Medico-Legal Expert Acknowledges Court Rebuke of HHS’s HIPAA Web-Tracking Overreach

GREENSBORO, NC—In a recent blog post, “Court Rebukes HHS, Ruling it Over-Reached with HIPAA and New Edicts on Tracking Technology,” Jeffrey Segal, MD, JD, a medico-legal expert and the founder of Medical Justice, calls attention to a landmark federal court ruling that struck down the Department of Health and Human Services’ (HHS) attempt to broaden HIPAA obligations for routine website analytics.

In the blog, Dr. Segal details how the U.S. District Court for the Northern District of Texas rejected HHS’s Online Tracking Bulletin—both its original 2022 version and the 2023 revision—concluding that the agency exceeded its statutory authority. At stake was whether a combination of an IP address and a visit to a public-facing healthcare webpage—what HHS dubbed the “Proscribed Combination”—should automatically be treated as “individually identifiable health information” (IIHI) and therefore trigger the full weight of the HIPAA Privacy Rule. Judge Mark Pittman’s decision plainly states that an inferred link between a visitor and a medical condition “falls far short of what the IIHI definition requires,” undercutting HHS’s attempt to regulate common web tracking tools that every modern business relies on for analytics and site optimization.

“This ruling reinforces a critical boundary: regulators can’t simply rewrite definitions to suit a preferred policy outcome,” Dr. Segal said. “HIPAA already draws clear lines around what constitutes protected health information. Stretching those lines to cover anonymous web-traffic data was never going to survive judicial scrutiny, and the court’s opinion makes that crystal clear.”

The lawsuit—brought by the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System—was hardly niche. Seventeen additional state hospital associations and 30 individual hospitals and health systems filed amicus briefs, highlighting the nationwide concern that HHS’s guidance would force providers either to disable essential analytics tools or risk crippling civil penalties.

In its opinion, the court focused on statutory text rather than technical minutiae. IIHI, by law, must both relate to an individual’s health, care, or payment for care and reasonably identify that individual. A public website visit, even paired with an IP address, fails that test because motive is unknowable without soliciting it.

As Dr. Segal notes, “Identity plus Query does not equal Diagnosis.” Absent an affirmative disclosure—such as a patient logging into a secure portal—mere metadata cannot be forced into the IIHI box. The court also criticized HHS for creating compliance impossibilities: covered entities would be expected to divine whether each visitor was researching a personal condition, a family member’s illness, or simply reading out of curiosity. Judge Pittman wrote that “HIPAA doesn’t require clairvoyance,” adding that executive oversteps, even in seemingly small bulletins, erode constitutional checks on administrative power.

For physicians and hospital systems, the ruling offers immediate relief. Standard tools like Google Analytics, Meta pixels, or other third-party platforms can continue collecting de-identified traffic data on public pages—content about procedures, surgeon bios, wellness tips, and more—without automatically inviting HIPAA penalties.

Dr. Segal cautions, however, that this is not a license to ignore cybersecurity or privacy best practices. “We still advise members to use encryption, data-minimization, and robust business-associate agreements where PHI is truly in play,” he said. “What the court rejected was HHS’s attempt to label everything PHI by default. Common-sense safeguards remain essential, but they should be grounded in the statute, not in regulatory wish-casting.”

Had the bulletin stood, many hospitals would have faced multimillion-dollar costs to build bespoke analytics systems or forgo the insights necessary to improve content, search visibility, and appointment conversions. Dr. Segal explains: “Restricting basic analytics would have pushed healthcare further behind other industries in digital engagement—ironic for regulations meant to protect patients.”

Still, Dr. Segal urges caution: “This isn’t the end of the story. Plaintiffs prevailed because the guidance clashed with plain statutory language. Regulators may try again through Congress or more tailored rulemaking. We’ll be ready to review, comment, and, if needed, challenge overreach.” He encourages physicians to remain vigilant about privacy obligations, especially on patient portals, telehealth platforms, and appointment-booking forms where real PHI is exchanged.

For nearly two decades, Medical Justice has helped doctors navigate the intersection of medicine, law, and technology—from HIPAA compliance and credentialing disputes to internet-based reputation attacks. Its protection plans and eMerit online reputation management program help prevent medico-legal headaches before they escalate. “We protect you and your reputation, proactively,” Dr. Segal said. “This ruling validates the importance of challenging regulatory excesses that hinder, rather than help, quality care.”

Healthcare professionals seeking guidance on HIPAA compliance or broader medico-legal risk management can schedule a complimentary 15-minute consultation on the Medical Justice website.

###

For more information about Medical Justice, contact the company here:

Medical Justice
Robin Mahaffey
1-877-633-5878
rmahaffey@medicaljustice.com
