In 2022, the HHS’ Office for Civil Rights (OCR) issued guidance regarding HIPAA and website tracking technologies. This guidance clarified that healthcare providers commit a HIPAA violation if they disclose protected health information to third parties through website tracking technologies without obtaining patient authorization or having a valid business associate agreement in place. The OCR, in conjunction with the Federal Trade Commission (FTC), also communicated with 130 healthcare and telehealth providers to caution them about the use of tracking technologies on their websites. Furthermore, the OCR has made HIPAA violations related to website tracking tools an enforcement priority.
However, an Illinois court has raised doubts about the OCR’s interpretation that metadata falls under the regulatory purview of the Health Insurance Portability and Accountability Act (HIPAA). This questioning arose in a class action lawsuit, Marguerite Kurowski and Brenda McClendon v. Rush System for Health d/b/a Rush University System for Health, filed in the District Court for the Northern District of Illinois, Eastern Division. The lawsuit alleged that the defendant healthcare provider had placed third-party tracking code on its website and MyChart patient portal, resulting in the unauthorized disclosure of individually identifiable health information (IIHI) to entities such as Facebook, Google, and Bidtellect for advertising purposes.
Legal Dismissal and Controversy Surrounding IIHI Interpretation in Privacy Lawsuit
The initial dismissal of the lawsuit occurred due to the absence of any claims except for the request for injunctive relief. Subsequently, the plaintiffs filed an amended complaint that not only reasserted the original five claims but also introduced six additional ones. The amended complaint contended that the defendant had violated the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986, breached an implied duty of confidentiality, violated the Illinois Consumer Fraud and Deceptive Business Practices Act, violated the Illinois Uniform Deceptive Trade Practices Act, intruded upon seclusion, disclosed private information without consent, trespassed upon property, breached a contract, violated the duty of good faith and fair dealing, engaged in unjust enrichment, and violated the Illinois Eavesdropping Act.
Rush moved to dismiss the amended lawsuit, and the court granted the motion, dismissing all counts except for the breach of contract and Illinois Eavesdropping Act allegations. The lawsuit asserted that sharing IIHI with Meta, Google, and Bidtellect violated HIPAA regulations based on OCR guidance. However, in dismissing the wiretapping claim, the court rejected the idea of using the HHS bulletin as a foundation for determining liability under federal wiretapping laws. Additionally, the court expressed doubts about whether website metadata truly met the criteria to qualify as IIHI.
“The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, ‘relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual,’ the type of metadata that Kurowski alleges was transmitted via third-party source code does not in the least bit fit into that category.” (District Judge Matthew F. Kennelly)
While there is a chance that data shared during private exchanges between the plaintiff and the defendant on the website might have been shared with third parties and could potentially be classified as IIHI, the plaintiff argued that it was unreasonable to expect her to reveal, in her initial complaint, the intimate details she had communicated to the defendant.
“Kurowski could have requested to file the complaint under seal, Kurowski cannot reasonably expect to bring a lawsuit related to the invasion of her medical privacy and completely evade revealing what it is that she alleges Rush disclosed to third parties,” wrote Kennelly.