, so website visitors are forewarned of the potential disclosures. However, those warnings certainly don't meet the requirements of a HIPAA authorization.
There have been class action lawsuits (one even settled with a large payout!) claiming that the use of the technology by a HIPAA-covered Entity is a HIPAA violation because of those instances where it is a person with the condition; the Covered Entity has disclosed that website visitor's PHI (the visitor's IP address linked to the cancer diagnosis) to the technology provider for a non-HIPAA-permitted purpose without a BAA.
The American Hospital Association sued HHS over the guidance, and a Federal District Court in the Northern District of Texas has ruled that HHS overstepped its legal authorityruled that HHS overstepped its legal authority in attempting to enforce HIPAA in that fashion.
For now, providers can go back to using trackers, but keep an eye out, HHS might appeal.