Court Ruling on HHS Data Sharing: Key Implications for Behavioral Health Providers

A federal judge reeled back regulations prohibiting health care providers’ use of third-party tracking technologies, a move that has previously embroiled behavioral health providers.

The ruling concluded that the U.S. Department of Health and Human Services (HHS) bulletin establishing guidance on potential privacy concerns “went too far.”

The American Hospital Association (AHA) and three other provider groups jointly filed the lawsuit against HHS’ Office for Civil Rights (OCR) in November.


“For more than a year, the AHA has been telling the Office for Civil Rights that its “Online Tracking Bulletin” was both unlawful and harmful to patients and communities,” Chad Golder, AHA’s general counsel and secretary, told Behavioral Health Business in a statement. “We regret that we were forced to sue OCR, but we are pleased that the Court agreed with the AHA and held that OCR does not have “interpretive carte blanche to justify whatever it wants irrespective of violence to HIPAA’s text.”’

The HHS OCR declined to comment on this matter.

The HHS bulletin was originally instituted in December 2022 and later revised with softened language. Prior to being struck down, it did not allow providers to use tracking technology to disclose protected health information (PHI) to third parties.


The AHA and other plaintiffs asked the judge to declare the bulletin unlawful, vacate it and permanently enjoin its enforcement. The judge broadly agreed with the plaintiffs but did not permanently enjoin the bulletin because the plaintiffs did not demonstrate that the injunction was the “only remedy that could address their injury.”

A study published in Health Affairs found that 98.6% percent of hospital websites use third-party tracking. The study’s authors noted this practice can lead to “dignitary harms” when third parties, like social media companies, have access to sensitive health information a person would otherwise not share.

Behavioral health providers have also implemented third-party tracking, and data-sharing regulations have previously scalded multiple of these providers.

Teladoc Health (NYSE: TDOC) subsidiary BetterHelp was ordered to pay $7.8 million in a settlement related to allegations the company shared sensitive health information with third parties.

The Federal Trade Commission (FTC) also announced that it would ban BetterHelp from data sharing for advertising purposes.

Virtual alcohol use disorder treatment provider Monument was caught in a similar net in April. The FTC ordered Monument to pay $2.5 million over allegations that the company sent data to tech companies including Amazon, Google and Reddit. The fine was reversible if Monument provided the FTC with correct financial information.

Mental health startup Cerebral admitted to using tracking technologies since the company’s inception in March 2023. The company disclosed patient information that could include contact and demographic data, answers to a mental health quiz, course of treatment, health insurance member number and other health information.

Cerebral was fined $15 million in a settlement with the FTC in April.

Health care providers will have more data tracking flexibility in the wake of the judge’s decision, according to the AHA.

“As a result of this decision, hospitals and health systems will again be able to rely on these important technologies to provide their communities with reliable, accurate health care information,” Golder said.

Companies featured in this article: