The American Hospital Association is asking Congress to urge HHS to "immediately" rescind a rule restricting the use of third-party tracking technologies by hospitals and health systems.
HHS' Office of Civil Rights released the rule in December after several hospitals and health systems were found to be sharing patient information with Big Tech companies via the consumer tracking tools. OCR and the Federal Trade Commission later sent letters to 66 hospitals and health systems warning them about use of the so-called pixel technology.
"This rule is flawed as a matter of law and harmful as a matter of policy," AHA Executive Vice President Stacey Hughes wrote in the Sept. 28 letter to U.S. Sen. Bill Cassidy, R.-La., ranking member of the Senate Committee on Health, Education, Labor and Pensions, who had requested information on health data privacy regulations. "As a result of the OCR rule, hospitals and health systems can no longer rely on a broad array of third-party technologies — from Google Analytics to YouTube or other video applications — that help them provide their communities with reliable healthcare information."
The new rule even applies to people who aren't actually seeking healthcare, the AHA said. "In OCR's misguided view, the same HIPAA protections apply if visitors search for a medical service for a friend or relative; if they are seeking general health information (e.g., information about flu season or symptoms of an unknown illness); or if they are conducting academic research for a study of data on hospitals' websites," the organization wrote.
The rule is causing hospitals and health systems to restrict the use of "valuable technologies" over their fear of HIPAA enforcement actions and class-action lawsuits, the AHA said. Those tools include analytics trackers to measure the "level and concentrations of community concern on medical questions or the areas of a hospital website on which people have trouble navigating"; educational videos; and map and location technologies that help patients navigate to facilities. Meanwhile, the AHA said third-party tech companies refuse to sign business associate agreements to protect private patient information.
Separately in the letter, the AHA wrote that if Congress were ever to update HIPAA, it should enact a provision that the law fully preempts any state health data privacy rules.