What the AHA challenged
The American Hospital Association filed suit in November 2023, joined by the Texas Hospital Association and several individual hospital systems. They argued that the OCR bulletin had three problems:
First, that OCR had improperly issued substantive law through a guidance document instead of going through formal rulemaking under the Administrative Procedure Act.
Second, that OCR's expansive definition of PHI — including IP addresses on unauthenticated webpages — went beyond the statutory definition in HIPAA.
Third, that compliance was practically impossible because the same conduct was both required (for marketing transparency) and prohibited (under OCR's reading).
What the court decided
The judge agreed with the AHA on one specific point and rejected the rest.
The point the court agreed on: OCR's position that an IP address combined with a generic healthcare URL — on an unauthenticated page where the visitor's intent was unclear — could count as PHI exceeded the agency's authority. The judge held that the statutory definition of PHI requires the information to relate to a specific individual's healthcare, and you can't presume that from a stranger visiting a public webpage about a general health topic.
The court vacated that portion of the bulletin specifically.
The points the court rejected: OCR was within its authority to issue interpretive guidance through bulletins; the bulletin's overall framework wasn't unconstitutional; OCR's positions on authenticated pages and on clearly clinical-context pages were not vacated.
What's still in effect after the ruling
Most of the bulletin. Specifically:
- The OCR position that PHI on authenticated pages (patient portals, logged-in MyChart, mobile apps with logged-in users) is fully covered by HIPAA. This was never challenged successfully.
- The OCR position that pages with explicit clinical context (specific condition pages, find-a-doctor with criteria, scheduling flows) can produce PHI disclosures even on the public web. The court's ruling specifically addressed only "unauthenticated public webpages with no clear clinical-context indication."
- The general framework that disclosing PHI to third-party trackers without a BAA and without authorization violates HIPAA.
- The OCR position that hashed identifiers and aggregated data don't escape PHI status.
What's vacated
A narrower slice than most marketing teams assume.
- OCR can no longer treat IP addresses on truly generic, unauthenticated pages as PHI when the visitor's intent is ambiguous.
- The example the court used was a generic webpage about diabetes that anyone might visit — patient, family member, researcher, journalist, curious teenager. OCR can't presume the visit was about that visitor's own healthcare.
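The two lists above (what survives and what was vacated) amount to a page-classification rule: authenticated pages and clinical-context pages stay in scope, and only truly generic unauthenticated pages fall outside the vacated reading. The following is an added example, not code from the original article or from OCR, AHA or any hospital, showing how a tag-manager loading gate could enforce that rule deny-by-default. The URL patterns, page objects and vendor records are constructed assumptions for illustration, not any real site's routes or contracts.

```javascript
// Added example (not from the original article). Deny-by-default gate that decides
// whether a third-party tracking tag may load on a hospital web page, using the
// page categories the ruling left in scope. All patterns and sample data below are
// constructed assumptions for illustration.

// Patterns that mark clinical context on the public web (assumed routes).
const CLINICAL_PATTERNS = [
  /\/conditions\//i,      // specific condition pages
  /\/find-a-doctor/i,     // find-a-doctor with search criteria
  /\/schedul(e|ing)/i,    // scheduling flows
  /\/appointments?/i,     // appointment request flows
  /\/contact-us/i,        // contact flows that lead toward care
];

// Patterns for truly generic informational pages (assumed routes).
const GENERIC_PATTERNS = [
  /^\/?$/,                // home page
  /^\/about(-us)?\/?$/i,  // "About Us"
  /^\/our-mission\/?$/i,  // "Our Mission"
  /^\/careers(\/|$)/i,    // job listings
];

// Classify a page as "authenticated", "clinical", "generic" or "unknown".
// Anything unclassified is treated as in scope, so a new route never
// silently becomes a tracker-permitted page.
function classifyPage(page) {
  if (page.authenticated) return "authenticated"; // portal, MyChart, logged-in app
  if (CLINICAL_PATTERNS.some((re) => re.test(page.path))) return "clinical";
  if (GENERIC_PATTERNS.some((re) => re.test(page.path))) return "generic";
  return "unknown";
}

// Decide whether a given vendor's tag may load on a page.
// Returns { load, category, reason } so the decision can be logged for audit.
// Only "generic" pages may load a tracker without a BAA; every other category
// requires a BAA with the vendor (authorization is a separate, out-of-band step).
function trackerDecision(page, vendor) {
  const category = classifyPage(page);
  if (category === "generic") {
    return { load: true, category, reason: "generic unauthenticated page" };
  }
  if (vendor.hasBaa) {
    return { load: true, category, reason: `in-scope page; ${vendor.name} under BAA` };
  }
  return { load: false, category, reason: `in-scope (${category}) page; no BAA with ${vendor.name}` };
}

// Audit a site inventory: return every page where a tracker is currently
// deployed but the gate would refuse it. Inventory entries are constructed.
function auditInventory(pages, vendors) {
  const findings = [];
  for (const page of pages) {
    for (const vendorName of page.trackers) {
      const vendor = vendors.find((v) => v.name === vendorName) || { name: vendorName, hasBaa: false };
      const decision = trackerDecision(page, vendor);
      if (!decision.load) findings.push({ path: page.path, vendor: vendor.name, ...decision });
    }
  }
  return findings;
}

// Constructed sample data (not a real hospital's site).
const SAMPLE_VENDORS = [
  { name: "AdPixel", hasBaa: false },      // assumed ad-tech vendor, no BAA
  { name: "AnalyticsCo", hasBaa: true },   // assumed analytics vendor under BAA
];

const SAMPLE_PAGES = [
  { path: "/about-us", authenticated: false, trackers: ["AdPixel"] },
  { path: "/conditions/heart-failure", authenticated: false, trackers: ["AdPixel", "AnalyticsCo"] },
  { path: "/find-a-doctor?specialty=cardiology", authenticated: false, trackers: ["AdPixel"] },
  { path: "/mychart/test-results", authenticated: true, trackers: ["AnalyticsCo"] },
  { path: "/news/2024-gala", authenticated: false, trackers: ["AdPixel"] },
];

function sampleFindings() {
  return auditInventory(SAMPLE_PAGES, SAMPLE_VENDORS);
}

// Running stand-alone prints the findings: AdPixel on the condition page, the
// find-a-doctor page and the unclassified news page are refused; the generic
// "About Us" page and the BAA-covered AnalyticsCo deployments pass.
console.log(JSON.stringify(sampleFindings(), null, 2));
```

The "unknown" category is the design choice worth noting: the ruling only helps on pages that are clearly generic, so a gate should require a page to be positively classified as generic before a non-BAA tracker loads, rather than assuming anything not obviously clinical is safe.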
Why hospitals often misread the ruling
We see three common misreadings.
First, that "the OCR bulletin is dead." It isn't. It was narrowed in a specific way and survives in nearly all of its applications.
Second, that "we can put pixels back." Only on truly generic marketing pages with no clinical context. Anything with specific medical content, anything in a flow that leads to scheduling or contact, anything inside a portal — still in scope.
Third, that "the class actions are over." They aren't. Class actions don't depend on OCR's bulletin. They use HIPAA as a standard of care for state-law wiretap, privacy, and contract claims. Those claims are unaffected by the ruling. The MDL against Meta with 664+ hospitals continues; settlements continue; new filings continue.
What changed in practice
For hospital websites, very little. The pages where pixels actually pose risk — clinical content, scheduling, find-a-doctor, patient portals — are all still covered. The pages where the AHA ruling helps — generic informational pages, "About Us," "Our Mission" — were lower-risk to begin with.
For OCR's enforcement priorities, somewhat more. OCR has continued to investigate and settle tracking-related cases since the ruling, but the agency has been careful to focus on authenticated pages and clearly clinical contexts.
For class action plaintiffs, almost nothing. The state-law theories don't depend on OCR's authority and the case pipeline has continued to grow.