Opinion
4:23-cv-01110-P
06-20-2024
OPINION & ORDER
MARK T. PITTMAN UNITED STATES DISTRICT JUDGE
Before the Court are cross-motions for summary judgment. ECF Nos. 24, 50. Having considered the motions, briefs, and applicable law, the Court GRANTS in part and DENIES in part Plaintiffs' motion (ECF No. 24) and DENIES Defendants' motion (ECF No. 50).
BACKGROUND
Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”) in 1996 because health information needed more protections and the world needed more acronyms. HIPAA seeks to “assure that individuals' health information is properly protected” while “allowing the flow of health information needed to provide and promote high quality healthcare.” The Department of Health and Human Services (“HHS”) enforces this mandate. Violations are reported to HHS's Office for Civil Rights (“OCR”), who investigates reports and recommends corrective action. This case involves HIPAA's confidentiality protections (the “Privacy Rule”) for “protected health information” (“PHI”). More specifically, the case concerns the Rule's applicability to one subset of PHI: “individually identifiable health information” (“IIHI”). HIPAA defines IIHI as information that (1) “relates to” an individual's healthcare and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.”
Like many decades-old definitions, the Act's definition of IIHI has evolved awkwardly with the times. A lot has changed between 1996 and 2024. In 1996, an American with health concerns would likely consult a library or other repository for things called “books,” which would contain information potentially relevant to their condition. Thereafter, the individual would consult something called the “Yellowpages,” which was a book that listed phone numbers for local clinicians. They would then call nearby clinics and speak with a human being to inquire about availability. After a trial-and-error process, the individual would squeeze in a visit for the (hopefully) near future. Twenty percent of the population had internet, so those fortunate few could scour the nascent digital landscape for this information and cut down on required steps. For the rest, this process could take several days.
Today, an American with health concerns will reach in their pocket, grab a phone, and with the click of a button connect themselves to more information than an American in 1996 could access in a lifetime. Based on their query, algorithms will autopopulate the most relevant resources first, which an “AI overview” will conveniently distill. After reviewing WebMD, the individual will ill-advisedly self-diagnose and search for nearby providers. Based on their location, a list of nearby clinics will appear, categorized by projected wait time. For the ninety-six percent of Americans with internet, this process will take roughly ten minutes.
Differences between 1996 and today are further seen in the patients' clinic experience. For one, folks in 1996 would drive to a physical location to speak with a healthcare provider; today we just schedule a telemedicine appointment. And in 1996, the patient's intake paperwork and clinician notes would be transcribed on paper and stored in a Hollinger box, or perhaps transferred to a CD or floppy disk. Most patients today will fill out a digital intake form, which will be incorporated with clinician notes in “electronic patient records” (“EPRs”) maintained in the Cloud or in auxiliary servers/data centers.
By aggregating and storing EPRs digitally, healthcare providers can securely maintain troves of PHI, most of which can be “de-identified” to protect patients' identities. They can then share such data with technology vendors and other third parties, gaining valuable data-analytics insights and facilitating better cross-platform collaboration. HIPAA provides robust protections for PHI in this context, including the Privacy Rule, along with the Security Rule (requiring “reasonable and appropriate” administrative safeguards), required SSL encryption, obligatory Business Associate Agreements (“BAAs”) for outside providers, and a host of other obligations. Subject to certain restrictions, providers can provide information that is not IIHI on “unauthenticated public webpages” (“UPWs”)-websites that don't require login credentials or user verification. In doing so, healthcare providers increase the public's access to important health-related information.
While the benefits abound, this trend is not without drawbacks. In recent years, the OCR has received a surge of complaints from citizens concerned that UPWs might disclose their IIHI. For instance, say a provider utilizes third-party technology vendors for its UPW. Many vendors use a page visitor's IP address to create a more bespoke user experience (e.g., using user location/maps to populate a menu of nearby providers or suggest clinics with lower wait times). Every click of the mouse or swipe of the phone thus increases the relevance of information the UPW provides. In theory, a third party could connect the dots between a person's IP address and the searches performed: if an IP address corresponds to Person A, and Person A looks up symptoms of Condition B, one might conclude Person A has Condition B.
IIHI's broad definition seemed sufficiently malleable to progress with the times, giving providers a clear rubric for information that can and can't be shared. Indeed, inferences aside, the above scenario would never reveal that Person A affirmatively had Condition B. But HHS thought otherwise. Accordingly, in 2022, the Department gave the definition a clandestine facelift. In December of that year, HHS issued a guidance document (the “Original Bulletin”) to address potential privacy concerns. Like most guidance documents, the Original Bulletin reminded covered entities of their obligation to protect IIHI. But it did more than that, too. In particular, the Original Bulletin appeared to shoehorn additional information into the IIHI definition. The Original Bulletin provided several hypotheticals that trigger HIPAA obligations, including circumstances where an online technology connects (1) an individual's IP address with (2) a visit to a UPW addressing specific health conditions or healthcare providers. HHS says this new rule (the “Proscribed Combination”) was an example to highlight privacy concerns; covered entities saw it as an entirely new obligation.
The Plaintiffs here (collectively, “the Hospitals”) are two hospital associations and a regional healthcare system. Facing new obligations under the Proscribed Combination, the Hospitals sued to stop enforcement of the rule. As the case boils down to pure questions of law, both Parties moved for summary judgment. Days before its brief was due, HHS issued a new guidance document (the “Revised Bulletin”). The Revised Bulletin softened language from the Original and noted that it “do[es] not have the force and effect of law” and isn't “meant to bind the public in any way.” The Revised Bulletin further suggests the IIHI test is subjective. That is, the Revised Bulletin insinuates that information can become IIHI if the individual's reason for visiting a UPW relates to their personal healthcare (irrespective of the fact that such information is unknowable unless a UPW seeks it).
The Complaint names three Defendants: the United States of America, Melanie Fontes Rainer (OCR Director), and Xavier Becerra (HHS Secretary). See ECF No. 1 at 1. The Court collectively calls them “HHS” or “the Department” because that's the most relevant executive entity.
Changes aside, the Revised Bulletin did not change the salient legal questions. The Hospitals say summary judgment is warranted here because (1) HHS exceeded its authority in promulgating the Bulletins and (2) HHS violated the Administrative Procedure Act (“APA”) in doing so. HHS sees things differently. As a preliminary matter, HHS says the Court lacks jurisdiction because the Bulletins are not a “final agency action” subject to judicial review. Even if the Court has jurisdiction, HHS says the Hospitals' claim fails on the merits because (1) the Revised Bulletin is consistent with HIPAA's definition of IIHI, (2) the Revised Bulletin is not “arbitrary and capricious” under the APA, and (3) HHS was authorized to issue the Revised Bulletin and did so with procedural propriety. Having reviewed the briefs and submissions from multiple amici, the Court agrees with the Hospitals that the Bulletins improperly create substantive legal obligations for covered entities.
LEGAL STANDARD
Summary judgment is proper where “there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” FED. R. CIV. P. 56(a). A dispute is “genuine” if, based on the evidence, “a reasonable jury could return a verdict for the nonmoving party.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). A fact is “material” if it would affect a case's outcome. Id. Generally, the “substantive law will identify which facts are material” and “[f]actual disputes that are irrelevant or unnecessary will not be counted.” Id. In assessing if summary judgment is warranted, the Court “view[s] all evidence in the light most favorable to the nonmoving party and draw[s] all reasonable inferences in that party's favor.” Cunningham v. Circle 8 Crane Servs., LLC, 64 F.4th 597, 600 (5th Cir. 2023).
