Court Ruling on HHS Bulletin: Impact on Healthcare Analytics Practices

The recent vacating of the HHS Bulletin has significant implications for healthcare providers navigating the complexities of digital analytics. This blog explores the court's ruling and its impact on the use of Google Analytics, offering guidance on how providers can return to GA4 while maintaining stringent privacy standards.

On June 20, 2024, a US District Court Judge in Texas declared the HHS Bulletin of March 18, 2024, to be unlawful, stating that it exceeded HHS's authority under HIPAA, and vacated its guidance on the "Proscribed Combination": the pairing of a visitor's IP address with a visit to an unauthenticated webpage that addresses specific health conditions or providers. The bulletin had treated that combination as protected health information, effectively barring healthcare providers from using standard third-party web technologies that capture IP addresses on portions of their unauthenticated webpages. It also suggested that covered entities must have Business Associate Agreements (BAAs) in place with analytics providers.

A key point in the judge’s 31-page ruling addresses Protected Health Information (PHI):


“Giving HHS the benefit of the doubt, suppose a UPW (unauthenticated public website) visitor’s query related to someone’s healthcare. Suppose further that their query related to their healthcare. Without knowing information that’s never received—i.e., the visitor’s subjective motive—the resulting metadata could never identify that individual’s PHI.

Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).

If a covered entity’s UPW greets visitors with a dropdown box requesting their subjective motive for visiting the page, that would be one thing. The Department can and should remind covered entities that the Privacy Rule would apply in those circumstances. But absent such an admittedly bizarre scenario, the Proscribed Combination cannot become IIHI as unambiguously defined.”


The bulletin caused many healthcare providers to assume that using Google Analytics was illegal. Google will sign a BAA for Google Cloud services, but not for Google Analytics. As a result, some healthcare providers completely removed analytics from their websites, switched to providers that would sign BAAs, or adopted self-hosted analytics solutions.


Returning to GA4

With the bulletin vacated, healthcare providers' legal counsel may now green-light the return to Google Analytics. Even so, healthcare providers should still take a privacy-aware approach and move the data collection settings away from their defaults. In GA4 Admin this means restricting Google Signals data collection and granular location and device data collection to only the regions you actually serve, rather than leaving both enabled everywhere.


A recommendation would be to focus on your service area: do you need to collect data globally, or for the entire US, if you are not marketing to prospective patients in those areas and have no capacity to serve them? In the past, many GA4 implementations, especially those auto-created from Universal Analytics properties, simply kept the default setup parameters. These settings can be modified per region in GA4 Admin under the property's data collection settings, which was not possible in the older Universal Analytics properties.


It is important to remember that Google Analytics' terms of service prohibit sending Personally Identifiable Information (PII) to Google Analytics. The most likely culprit is an email address, typically one that ends up in a URL query parameter (a newsletter sign-up confirmation, an unsubscribe link) or in a search term. Each GA4 web data stream has a Redact data setting that, when enabled, strips text that looks like an email address, and any URL query parameters you list, from event data before it is sent. Turn it on, and list every parameter name your site uses to carry identifiers; it only catches what you tell it about.
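The Redact data toggle is a reasonable default, but it is applied by Google's tag and only covers the parameter names you configure. A site that wants to be sure nothing identifying leaves the browser can scrub its own data before handing it to gtag.js. The following is an added example, not code from the original post or from Google; it shows a small client-side scrubber that removes email addresses from the page URL, referrer and event parameters, blanks out query parameters known to carry identifiers, and turns off Google Signals in the gtag config. The parameter names in `SENSITIVE_PARAMS`, the `REDACTED` placeholder and the sample URLs are assumptions chosen for illustration; `allow_google_signals`, `allow_ad_personalization_signals`, `page_location` and `page_referrer` are real gtag.js config fields.

```javascript
// Added example (not from the original post): client-side scrubbing of
// identifiers before they reach gtag.js. Complements, does not replace,
// the GA4 "Redact data" web-stream setting.

// Matches an email address whether the "@" is literal or URL-encoded (%40).
const EMAIL_RE = /[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Placeholder written in place of anything we remove (assumed value).
const REDACTED = 'REDACTED';

// Query/event parameter names assumed to carry identifiers on this site.
// Adjust to match the parameters your own forms and links actually use.
const SENSITIVE_PARAMS = new Set(['email', 'e', 'user', 'patient_id', 'mrn']);

// Replace every email-looking token in a string.
function redactEmails(text) {
  if (typeof text !== 'string') return text;
  return text.replace(EMAIL_RE, REDACTED);
}

// Scrub a URL: blank sensitive query parameters, and remove emails from
// the remaining parameters, the path and the fragment.
function redactUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    // Not parseable as an absolute URL: fall back to plain text scrubbing.
    return redactEmails(urlString);
  }
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, REDACTED);
    } else {
      url.searchParams.set(key, redactEmails(url.searchParams.get(key)));
    }
  }
  url.pathname = redactEmails(url.pathname);
  url.hash = redactEmails(url.hash);
  return url.href;
}

// Scrub the parameter object of a single GA4 event.
function redactEventParams(params) {
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      clean[key] = REDACTED;
    } else {
      clean[key] = typeof value === 'string' ? redactEmails(value) : value;
    }
  }
  return clean;
}

// Build the gtag 'config' object: scrubbed page URL and referrer, and
// Google Signals / ad personalization switched off at the tag level.
function buildConfig(currentUrl, referrerUrl) {
  return {
    page_location: redactUrl(currentUrl),
    page_referrer: referrerUrl ? redactUrl(referrerUrl) : '',
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
  };
}

// Wrappers that call gtag only when it is present (so this file also runs
// outside a browser). Both return the scrubbed payload for inspection.
function initAnalytics(measurementId) {
  const config = buildConfig(location.href, document.referrer);
  if (typeof gtag === 'function') gtag('config', measurementId, config);
  return config;
}

function safeEvent(name, params = {}) {
  const clean = redactEventParams(params);
  if (typeof gtag === 'function') gtag('event', name, clean);
  return clean;
}

// Usage in a page: initAnalytics('G-XXXXXXXXXX') after the gtag.js loader,
// then safeEvent('search', { search_term: input.value }) instead of gtag(...).
```

Keep the scrubber in front of every gtag call rather than relying on developers to remember it; a wrapper like `safeEvent` is easy to enforce in code review, while a raw `gtag('event', ...)` that slips through carries whatever the form contained.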


For more detailed information, you can access the 31-page ruling here.