HHS Litigation Round-Up: Legal Challenges to HHS Guidance on Web Tracking and Reproductive Health Rule

Two recent legal cases involving the U.S. Department of Health and Human Services (HHS) deal with challenges—from the healthcare industry on one hand and from state officials on the other—seeking to invalidate privacy protections of individuals' health information. These protections were issued by HHS arguably to keep pace with emerging threats posed, respectively, by technological advances in healthcare delivery and by the Supreme Court's June 2022 reversal of Roe v. Wade. In both cases, the plaintiff is challenging HHS' expertise in the arena of health privacy protection, particularly its interpretation of the Health Insurance Portability and Accountability Act (HIPAA) and also its approach to what it believes constitutes a violation of HIPAA. This trend is likely to continue, especially with the Supreme Court's reversal of Chevron deference earlier this year in the Loper Bright case, thereby (as we said in our prior article) opening the window to challenge federal healthcare rules.

First, in late August, HHS reversed course and requested permission from the U.S. Court of Appeals for the Fifth Circuit to voluntarily dismiss an appeal it had brought only 10 days earlier. The appeal stemmed from the American Hospital Association's (AHA) challenge to HHS' 2022 (and subsequently amended) web-tracking guidance, in which the AHA challenged the guidance on the basis that HHS had exceeded its authority and violated the Administrative Procedure Act (APA). The U.S. District Court for the Northern District of Texas sided with AHA in part, and in June 2024 invalidated the HHS guidance related to unauthenticated public webpages (UPW), finding it constituted final agency action that created new legal obligations, rights and penalties.

The court found that the guidance broadened the definition of "individually identifiable health information" (IIHI) beyond HIPAA's statutory text because its application of HIPAA to UPW turned on the intent of the visitor to that page (i.e., an individual's visit to a UPW would not necessarily be indicative of their health status, as they could be merely interested in a topic or visiting the page on behalf of another individual). This also led to an overbroad treatment of some information as IIHI when it in fact would not be IIHI based on the website visitor's intent. As the court said, "HIPAA doesn't mandate clairvoyance." While the HHS website acknowledges this June court ruling and indicates that HHS is evaluating next steps, it is clear at this point that an appeal of the ruling to the Fifth Circuit is not one of them. Note that the court in this case completely invalidated the guidance as opposed to issuing a preliminary injunction barring the guidance from going into effect as is so common, meaning there is no underlying case to decide while the guidance waits in limbo. Rather, HHS first decided, and then changed course on, appealing that invalidation to the Fifth Circuit. This means that for now, providers can treat the portion of the HHS web-tracking guidance that relates to UPW as if it were never issued.

Second, Texas Attorney General Ken Paxton sued HHS in the U.S. District Court for the Northern District of Texas on September 4, not only seeking to block HHS' new reproductive health rule from taking effect (see our prior article), but also requesting that the court overturn a portion of the HIPAA Privacy Rule that has been in effect since 2000. On the former, Texas argues that the reproductive health rule would harm its ability to investigate and enforce its laws related to restricted medical care such as abortion, whereas the latter argument is premised on the same argument coupled with two Supreme Court rulings earlier this year that affected the accrual of claims under the APA and overruled Chevron's deference to agency interpretation of a statute.

Regarding the reproductive health rule, Texas argues that the rule impermissibly restricts states' ability to investigate and enforce their own abortion laws, notwithstanding that Congress preserved state investigative authority in the HIPAA statute. Specifically, because the reproductive health rule prohibits the use or disclosure of protected health information (PHI) when it is sought to investigate or impose criminal or other liability on individuals, healthcare providers or others who seek, provide or facilitate reproductive healthcare that is legal under the circumstances in which it is provided, Texas argues HHS is attempting to undermine its law- enforcement capabilities.

Similarly, Texas objects to the 2000 HIPAA Privacy Rule with respect to disclosures to law enforcement, which permit disclosure of PHI in response to a state investigative subpoena only when the disclosure meets a three-part test. Texas argues that such a test does not appear in the HIPAA statute, which furthermore does not permit HHS to introduce any sort of conditions on sharing this information with state governments. Following the Loper Bright line of argument, Texas is arguing that both the Privacy Rule and reproductive health rules are contrary to the HIPAA statute on the topic of state investigatory and law enforcement authority and that the court should not defer to HHS' interpretation of the HIPAA statute in crafting its own regulations, but should instead use the court's own expertise to determine whether HHS' regulations pass muster. Providers and other covered entities should pay attention to this case, as the U.S. District Court for the Northern District of Texas has a history of issuing nationwide injunctions, which could raise questions about HIPAA's requirements for disclosure of PHI to law enforcement and how healthcare providers would respond to such requests. We will be following developments too, of course, and will be sure to cover them in a future C.H.A.T. newsletter.