While the Court may consider any evidence of record, it need only consider materials cited by the parties. FED. R. CIV. P. 56(c)(1)-(3); see generally Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986) (noting summary judgment is proper “if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue as to any material fact and that the moving party is entitled to judgment as a matter of law”). But the Court need not mine the record for evidence supporting the nonmovant; the burden falls on the movant to simply show a lack of evidence supporting the nonmovant's case. See Malacara v. Garber, 353 F.3d 393, 404-05 (5th Cir. 2003). In this regard, “[s]ummary judgment is appropriate when ‘the nonmoving party has failed to make a sufficient showing on an essential element of her case with respect to which she has the burden of proof.'” Edwards v. Oliver, 31 F.4th 925, 929 (5th Cir. 2022) (quoting Celotex, 477 U.S. at 323).
ANALYSIS
As noted, the Parties contest HHS's authority to promulgate the Bulletins and the procedural propriety with which it did. See ECF Nos. 51, 60. But HHS also contests the Court's jurisdiction. See ECF No. 51 at 25. The Court addresses the jurisdictional challenge first, as “courts must assess their jurisdiction before turning to the merits.” United States v. Rodriguez, 33 F.4th 807, 811 (5th Cir. 2022). As explained below, the Court has jurisdiction over the Hospitals' challenge.
A. The Court has jurisdiction over the Hospitals' claim.
HHS says the Court lacks jurisdiction because the Bulletins were not a “final agency action.” See ECF No. 51 at 25. If true, the APA's judicial-review provisions don't apply. See 5 U.S.C. § 704. If Section 704 doesn't apply, the Court lacks jurisdiction over the Hospitals' APA claim. See Lujan v. Nat'l Wildlife Fed'n, 497 U.S. 871, 882 (1990); Apter v. HHS, 80 F.4th 579, 593 (5th Cir. 2023). While the Court would still have jurisdiction over the Hospitals' non-APA claims, see Apter, 80 F.4th at 591, it would be unable to consider their APA arguments. This so-called “finality requirement” is the hallmark of federal-jurisdiction precedents under the APA. See U.S. Army Corps of Eng'rs v. Hawkes Co., Inc., 578 U.S. 590, 591 (2016).
Notably, HHS's arguments solely concern the APA. The Hospitals counter by arguing “even if the APA were unavailable, this Court at least has the power to grant injunctive and declaratory relief against HHS for exceeding its authority under HIPAA.” ECF No. 60 at 15. That opened a can of worms, with HHS submitting over a half-dozen briefing pages on the appropriate taxonomy for the Hospitals' non-APA claims. See ECF No. 51 at 31 (“Plaintiffs cannot avoid the finality requirement by recasting a garden-variety APA claim as a non-statutory equitable claim.”); id. at 34 (contending Plaintiffs try to “cast a plain-vanilla APA claim in the guise of an implied equitable ultra vires claim”). These arguments ultimately lack bearing for the Court's analysis, as the Court has jurisdiction under both the APA and Art. III.
The APA has a “basic presumption of judicial review” for “one ‘suffering legal wrong because of agency action.'” Abbott Laby's v. Gardner, 387 U.S. 136, 140 (1967) (quoting 5 U.S.C. § 702), abrogated on other grounds by Califano v. Sanders, 430 U.S. 99 (1977). The APA defines “agency” as “each authority of the Government of the United States,” 5 U.S.C. § 551(1), and “agency action” as “the whole or a part of any agency rule, order, license, sanction, relief, or the equivalent or denial thereof, or failure to act.” Id. § 551(13). But what is a final agency action? Federal courts take a “pragmatic approach” to this question, viewing the finality requirement as inherently “flexible.” Texas v. EEOC, 933 F.3d 433, 441 (5th Cir. 2019). At base, a final agency action must create “rights, obligations, or legal consequences,” and those rights/obligations/consequences “must be new.” State v. Rettig, 987 F.3d 518, 529 (5th Cir. 2021) (citations omitted). Courts use a two-part test to make this call, asking if the challenged action (1) represents “the consummation of the agency's decision-making process” and (2) determines “rights or obligations” for those subject to it. See Bennett v. Spear, 520 U.S. 154, 178 (1997) (cleaned up).
Here, HHS says the Revised Bulletin “satisfies neither requirement.” ECF No. 51 at 25. For the first, HHS contends the Revised Bulletin “does not establish the agency's final position with respect to any concrete [HIPAA] requirement.” Id. For the second, HHS argues the Revised Bulletin “lacks any independent force of law, as it explicitly states that it is non-binding and any legal consequences would only result after an administrative proceeding subject to judicial review.” Id. The Hospitals disagree. On the first point, the Hospitals argue the Revised Bulletin articulates HHS's position on an ostensibly new class of IIHI. See ECF No. 60 at 18. On the second, the Hospitals argue the Revised Bulletin creates new substantive legal requirements on its face. Id. at 19-22. The Hospitals persuade.
1. The Proscribed Combination is the consummation of HHS decision-making.
Relying on its eve-of-brief Revised Bulletin, HHS doesn't brief finality for the Original Bulletin. See ECF No. 51 at 25. The Hospitals say that's because HHS “cannot meaningfully dispute that the Original Bulletin was final agency action when this suit was filed.” ECF No. 60 at 16. They're probably right, but be that as it may, the Revised Bulletin is the legally operative document. In any event, both Bulletins consummated HHS decision-making with respect to the Proscribed Combination. An action consummates agency decision-making where it is not “merely tentative or interlocutory.” Bennett, 520 U.S. at 177-78. In such circumstances, the action determines the “rights and obligations” of covered entities and creates conditions from which “legal consequences could flow.” La. State v. U.S. Army Corps of Eng'rs, 834 F.3d 574, 579 (5th Cir. 2016). That's because the agency has asserted its “final position on the factual circumstances underpinning the Agency's orders.” Ak. Dep't of Envt'l Conservation v. EPA, 540 U.S. 461, 483 (2004) (cleaned up).
At times the briefs conflate the Revised Bulletin as a whole with the Proscribed Combination as a subpart therein. This distinction is meaningful. The Revised Bulletin contains an array of guidance for covered entities, much of which is both legally and pragmatically sound. The Court's analysis concerns only the Proscribed Combination and the Revised Bulletin's attempt to apply HIPAA obligations to this ostensibly new IIHI context.
Here, HHS says the Revised Bulletin does not articulate the Department's position “with respect to any concrete circumstances.” ECF No. 51 at 25. The Court is unsure how HHS reached that conclusion. As the Hospitals rightly note, the Revised Bulletin clearly articulates the Department's position regarding PHI in certain contexts, including the Proscribed Combination:
The Revised Bulletin's tweak to the Original Bulletin is still a definitive position and effectively the same one. As discussed, the Revised Bulletin retains its rule against the Proscribed Combination, adding only a subjective-intent gloss that is immaterial for purposes of APA finality. More specifically, the Revised Bulletin states that “the mere fact that an online tracking technology connects the IP address of a user's device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is . . . a sufficient combination of information to constitute IIHI if the visit to the webpage is . . . related to” the individual's own health. AR 4 (emphasis added; double negative omitted).
ECF No. 60 at 18 (quoting ECF No. 49, Administrative Record (“AR”), at 4). HHS attempts to characterize the document as a “policy statement” that simply informs covered entities how HHS will “exercise a discretionary power.” ECF No. 51 at 51. But whether the Department chooses to enforce its position, the wording of the Revised Bulletin “adopts a definitive interpretation of the IIHI definition that governs the scope of covered entities' duties.” ECF No. 60 at 54; see generally AR at 4-6. And the words of the Revised Bulletin control, not the Department's post hoc rationalizations in its defense.
The Department further argues the Revised Bulletin does not consummate HHS decision-making because it is subject to judicial review. See ECF No. 51 at 25. True, the availability of judicial review suggests a challenged action was not truly “final” for APA purposes. See Ak. Dep't of Envt'l Conservation, 540 U.S. at 483. But HIPAA does not provide for judicial review of one-off guidance documents like the Revised Bulletin. Rather, what the Department actually notes is that “any legal consequences” from violations would “result after an administrative proceeding subject to judicial review.” ECF No. 51 at 25.
