The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Judge Questions Whether Website Metadata is Regulated by HIPAA

The HHS’ Office for Civil Rights released guidance in 2022 on HIPAA and website tracking technologies and confirmed that disclosures of protected health information to third parties via website tracking technologies are a HIPAA violation unless authorization has been received from patients or there is a valid business associate agreement in place. OCR and the Federal Trade Commission also wrote to 130 healthcare and telehealth providers to warn them about tracking technologies on their websites, and OCR has made HIPAA violations related to website tracking tools an enforcement priority.

However, OCR’s interpretation that metadata is regulated under the Health Insurance Portability and Accountability Act has been questioned by an Illinois court in a ruling on a class action lawsuit that was filed against a healthcare provider over the disclosure of patient data via website tracking technologies.

The lawsuit – Marguerite Kurowski and Brenda McClendon v. Rush System for Health d/b/a Rush University System for Health – was filed in the District Court for the Northern District of Illinois, Eastern Division, and alleged that third-party tracking code had been placed on the defendant’s website and MyChart patient portal, which resulted in the plaintiffs’ individually identifiable health information (IIHI) being disclosed to Facebook, Google, and Bidtellect for advertising purposes.

The lawsuit was initially dismissed for failure to state a claim, aside from the request for injunctive relief. An amended complaint was then filed that asserted the same 5 claims plus a further 6. The lawsuit alleged violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986, breach of an implied duty of confidentiality, violations of the Illinois Consumer Fraud and Deceptive Business Practices Act, violations of the Illinois Uniform Deceptive Trade Practices Act, intrusion upon seclusion, publication of private facts, trespass to chattels, breach of contract, breach of the duty of good faith and fair dealing, unjust enrichment, and violations of the Illinois Eavesdropping Act.


Rush moved to have the amended lawsuit dismissed and the court granted the motion for all counts aside from the breach of contract and Illinois Eavesdropping Act claims. The lawsuit claimed that per OCR guidance, the disclosure of IIHI to Meta, Google, and Bidtellect was a HIPAA violation; however, in the ruling dismissing the wiretapping claim, the court rejected using the HHS bulletin as a basis for assessing liability under federal wiretapping laws and also questioned whether website metadata actually qualified as IIHI.

“The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, ‘relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual,’” wrote District Judge Matthew F. Kennelly. “The type of metadata that Kurowski alleges was transmitted via third-party source code does not in the least bit fit into that category.”

While it is possible that information disclosed in private communications between the plaintiff and the defendant via the website may have been transmitted to third parties and the transmitted information may qualify as IIHI, the plaintiff contended that it was unreasonable to expect her to disclose in her complaint the type of intimate information she transmitted to the defendant. “Kurowski could have requested to file the complaint under seal,” wrote Kennelly. “Kurowski cannot reasonably expect to bring a lawsuit related to the invasion of her medical privacy and completely evade revealing what it is that she alleges Rush disclosed to third parties.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
