A recent report from law firm BakerHostetler shows the legal risk healthcare faces from using third-party tracking pixels and web analytics tools.
What happened
Using third-party web technologies in healthcare has resulted in a surge of lawsuits. Over 200 lawsuits have been filed against healthcare organizations, with 75 percent filed in 2023 alone. This legal action is primarily centered around concerns regarding patient privacy and the transmission of sensitive data to third parties. The issue came to light in June 2022 when it was discovered that many top hospitals in America had the Meta Pixel embedded on their websites, raising alarm bells regarding patient privacy.
Most of the lawsuits are still at the initial pleadings stage, although some have reached settlements. One case has been granted class certification, and another has been denied. The trial for the action with class certification is scheduled for this summer, and its outcome will likely set a precedent for defense strategies in other class actions against healthcare entities.
Going deeper
Simultaneously, the American Hospital Association (AHA) has taken legal action against the HHS Office for Civil Rights (OCR) over its bulletin on tracking technology. The AHA argues that the bulletin exceeds the government's authority, fails to satisfy the requirements for agency rulemaking, and harms the people it claims to protect. A major point of contention is OCR's stance that an IP address accessing a HIPAA-covered entity's website constitutes protected health information.
Despite pushback, OCR released an updated bulletin in March 2024 reaffirming its position on IP addresses as PHI. This development has forced many healthcare organizations to remove all third-party technologies from their websites while they search for alternatives to maintain website functionality without compromising patient privacy. However, this task is not without its challenges, as IP addresses are a major component for the internet to function.
What was said
BakerHostetler’s report says, “The OCR is asking covered entities to read the minds of visitors to their public websites to ascertain why they’re there, and then decide whether they can use tracking technologies on the page for that particular visitor, further demonstrating the OCR’s unfamiliarity with how these technologies work.”
In the know
Besides the ongoing lawsuits, BakerHostetler's report also shows OCR's enforcement actions and focus areas. In 2023, OCR settled four right-of-access cases, a big decline from the 16 cases resolved in 2022. The office also issued four enforcement actions related to hacks, compared to two in the previous year. Furthermore, OCR issued 14 resolution agreements in 2023, down from 21 in 2022. This shift in enforcement priorities suggests a potential change in resource allocation or a shift in focus to other enforcement issues.
Farah Amod