Case law has long rejected the argument that an action is judicially reviewable merely because subsequent enforcement proceedings would be. See, e.g., Sackett v. EPA, 566 U.S. 120, 127 (2012) (rejecting identical argument where “future enforcement proceeding” was subject to judicial review but the contested provisions “were not subject to further Agency review” themselves). Most enforcement actions are judicially reviewable. See id. Thus, if accepted, the Department's argument would foreclose APA review for the most egregious executive oversteps until after penalties were imposed. The Supreme Court's APA precedents have rejected that argument time and time again. See, e.g., Hawkes Co., 578 U.S. at 600 (internal quotation marks and citation omitted) (“As we have long held, parties need not await enforcement proceedings before challenging final agency action where such proceedings carry the risk of serious criminal and civil penalties.”).
In a last-ditch effort to evade review, HHS argues the Revised Bulletin “is not sufficiently concrete to constitute the consummation of the agency's decisionmaking.” ECF No. 51 at 27. The Court agrees the Revised Bulletin lacks critical detail for HIPAA-covered entities. But numerous cases have held that guidance documents can't escape review merely because they're poorly written. For all its shortcomings, the Revised Bulletin unambiguously states the Department's stance vis-a-vis the Proscribed Combination as IIHI. See AR at 4-6. And even if subsequent enforcement actions would be judicially reviewable, the Hospitals “need not assume such risks while waiting for [HHS] to ‘drop the hammer' in order to have their day in court.” Hawkes Co., 578 U.S. at 600 (quoting Sackett, 566 U.S. at 127). Having found the Revised Bulletin consummates HHS decision-making vis-a-vis the Proscribed Combination, the Court must next ask whether it creates new legal rights, obligations, or consequences. See Rettig, 987 F.3d at 529.
2. The Revised Bulletin imposes new obligations regarding the Proscribed Combination.
Turning to the “new legal obligations” factor, the Court is unpersuaded by the Department's PR campaign for the Bulletins. HHS argues “[t]he Revised Bulletin is [] not final because it does not create any new legal rights or obligations.” ECF No. 51 at 27. Rather, HHS contends the Revised Bulletin “merely reiterates the Privacy Rule's longstanding restrictions” and “highlights certain other preexisting obligations.” Id. Big, if true.
As the Department notes, final agency actions “break[] new ground.” ECF No. 51 at 27. Simply put, plaintiffs can't sue the Government merely because it reminds them of preexisting obligations or of laws already on the books. Rettig, 987 F.3d at 529; see also Nat'l Pork Prods. Council v. EPA, 635 F.3d 738, 756 (5th Cir. 2011). Here, the Revised Bulletin doesn't frame the Proscribed Combination as a new rule, but as a way to “ensure [covered entities] are not . . . violat[ing] the Privacy Rule.” ECF No. 51 at 41. This is a subtle sleight of hand, as it substitutes one question (whether PHI can be disclosed to tracking technology vendors) for another (what counts as PHI collected by online tools). See ECF No. 60 at 19.
To state the obvious, the Hospitals and countless amici are not in federal court to advocate for their right to disclose IIHI. Rather, they challenge whether the Proscribed Combination fits that taxonomy. See ECF No. 1. Much hinges on that distinction. If the Proscribed Combination isn't IIHI, the Privacy Rule doesn't apply. On the other hand, if the Proscribed Combination constitutes IIHI, covered entities have a host of legal obligations to ensure HIPAA compliance. And if the Proscribed Combination is novel, as the Hospitals contend, then these legal obligations are necessarily new. In this regard, HHS takes a well-trod path: it's hard to change the law itself, but with creative lawyering it's possible to argue the law always required certain conduct. See, e.g., Bostock v. Clayton Cnty., Ga., 590 U.S. 644, 649-50 (2020) (ignoring the meaning of Title VII when written to argue “sex” incorporates the conceptually distinct notion of “gender identity”). But the proof is in the pudding, and the Hospitals point to four compelling signs that the Revised Bulletin imposes new obligations. See ECF No. 60 at 20.
First, HHS has never issued a pronouncement “construing the IIHI definition in the [ ] context of information collected by online technologies-let alone adopting the agency's new rule on the Proscribed Combination.” Id.; see AR at 4-7. Second, there's nothing close to unanimity between HIPAA-covered entities on this point. Id.; see AR at 347-49; ECF No. 26 at 26. Third, other courts have rejected HHS's interpretation. Id.; see ECF No. 51 at 44 (collecting cases). Fourth, like private-sector entities, “[i]t is undisputed that HIPAA-covered federal agencies are disclosing IIHI in violation of the Revised Bulletin's new rule.” Id.; see ECF No. 51 at 44-45. So the Proscribed Combination hasn't been announced before, isn't standard practice for covered entities, has been rejected by federal courts, and isn't followed by the government.
To be fair, noncompliance doesn't prove a law doesn't exist. See ECF No. 51 at 44-45 (“To the extent any federal agencies are [violating the Proscribed Combination] . . . the Revised Bulletin reminds them to protect that information . . . just as it does for regulated entities outside of the federal government.”). But at some point, one would expect a degree of compliance if the Proscribed Combination was already law, as is seen for HIPAA's numerous other requirements. See ECF No. 37 at 10-11. Indeed, the record reflects ubiquitous non-compliance with the Proscribed Combination among private and public entities who operate UPWs. See, e.g., AR at 347-49; ECF No. 26 at 26. Such widespread noncompliance is persuasive in the absence of any HHS pronouncement previously articulating the Proscribed Combination. See ECF No. 60 at 20. As a whole, these signs point to one conclusion: HHS tried to tweak the IIHI definition and got caught. With its hand in the cookie jar, the Department now backtracks. In doing so, it gaslights covered entities by arguing the Bulletins restate what the rule has been all along.
Review of the Revised Bulletin confirms the Hospitals' suspicions. True, HHS seemed to acknowledge the Original Bulletin went too far, as the Revised Bulletin confirms that the Proscribed Combination, by itself, does not constitute IIHI. See AR at 4 (“The mere fact that an online tracking technology connects the IP address of a user's device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not sufficient . . . to constitute IIHI.”). And it added an additional example to illustrate as much. See id. at 6 (discussing a hypothetical student interacting with a UPW for research purposes).
All else equal, the Revised Bulletin would fix the problem. But as the Hospitals note, all else isn't equal:
The agency's retreat does not go far enough, however, to fix the rule's fatal flaws. The Revised Bulletin's modified rule for what constitutes IIHI remains essentially the same. HHS only tweaked the Proscribed Combination to require that the identifiable individual's subjective reason for visiting the health-related public page must be related to his own health. Specifically, the Revised Bulletin states (with a double negative removed) that the Proscribed Combination “is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to [the] individual's past, present, or future health, healthcare, or payment for healthcare.” . . . But this subjective-motive gloss on the Proscribed Combination is a distinction without a difference.
ECF No. 60 at 11-12; see also ECF No. 26 at 3-11. For a jargon-heavy topic like HIPAA, nomenclature matters. Taking a step back, one can see the Revised Bulletin appears to soften the Department's stance, see AR at 4-6, but effectively changes nothing regarding the operative nomenclature. The Original Bulletin said it's IIHI when an online technology connects (1) an individual's IP address with (2) a visit to a UPW addressing specific health conditions or healthcare providers. See AR at 20-22. The Revised Bulletin says it's IIHI when an online technology connects (1) an individual's IP address with (2) a visit to a UPW with the intent to address the visitor's specific health conditions or healthcare providers. See ECF No. 51 at 41.
Subjective intent aside, the Revised Bulletin only compounds the conundrum for covered entities. Indeed, covered entities must modify their behavior the same way under both Bulletins. A user's intent in visiting a UPW is unknowable. Thus, because HIPAA doesn't mandate clairvoyance, covered entities must act as if the Original Bulletin controls, i.e., as if the Proscribed Combination is per se IIHI. And the record is clear that covered entities have not been doing that. See AR at 347-49; ECF No. 26 at 26. Accordingly, the Proscribed Combination calls for a change to the status quo, a change only effectuated by new conduct from covered entities. If the Privacy Rule always applied in this context, that's news to countless covered entities in both the private sector and the federal government. See id.; see also ECF No. 60 at 20.
Recognizing the Proscribed Combination has not been followed, the Department says “it may be prudent” for covered entities to take measures that “prevent disclosures of non-IIHI.” Id. at 41. Why? Because that's the only way to stop “violation[s] of the Privacy Rule.” ECF No. 51 at 41. Break that down to see through the euphemism. The Department says certain actions “may be prudent” . . . “to ensure” . . . compliance with “the Privacy Rule.” But the Privacy Rule is a mandatory legal obligation. See 45 C.F.R. § 164.102. Thus, it's not just “prudent” to take actions to comply with it; it's legally required. While it may be prudent, it's prudent the same way it's “prudent” to drive the speed limit. No reasonable juror could read the Revised Bulletin otherwise. See Liberty Lobby, 477 U.S. at 248. That leads to the second Bennett factor.
3. The Revised Bulletin imposes legal obligations regarding the Proscribed Combination.
Having found the Proscribed Combination imposes new obligations, the Court must next ask if those obligations are legal. See Bennett, 520 U.S. at 178. HHS says they aren't, for three reasons. First, the Revised Bulletin says they aren't. See ECF No. 51 at 28; see also AR at 11 (stating the document “do[es] not have the force and effect of law”). Second, the Revised Bulletin “merely expresses its view of what the law requires,” rather than articulating legal obligations per se. Id. Third, to the extent the Revised Bulletin creates legal consequences, they only come “after an investigation by OCR and a separate administrative enforcement proceeding.” See ECF No. 51 at 26. These arguments don't persuade.
The first argument fails because substance trumps titles. True, the Revised Bulletin ostensibly waives any “force and effect of law.” See AR at 11. But courts have long rejected a “magic words” approach that ignores the content of a law because it contains such a caveat. See, e.g., Azar v. Allina Health Servs., 587 U.S. 566, 575 (2019) (collecting cases) (“[C]ourts have long looked to the contents of the agency's action, not the agency's self-serving label.”). Indeed, this is the Department's argument against the Hospitals' non-APA claims. See ECF No. 51 at 33. The Department says the Hospitals “recast[] a garden-variety APA claim as a non-statutory equitable claim.” Id. at 31 (cleaned up). HHS thus asks the Court to look beyond titles to substance there while endorsing the opposite approach here. The Court is disinclined to do so.
The Department's first argument also renders the Revised Bulletin internally conflicted. On one hand, the document tells covered entities how to act vis-a-vis PHI in a new online context. See AR at 4. On the other, HHS bookends this guidance with the caveat that the Revised Bulletin should not “bind the public in any way.” AR at 11. So the Revised Bulletin tells covered entities how to act and then tells them not to base how they act on what it says. This tension is the natural byproduct of such “force-of-law waivers” on documents which, by their very nature, are designed to inform conduct. Substance trumps titles. See Texas v. Becerra, 89 F.4th 529, 535, 541 (5th Cir. 2024) (rejecting the title “reminder” when an HHS document “set out HHS's legal position-for the first time-regarding how [the law] operates”). And the substance of the Revised Bulletin dictates how covered entities must conduct their affairs regarding the Proscribed Combination.
The Department's second argument fails because HHS (through OCR) enforces HIPAA. See 42 U.S.C. § 1320d-5; 45 C.F.R. §§ 160.306, 160.308, 160.312, 160.314, 160.402. When an authority “expresses its view of what the law requires,” see ECF No. 51 at 28, the governed must behave accordingly. That's why the Department's reliance on Luminant Generation Co. v. EPA, 757 F.3d 439 (5th Cir. 2014) is misguided. The Fifth Circuit has stressed Luminant's applicability to non-compliance notices issued to a single company. See Becerra, 89 F.4th at 539. If an enforcement body “expresses its view” to Company A, Company B should probably pay attention. But the notice to Company A isn't legally operative as to Company B. See id.
Here, unlike Luminant, HHS has informed “[its] staff and all [covered entities] what sort of policy is unlawful.” Id. at 539 (citation omitted). The Revised Bulletin says UPW visits “do not result in a disclosure of PHI to tracking technology vendor[s] if the visit is not related to an individual's past, present, or future health, health care, or payment for healthcare.” AR at 6. Put differently, such visits do “result in a disclosure of PHI” if the visit is “related to an individual's past, present, or future health, health care, or payment for healthcare.” See id. This categorical applicability undermines the Department's argument. Indeed, in the very act of “expressing its view,” HHS articulated its stance on this new category of IIHI to all covered entities. And nothing in the Revised Bulletin could be read to suggest otherwise.
The Department's third argument fails because it's wrong. Even if an OCR investigation and enforcement action would be required for legal consequences, that fact does not rob the Revised Bulletin of legal effect. Rather, the Department's position reeks of Benthamite legal positivism, essentially equating the substance of a “legal obligation” with the State coercion needed to enforce it. An ordinance banning skateboards in the park doesn't become law only when a joyriding perp is apprehended. Much to Texans' chagrin, speed limits are still speed limits long before blue lights flash. And the Proscribed Combination is still a legal obligation even if “any legal consequences require an administrative enforcement proceeding . . . subject to judicial review.” ECF No. 51 at 28.
See generally David B. Lyons, Logic & Coercion in Bentham's Theory of Law, 57 CORNELL L. REV. 335, 338 (1971) (describing the logical predicate to Bentham's juridical theory: that “a legal system is equivalent to a set of commands which are essentially coercive”).
The Fifth Circuit's analysis in EEOC makes this clear. Here, HHS issued a guidance document stating the Proscribed Combination violates the Privacy Rule. See ECF No. 60 at 37. There, the EEOC issued a guidance document stating blanket bans on hiring individuals with criminal records violate Title VII. See EEOC, 933 F.3d at 437-38. The Privacy Rule doesn't change here; Title VII didn't change there. See id. The change in both is what constitutes a violation. EEOC pointed to three considerations to determine if a “guidance document” constitutes legal action: (1) mandatory language, (2) restrictions on the agency's discretion to adopt a different view, and (3) the creation of safe harbors from legal consequences. See 933 F.3d at 441-43. Applied here, each indicates the Revised Bulletin creates legal obligations.
To start, the Proscribed Combination is worded in mandatory language. A document can be “mandatory” if “it either appears on its face to be binding[] or is applied by the agency in a way that indicates it is binding.” Texas v. United States, 809 F.3d 134, 171 (5th Cir. 2015). Before discussing PHI in the UPW context, the Bulletins remind covered entities they must “comply with the HIPAA Rules.” AR at 8. Fair enough. But HHS then tells covered entities they “must meet” certain conditions to comply with HIPAA in the previously unaddressed context of the Proscribed Combination. See id. The problem isn't the mandatory language itself, but its use in a new context.
The Revised Bulletin also limits HHS to a particular position regarding the Proscribed Combination, thus restricting its discretion to adopt a different view. See EEOC, 933 F.3d at 441-43. Sure, the Revised Bulletin says it isn't “meant to bind the public in any way.” See AR at 11; ECF No. 51 at 28. But “whether the agency action binds the agency indicates whether legal consequences flow from the action.” EEOC, 933 F.3d at 445. And the Revised Bulletin clearly binds HHS. See AR at 5. There is no “may” or “might” to it; the Revised Bulletin expressly states that the Privacy Rule applies to the Proscribed Combination. See id.
Given the Revised Bulletin's clarity, HHS can say the document isn't “meant to bind the public” all it wants. See ECF No. 51 at 13, 24, 28; AR at 11. By prescribing certain conduct to ensure covered entities are not violating the Privacy Rule, see ECF No. 51 at 41, the Revised Bulletin shows its cards. HHS will consider the Proscribed Combination (with the subjective-intent caveat) a violation. See id. And the second Bennett factor is met where, as here, the agency action “alter[s] the legal regime to which the action agency is subject.” Bennett, 520 U.S. at 178; see also Hawkes Co., 578 U.S. at 598 (quoting Bennett, 520 U.S. at 178) (finding finality where “[t]he definitive nature of [the agency action] gives rise to ‘direct and appreciable legal consequences'”).
The Court in Bennett addressed cases which reached the opposite conclusion. See id. (discussing Franklin v. Massachusetts, 505 U.S. 788 (1992) and Dalton v. Specter, 511 U.S. 462 (1994)). The Court's nonfinality finding in Franklin “was premised on the observation that the [action] carried ‘no direct consequences' and served ‘more like a tentative recommendation.'” Id. (quoting Franklin, 505 U.S. at 798). Here, the Revised Bulletin applies the Privacy Rule to the Proscribed Combination, a change with “direct consequences.” And applying the Privacy Rule to the Proscribed Combination isn't “a tentative recommendation” because the Privacy Rule isn't optional. See 45 C.F.R. § 164.102.
Similarly, the Court found the actions in Dalton were not final because they were “in no way binding” and the president “had absolute discretion to accept or reject them.” Bennett, 520 U.S. at 178 (quoting Dalton, 511 U.S. at 469-71). Here, notwithstanding the Revised Bulletin's “force-of-law” waiver, the document applies the Privacy Rule (which is binding) to the Proscribed Combination. AR at 11. And because the Privacy Rule is mandatory, any “discretion” afforded to covered entities amounts to a Hobson's choice. Thus, “affected private parties are reasonably led to believe that failure to conform will bring adverse consequences.” EEOC, 933 F.3d at 442. And the Revised Bulletin gives HHS no discretion to adopt a different view.
Finally, the Revised Bulletin enumerates legal safe harbors for covered entities. “Another indication that an agency's action binds it and thus has legal consequences or determines rights and obligations is whether the document creates safe harbors protecting private parties from adverse action.” Id. at 442. The Revised Bulletin explains precisely how covered entities must treat the Proscribed Combination-namely, as if it's IIHI-to ensure they aren't violating HIPAA. See AR at 1-17; see also ECF No. 51 at 13 (noting the Revised Bulletin “provide[s] additional clarity to regulated entities . . . about what types of disclosures to tracking technologies might reveal IIHI, [and] offer[s] advice about ways regulated entities can use tracking technologies and also comply with the Privacy Rule”). If covered entities fail to comply, HHS is bound by its position. Because the Department's hands are tied, the Revised Bulletin is as discretionary as compliance with the Privacy Rule itself. In other words, it's mandatory. Cf. Franklin, 505 U.S. at 798; Dalton, 511 U.S. at 469-71.
It's also worth noting that the moniker “guidance document” changes nothing. See EEOC, 933 F.3d at 446 (finding a guidance document created legal obligations where it “commit[ed] the agency itself to a view of the law that, in turn, force[d] the plaintiff either to alter its consequences, or expose itself to potential liability”); Becerra, 89 F.4th at 535 (same, for a rule mischaracterized as a “reminder”). One could query why executive rules and regulations are so abstruse they require numerous “guidance documents” to ensure compliance. Nevertheless, guidance documents play an important role for entities subject to a regulatory regime. See EEOC, 933 F.3d at 446. But they can also serve as a Trojan horse for bureaucrats changing the rules of the game. Here, to the extent the Revised Bulletin provides “guidance” on the Proscribed Combination, it provides guidance regarding mandatory legal obligations. See id. To hold otherwise, as the Hospitals note, would allow HHS to brandish a “sword of Damocles” above their heads. See ECF No. 60 at 21-22; see also Sackett v. EPA, 566 U.S. 120, 127 (2012) (noting such situations force regulated parties to alter their conduct or “wait for the Agency to drop the hammer”). A rose by any other name is still a rose, and a law by any other title is still a law.
HHS pushes back on the Hospitals' appeals to Becerra, a case which found a different HHS guidance document was a reviewable final action. See ECF No. 51 at 29-30 (discussing Becerra, 89 F.4th at 541). As HHS notes, “central to the court's analysis” was a “sea-change” in the law brought about by the Supreme Court's ruling in Dobbs v. Jackson Women's Health Org., 597 U.S. 215 (2022). See id. Given that change to the legal landscape, the document did more than restate the Department's position, it articulated a stance “regarding how EMTALA operates post-Dobbs.” Becerra, 89 F.4th at 541. While this case is different, the Hospitals' appeals to Becerra are still well received because what catalyzed the new position is irrelevant. What matters in each case is whether the challenged document “sets out HHS's legal position-for the first time-regarding how [the relevant statute] operates.” Id.
Try as it might, HHS cannot plausibly argue the Revised Bulletin “expresses a reasonable-and, indeed, correct-explanation” of conduct “HIPAA Rules have long required.” ECF No. 51 at 48. While it does “reiterate[] the Privacy Rule's longstanding restriction on the use and disclosure of PHI,” see id. at 27, it does more than that, too. In particular, it shoehorns a novel category of information into the inelastic definitional contours of “IIHI.” And because “[l]egal consequences [] flow from the Guidance, [] it determines rights and obligations.” EEOC, 933 F.3d at 446. In doing so, the Revised Bulletin is redolent of other “guidance documents” that imposed substantive legal obligations. Becerra, 89 F.4th at 541. This Court knows a law when it sees one, and the Proscribed Combination is a law. Thus, the Revised Bulletin is a “final agency action” subject to judicial review. See 5 U.S.C. § 704; Bennett, 520 U.S. at 178. The Court now turns to the merits of the Hospitals' challenge.
B. The HHS lacked authority to promulgate the Proscribed Combination.
The Court's finding that the Revised Bulletin imposes new legal obligations establishes jurisdiction under the APA but changes nothing. There's nothing wrong with imposing new legal obligations-executive agencies do that all the time. And the Court is not a tribunal to discuss the soundness of a given policy. See Nuziard v. Minority Bus. Dev. Agency, F.Supp.3d, 2024 WL 965299, at *5-6 (N.D. Tex. Mar. 5, 2024) (Pittman, J.). Rather, judicial review exists to ensure executive agencies promulgate new policies within the boundaries set by the Constitution and their enabling statute. See generally Ak. Dep't of Envt'l Conservation, 540 U.S. at 496-97. The APA provides an analytical framework to make this determination. See Chrysler Corp. v. Brown, 441 U.S. 281, 316 (1979).
The Hospitals argue the Proscribed Combination is both substantively and procedurally improper. See ECF No. 25. The briefs devolve into wide-ranging multiple-theatre combat on this point, but the Court's analysis need not. At base, the Hospitals argue the rule is improper because (1) HHS allegedly exceeded its authority in promulgating the Bulletins and (2) HHS allegedly violated the APA when doing so. See ECF No. 25 at 24-42. Their arguments under the APA are twofold, as the Hospitals contend (1) the Proscribed Combination is arbitrary and capricious and (2) the Proscribed Combination was promulgated without notice and comment. See id. at 35-42. As explained below, the Court need not address the Parties' contentions regarding HHS's “arbitrary and capricious” rationale or its failure to conduct notice and comment because the Proscribed Combination facially violates HIPAA's unambiguous definition of IIHI.
1. The Proscribed Combination falls outside the statutory definition of IIHI.
“[A]n agency literally has no power to act . . . unless and until Congress confers power upon it.” La. Pub. Serv. Comm'n v. FCC, 476 U.S. 355, 374 (1986). HIPAA is extraordinarily expansive, so Congress gave HHS broad authority to promulgate rules and regulations to effectuate its mandates. See CHRIS D. LINEBAUGH & EDWARD C. LIU, CONG. RSCH. SERV., LSB10797, PROTECTION OF HEALTH INFORMATION UNDER HIPAA AND THE FTC ACT: A COMPARISON 1-5 (2022); see generally Mourning v. Fam. Pubs. Serv., Inc., 411 U.S. 356, 376 (1973) (noting the objective in delegating such broad authority “is to relieve Congress of the impossible burden of drafting a code explicitly covering every conceivable future problem”). But the Department's authority isn't absolute, and the Proscribed Combination goes too far.
That HHS lacked authority to promulgate the Proscribed Combination is unsurprising, as our nation's bureaucratic apparatus would give Hobbes' Leviathan a run for its money. Indeed, few are the facets of modern life untouched by the federal government's administrative machinery, which is as sophisticated as it is complex. We've drifted from the founders' intent, but that's not the only problem. Another, as Hobbes and the founders foresaw, is the tendency of large bureaucracies to self-perpetuate, emboldened by each successive ultra vires action. As the old saying goes, “give an inch, they'll take a mile.” And HHS has taken a mile. See ECF No. 25 at 24 (“[T]he threshold problem with the Bulletin is also the most fundamental: The Bulletin's new rule exceeds HHS's authority under HIPAA.”).
See, e.g., THE FEDERALIST NO. 45 (James Madison) (Clinton Rossiter ed., 1961) (“The powers delegated by the Constitution to the Federal Government are few and defined [and should be] . . . exercised principally on external objects such as war, peace, negotiation, and foreign commerce.”) (emphasis added); Letter from Thomas Jefferson to Thomas Cooper (Nov. 29, 1802), available at NATIONAL ARCHIVES, https://founders.archives.gov/documents/Jefferson/01-39-02-0070 (“The path we have to pursue is so quiet that we have nothing scarcely to propose [to Congress]. A noiseless course, not meddling with the affairs of others, unattractive of notice, is a mark that society is going on in happiness.”).
HHS may enforce the Privacy Rule as it pertains to IIHI. See 45 C.F.R. § 160.103; 42 U.S.C. § 1320d(6). As noted, IIHI is unambiguously defined as PHI that (1) “relates to” an individual's “past, present, or future physical or mental health or condition,” the individual's receipt of “health care,” or the individual's “payment for” healthcare; and (2) “identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” 42 U.S.C. § 1320d(6). Put another way, PHI becomes IIHI if two conditions are met:
(1) the PHI relates to the individual's “past, present, or future physical or mental health or condition,” their receipt of healthcare, and/or their payment for healthcare; and
(2) the PHI “identifies” the individual or could reasonably “be used to identify” them.
See id. The definition is inclusive, meaning information must satisfy both the “relates to” clause and the “identifies” clause to be classified as IIHI. Id.; see also ECF No. 25 at 25 (“Accordingly, even where information relates to some individual's health, healthcare, or payment for healthcare, a covered entity may disclose the information so long as it cannot reasonably be used to identify that particular individual.”) (collecting examples). The Proscribed Combination fails both on its face.
i. The Proscribed Combination fails the “relates to” prong.
As noted, the Revised Bulletin repackages the Original with a subjective-intent gloss. See AR at 6. But HHS cannot require covered entities to perform the impossible. Thus, even if a UPW's metadata could identify a particular individual, “[t]hat information cannot become IIHI based solely on the visitors' subjective motive for visiting the page.” ECF No. 60 at 38. The Hospitals' brief discusses two hypotheticals to illustrate this point:
Even assuming (without conceding) that such information may provide a reasonable basis for identifying the persons who visited the webpage-say, that John Smith visited a page for booking dialysis appointments, or Mary Jones visited a page about the onset of Alzheimer's disease-that establishes nothing. There are many generic reasons why they may have visited such pages, entirely unrelated to the health, healthcare, or payment for healthcare of any particular individual (e.g., they could be public-health researchers or hospital employees). In addition, even if their visits were related to some individual's healthcare needs, they could have been acting for family members, friends, or countless other third parties. And their IP addresses provide no reasonable basis to determine otherwise. Without contesting any of this, HHS baldly asserted that the Proscribed Combination is “indicative” of the visitor's own health status or treatment, [] but any such inference drawn from internet metadata falls far short of what the IIHI definition requires, as courts have recognized.
ECF No. 25 at 11-12. HHS refutes this argument by noting such information could be “indicative” of Mr. Smith's and Ms. Jones's PHI. See ECF No. 51 at 41-42. But that's not enough. Indeed, as the Hospitals contend, “[t]his conclusory rationale would eviscerate the express limits on the IIHI definition.” ECF No. 25 at 26.
HHS says it's “common sense” that “some users who visits these webpages . . . are doing so to learn information about their own medical conditions, to inquire about specific medical practices or providers for the purpose of obtaining healthcare, to actually obtain an appointment with a particular provider, or for other reasons related to their own healthcare.” ECF No. 41 at 40. The Court does not disagree. Indeed, the Court wouldn't disagree if HHS argued most people visit for those reasons. But that's not what HIPAA requires. In any event, Congress only included the “reasonable basis” qualifier for the identification prong. See 45 C.F.R. § 160.103; accord 42 U.S.C. § 1320(6). The Bulletins took that qualifier and ran with it, inserting it into the first prong and adding an atextual “indicative” gloss to boot.
The “indicative” gloss aside, unambiguous legislative text must control. As it pertains to IIHI, the text says what it says and doesn't say what it doesn't say. The IIHI definition explicitly states the PHI in question must “relate[] to” a listed category of information. See 42 U.S.C. § 1320d(6). You don't have to read tea leaves to divine what that means. Congress could have said “may relate to.” It could have said “might relate to.” It could have said “relates to or is indicative of.” It didn't. Thus, without knowing a particular query relates to a category of information in Section 1320d(6), metadata from a UPW search cannot constitute IIHI. See 45 C.F.R. § 160.103; 42 U.S.C. § 1320(6). To hold otherwise would empower HHS and other executive entities to take increasingly expansive liberties with the finite authority granted to them. The Court is disinclined to set that precedent here.
ii. The Proscribed Combination fails the “identifies” prong.
The Proscribed Combination fares no better on the “identifies” clause. The Department acknowledges that “tracking technologies on [UPWs] may collect identifying information from users who are not visiting the webpage for their health care needs.” ECF No. 51 at 41. Nevertheless, it notes “identifying information about users who are visiting the webpage for their healthcare needs constitutes IIHI.” Id. The Hospitals don't disagree with the foundational premise. See ECF No. 60 at 49-50 (“Under the Revised Bulletin, the information that is actually collected and transmitted in not itself [PHI] (the metadata showing the mere fact that an identifiable individual visited a health-related page, but not the reason for the visit), and the information that might actually be [PHI] is not collected and transmitted at all (whether the individual's reason for visiting the page was related to his own health).”). The issue is that the Proscribed Combination does not and cannot identify an individual or the individual's PHI without an unknowable subjective-intent element-an element not countenanced by the controlling statutory text.
As the Hospitals rightly note, “IIHI is limited to information that is related to a specific person's health and [is] reasonably capable of being used to identify that person-such as, for example, unredacted patient records or billing statements.” ECF No. 25 at 13-14. The Department acknowledges that the Proscribed Combination does not, in itself, “identify” the individual searcher and their condition. See ECF No. 51 at 41. But the Department nevertheless insists the Proscribed Combination is proper, emphasizing the “reasonably” caveat appended to this prong. See id.; see also 42 U.S.C. § 1320d(6)(B) (noting PHI can become IIHI if it provides “a reasonable basis” to believe the information “can be used to identify the individual”).
Appeals to this “reasonable basis” language cannot save the Proscribed Combination. To be fair, reasonableness is in the eye of the beholder. It's a lax standard, and HHS should be afforded deference in determining what's “reasonable” in most circumstances. See, e.g., United States v. Mead Corp., 533 U.S. 218, 227 (2001); United States v. Morton, 467 U.S. 822, 834 (1984); Chevron, USA, Inc. v. Nat. Res. Def. Council, Inc., 467 U.S. 837, 843-44 (1984). But such deference does not give HHS interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA's text. And “reasonable basis” must mean something. And whatever it means, it assuredly does not include information that, at most, supports an “inference” of identification. The Court agrees with its numerous sister courts who have reached that conclusion.
See, e.g., Smith v. Facebook, Inc., 745 Fed.Appx. 8, 9 (9th Cir. 2018) (“Put simply, the connection between a person's browsing history and his or her own state of health is too tenuous to support Plaintiffs' contention that the disclosure requirements of HIPAA . . . apply.”); Kurowski v. Rush Sys. for Health, 683 F.Supp.3d 836, 843 (N.D. Ill. 2023) (“By contrast, [Plaintiff's] allegations are far too vague to allow an inference to be drawn that [Defendant] was actually disclosing IIHI as it is unambiguously defined by HIPAA, rather than just metadata.”); Hartley v. Univ. of Chi. Med. Ctr., No. 22-c-5891, 2023 WL 7386060, at *2 (N.D. Ill. Nov. 8, 2023) (citing Smith, 745 Fed.Appx. at 9) (rejecting argument that metadata as discussed in the Revised Bulletin could be IIHI because plaintiff couldn't show “any particular health or treatment information disclosure specific as to them that [Defendant] allegedly made to any third-party whether within the portal or not”).
The Department's problems run even deeper on this point. The IIHI definition applies to information that “is created or received by a health care provider, health plan, employer, or health care clearinghouse.” 42 U.S.C. § 1320d(6). It's uncontested that information in the Proscribed Combination is user-generated, though it is “received” by one or more of the above entities. However, upon receiving the relevant metadata, the recipient could not “reasonably use” the data to identify an individual or their health condition. That's because, as the Department concedes, there's a missing ingredient of subjective intent. See AR at 4. And that information is not received. Put simply, “[t]hat information cannot become IIHI based solely on the visitors' subjective motive for visiting the page, which is not information that the Revised Bulletin requires the healthcare provider or third-party vendor to receive at all.” ECF No. 60 at 38. Thus, even after multiple speculations, the Proscribed Combination could never fit HIPAA's definition of IIHI.
Giving HHS the benefit of the doubt, suppose a UPW visitor's query related to someone's healthcare. Suppose further that their query related to their healthcare. Without knowing information that's never received-i.e., the visitor's subjective motive-the resulting metadata could never identify that individual's PHI. Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B). If a covered entity's UPW greets visitors with a dropdown box requesting their subjective motive for visiting the page, that would be one thing. The Department can and should remind covered entities that the Privacy Rule would apply in those circumstances. But absent such an admittedly bizarre scenario, the Proscribed Combination cannot become IIHI as unambiguously defined.
The above conclusion is far from novel. Indeed, covered entities have long been allowed to disclose PHI that does not identify the particular individual. See 45 C.F.R. § 164.514(a) (noting that, after “deidentification,” PHI “is not [IIHI]”). The Department now seeks to reverse that, ignoring the inherently de-identified nature of relevant metadata and insisting such information should be treated as IIHI. See ECF No. 51 at 41. Thus, if enforced, the Proscribed Combination would turn provisions like 45 C.F.R. § 164.514(a) on their head. Federal courts have already recognized as much. See supra n.7.
To conclude, the law is clear that “[h]ealth information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify the individual is not [IIHI].” See 45 C.F.R. § 164.514(a). At summary judgment, the Court must give HHS every reasonable benefit of the doubt. Cunningham, 64 F.4th at 600. Having done so, the closest the Proscribed Combination gets to IIHI is a speculative inference extrapolated from (but unsubstantiated by) collected metadata. Because the Proscribed Combination facially exceeds HIPAA's unambiguous text, the Court need not consider the Parties' other APA arguments.
No matter how sound the Proscribed Combination may be as a matter of policy, it is improper as a matter of law. Thus, for the above reasons, the Court must GRANT the Hospitals' request for declaratory relief. ECF No. 1 at 22. The Court now turns to their additional requests for vacatur and a permanent injunction.
C. Vacatur is the more appropriate equitable remedy under the circumstances of this case.
The Hospitals ask the Court to declare the Proscribed Combination unlawful, vacate it, and permanently enjoin its enforcement. See id. Having granted declaratory judgment, the Court now takes up their requests for equitable relief. In doing so, “[t]he Court notes that Plaintiffs don't get [injunctive relief] just because they got a declaratory judgment.” Nuziard, 2024 WL 965299, at *44 (collecting cases). As explained below, vacatur is the more appropriate remedy here.
1. The Department should not be enjoined from enforcing the Proscribed Combination.
The Hospitals seek an injunction to mitigate the risk that they are penalized for noncompliance with an unlawful law. See ECF No. 1 at 22. But an injunction “is not a remedy which issues as of course.” Harrisonville v. W.S. Dickey Clay Mfg. Co., 289 U.S. 334, 337-38 (1933). Indeed, injunctions have long been considered a “drastic and extraordinary remedy.” Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 165 (2010). To warrant injunctive relief, the Hospitals must show:
(1) that [they have] suffered an irreparable injury; (2) that remedies available at law, such as monetary damages, are inadequate to compensate for that injury; (3) that, considering the balance of hardships between the plaintiff and defendant, a remedy in equity is warranted; and (4) that the public interest would not be disserved by a permanent injunction.
eBay, Inc. v. MercExchange, LLC, 547 U.S. 388, 391 (2006). And they must “clearly carry[] the burden of persuasion on all [four] elements.” Bluefield Water Ass'n, Inc. v. City of Starkville, Miss., 577 F.3d 250, 253 (5th Cir. 2009). They fail to do so. Specifically, they win on factors two through four, but lose on factor one.
To start with the wins, the Hospitals show inadequacy of legal remedies. See eBay, 547 U.S. at 391. Because they sue the government, money damages are off the table. See Wages & White Lion Invs., LLC v. FDA, 16 F.4th 1130, 1142 (5th Cir. 2021). That's a win for factor two. eBay, 547 U.S. at 391. And factors three and four “merge when the Government is the opposing party.” Nken v. Holder, 556 U.S. 418, 435 (2009). As applied to the Parties themselves, the Court “looks to the relative harm to both parties if the injunction is granted or denied.” Def. Distrib. v. U.S. Dep't of State, 838 F.3d 451, 460 (5th Cir. 2016). A denied injunction leaves the Hospitals in limbo to face potential enforcement of an invalid law. A granted injunction merely stops HHS from enforcing one improper subset of a guidance document issued three months ago.
On balance, private hardships favor the Hospitals-public interests even more so. The importance of digital healthcare information has grown by orders of magnitude since the COVID-19 pandemic. See ECF No. 35 at 31-32. As thoroughly detailed in amicus briefs, the Proscribed Combination would “undermine[] the joint efforts of Hospitals and the Government to modernize healthcare.” Id. at 31 (cleaned up). If enforced, the Proscribed Combination would have a profound chilling effect on providers' use of technology vendors to facilitate critical UPWs. See id. While healthcare providers can “host websites and patient portals without using any third-party analytics . . . it serves nobody to have websites that patients do not know and cannot navigate effectively.” Id. at 33.
To be fair, the OCR has seen a surge of complaints from citizens concerned about IIHI in this context. See AR at 1-17. But as noted above, metadata shared with third-party vendors can only reveal sensitive PHI if an unknown subjective intent is communicated. In the pre-Revised Bulletin status quo, healthcare providers have been “constantly vigilant to protect the confidentiality of their patients' [IIHI].” ECF No. 37 at 10. Indeed, “HIPAA compliance is woven deep into hospital operations, with implications for every way in which hospitals interact with patients or patients' medical information.” Id. at 10-11. The Proscribed Combination fails to improve upon these current privacy protections while jeopardizing the dissemination of important healthcare information to the masses. See id. at 14-20.
In most cases, the avoidance of improper laws is “the highest public interest at issue.” Def. Distrib., 838 F.3d at 460. That interest is implicated here. See supra pp. 25-26. But it's the penultimate interest for this case given the significant public-health considerations discussed above. See Roman Catholic Diocese of Brooklyn v. Cuomo, 492 U.S. 14, 19-20 (2020) (noting public health is paramount in injunctive-relief analyses). Yet despite these decisive victories, the Hospitals must “clearly carry[] the burden of persuasion on all elements” to obtain a permanent injunction. Bluefield Water Ass'n, 577 F.3d at 253. And they fail to do so for factor one.
An irreparable injury is a sine qua non for injunctive relief. See id. As noted, the Hospitals can't get damages here. See Wages & White Lion Invs., 16 F.4th at 1142. That ordinarily indicates a harm is irreparable. See Sampson v. Murray, 415 U.S. 61, 90 (1974) (“The key word in this consideration is irreparable. Mere injuries, however substantial, . . . are not enough. The possibility that adequate compensatory or other relief will be available at a later date . . . weighs heavily against a claim of irreparable harm.”). But hiding in plain sight is the “or other relief” language in Murray. See id. As explained below, other relief can remedy the Hospitals' injury-namely, a declaratory judgment coupled with vacatur. Thus, the Hospitals do not show a permanent injunction is the only remedy that could address their injury. Because they fail to make that showing, they do not carry their burden in seeking such an “extraordinary and drastic” remedy. Monsanto, 561 U.S. at 165. The Court must DENY their request accordingly. See ECF No. 1 at 22.
2. The Proscribed Combination should be vacated.
As discussed, the Hospitals seek both a permanent injunction and vacatur. See id. While it's not impossible to get both, the Court must always consider the “least severe” equitable remedy to resolve a plaintiff's harm. See Nuziard, 2024 WL 965299, at *44-49 (collecting cases); see generally O'Donnell v. Harris Cnty., 892 F.3d 147, 155 (5th Cir. 2018) (noting an equitable remedy must be “narrowly tailored to the injury it is remedying”). And while this Court doubts the APA intended to authorize vacatur, see Nuziard, 2024 WL 965299, at *41-44, the Fifth Circuit's “ordinary practice is to vacate unlawful agency action.” Data Mktg. P'ship, LP v. U.S. Dep't of Lab., 45 F.4th 846, 859 (5th Cir. 2022).
The Proscribed Combination is unlawful. See supra pp. 25-26; see also 5 U.S.C. § 706 (empowering courts to “set aside” unlawful agency actions). Between alternatives, vacatur is less severe on HHS but still remedies the Hospitals' harm. See Texas v. United States, 40 F.4th 205, 219 (5th Cir. 2022) (citing Monsanto, 561 U.S. at 165) (“There are meaningful differences between an injunction, which is a ‘drastic and extraordinary remedy,' and vacatur, which is ‘a less drastic remedy.'”). While plaintiffs need more than a perfunctory analysis to justify vacatur, the controlling doctrinal framework is more forgiving than it is for an injunction. See id. Vacatur is also less severe as applied to the relevant agency. See id. Thus, the Court endorses the Fifth Circuit's standard practice here. See Data Mktg. P'ship, 45 F.4th at 859. The Hospitals say vacatur is warranted because the continued presence of an unlawful rule on the books will undermine any effectual relief the Court could render. See ECF No. 59 at 58. The Court agrees, especially considering “vacatur does nothing but re-establish the status quo absent unlawful agency action.” Texas, 40 F.4th at 220. As such, “[a]part from the constitutional or statutory basis on which the court invalidated an agency action, vacatur neither compels nor restrains further agency decision-making.” Id.
The Hospitals point to a recent case where this Court exercised its equitable discretion to deny vacatur in favor of an injunction. See ECF No. 59 at 57-58 (discussing Nuziard, 2024 WL 965299, at *43-44). In Nuziard, the Court denied vacatur under Section 706 “[b]ecause a declaratory judgment and injunction [were] more clearly authorized . . . and [would] remedy Plaintiff's injuries.” 2024 WL 965299, at *43. Central to that determination was a desire to issue the least restrictive equitable remedy. See id. That consideration supports the opposite conclusion here. Nuziard involved the implementing legislation of a nationwide executive agency. See id. The plaintiffs challenged a race-based benefits presumption that was baked into the very fabric of the agency. See id. Thus, vacatur doubts aside, an injunction was less severe in that case and would result in less flux for interested parties. An injunction stopped the agency from implementing the unconstitutional racial presumption. Because the presumption was built into the agency's structure, vacating every provision containing the presumption would be an administrative fiasco and would effectively implode the agency. See id.
The inverse is true here. Without minimizing the Proscribed Combination's consequences, this case involves a straightforward challenge to a single rule issued in a single guidance document. See ECF No. 1. Because the Proscribed Combination is not central to HHS and its implementing legislation, vacatur will have less drastic consequences here than it did in Nuziard. Indeed, the Court can envision numerous solutions that would reduce regulatory flux while ensuring IIHI is protected moving forward. Thus, because the Fifth Circuit prefers vacatur for unlawful agency actions, see Data Mktg. P'ship, 45 F.4th at 859, and because no case-specific considerations indicate the Court should deviate from that practice, the Court must GRANT the Hospitals' request for vacatur under 5 U.S.C. § 706. ECF No. 1 at 22.
CONCLUSION
It's easy for eyes to glaze over at a thirty-page opinion discussing the administrative esoterica accordant with HIPAA compliance. But this case isn't really about HIPAA, the Proscribed Combination, or the proper nomenclature for PHI in the Digital Age. Rather, this is a case about power. More precisely, it's a case about our nation's limits on executive power. In the grand scheme, the Revised Bulletin is one small guidance document among countless others issued by HHS and other executive entities. But a wise Man once said that “one who is faithful in a very little is also faithful in much, and one who is dishonest in a very little is also dishonest in much.” Luke 16:10 (ESV). While the Proscribed Combination may be trivial to HHS, it isn't for covered entities diligently attempting to comply with HIPAA's requirements. And even small executive oversteps can compound over time, resulting in larger transgressions down the road. Accordingly, for the reasons above, the Court GRANTS in part and DENIES in part the Hospitals' Motion for Summary Judgment. ECF No. 24.
The Court GRANTS the Hospitals' request for declaratory judgment and DECLARES that the Proscribed Combination, as set forth in the HHS Bulletin of March 18, 2024, is UNLAWFUL, as it was promulgated in clear excess of HHS's authority under HIPAA. See La. Pub. Serv. Comm'n, 476 U.S. at 374. While the Court DENIES the Hospitals' request for a permanent injunction, it GRANTS their request for vacatur and ORDERS that the Proscribed Combination be VACATED.
Such vacatur is not intended to, and should not be construed as, limiting the legal operability of other guidance in the germane HHS document.
SO ORDERED