Avoiding Enforcement Actions and Lawsuits From the Use of Tracking Technology on Health Care Provider Websites, Applications
This article was written and published for Law.com.
Meta’s Pixel is an amazing marketing tool. It is an analytical tool that allows businesses to track their website visitors’ activities. Ultimately, it helps identify Facebook and Instagram users and see how they interacted with the content on websites. This information can be used to target people with ads based on interests, preferences and their online behavior. It also allows businesses to track ad performance. Each time a person visits a website, Pixel sends Facebook and Instagram the information about who is visiting the website and the actions they are taking on the website. Every health care provider should be considering the benefits and risks of using Pixel and how to mitigate that risk.
Pixel is also responsible for tens of millions of dollars of settlements in the health care industry. A 2022 study by The Markup found that 33 of the top 100 hospitals in America were using Pixel and sending Facebook information whenever a person clicked a button to schedule a doctor’s appointment. The study also determined that seven of the health systems surveyed also had Pixel installed inside password-protected patient portals. Those statistics make clear that lawsuits over the use of Pixel to capture Protected Health Information (PHI) will be expanding.
Currently, Meta is facing more than 50 class action lawsuits. Moreover, Congress has begun an inquiry into telehealth companies sharing patients’ answers to medical intake questions with social media providers, including Meta. Pixel is not the only player in this field. There are also ongoing lawsuits alleging that the use of tracking technologies from Meta, Google, TikTok and others violates the federal Video Privacy Protection Act (VPPA) and may constitute wiretapping under both federal and state wiretapping laws.
The Regulatory and Litigation Landscape
The Department of Health and Human Services’ Office for Civil Rights (OCR), which is responsible for enforcing HIPAA, issued a December 2022 bulletin stating that “regulated entities are not permitted to use tracking technologies that would result in impermissible disclosures of [PHI] to tracking technology vendors.” The bulletin asserted that individual IP addresses are considered unique identifiers, in the same way that patient account numbers are considered PHI. OCR’s bulletins are not binding law and should instead be seen as regulatory guidance on the current state of the law. However, these bulletins are responsible for setting best practices for health care providers.
In July 2023, the Federal Trade Commission (FTC) and OCR sent a joint letter to nearly 130 hospital systems and telehealth providers, warning them about privacy risks from online tracking technology. The letter reiterated risks posed by unauthorized disclosure of PHI to third parties and the responsibility entities covered by HIPAA have to protect this information under the law. These letters are often admissible in litigation to prove that providers were on notice that their conduct violated HIPAA.
The FTC then moved from sending notice letters to bringing enforcement actions. GoodRx paid a $1.5 million civil penalty to resolve the enforcement action against it. BetterHelp paid $7.8 million and PreMom paid $100,000. In addition, these companies had to agree to various requirements for their businesses moving forward including being:
- Permanently prohibited from sharing user personal health data with third parties for advertising;
- Required to obtain user consent before sharing personal health data with third parties for other purposes;
- Required to seek deletion of data they shared with third parties;
- Required to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
- Required to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.
State attorneys general have also entered the fray. In December 2023, New York-Presbyterian Hospital settled tracking claims brought by the New York Attorney General’s office for $300,000. Class action lawsuits have also led to significant settlements. In August 2023, Wisconsin-based Froedtert Health settled a class action for $2 million. That same month, Advocate Aurora Health settled lawsuits brought by patients for $12.25 million.
These actions show that health care providers need to be conscious of how their tracking decisions will be interpreted by federal regulators, state law enforcement agencies, and plaintiff class action lawyers.
2024 Updated OCR Guidance
On March 18, 2024, OCR updated its guidance related to the use of tracking technologies. In bold type, that guidance makes clear that: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA rules.” However, this clarification makes an important point that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute individually identifying health information if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”
This is an important clarification, made in response to input from the American Health Law Association that tracking technology can help health care providers identify the appropriate services to offer in a geographic area and ensure that appropriate health related information is being shared with underserved communities.
Authenticated webpages are those that require a log-in before a user can access them. OCR’s position is that these authenticated webpages generally contain PHI such as an individual’s IP address, medical record number, home or e-mail address, or dates of appointments. That means that covered entities must configure these webpages so that any tracking technology only shares PHI in accordance with the privacy rule.
Unauthenticated webpages are those that do not require a log-in to access. OCR acknowledges that many of these webpages do not contain PHI, to the extent they contain general information about the provider, visiting hours, employment opportunities or generally applicable policies and procedures. For those types of webpages, the use of tracking technology likely does not violate HIPAA. However, in some cases, unauthenticated webpages may have access to PHI. For instance, webpages that give direction to patients with specific diseases, injuries, or illnesses may contain PHI when they show a link between a person’s identifiable information and a specific disease, injury, or illness. Under those circumstances, HIPAA would apply. It can be difficult to make this distinction in real time. A student visiting a page on oncology in order to write a paper on the available services in the geographic region could be lawfully tracked without needing to comply with HIPAA. A patient seeking a second opinion regarding a cancer diagnosis is entitled to the protections of HIPAA when visiting that same webpage.
Finally, OCR addressed mobile apps. OCR’s position is that mobile apps offered by covered entities generally collect PHI, such as fingerprints, network location, geolocation, device ID, or advertising ID. Thus, OCR asserts that the HIPAA rules are generally applicable to mobile apps. Any use or disclosure of PHI by the mobile app, including any subsequent disclosure to the mobile app vendor, tracking technology vendor, or any other third party that receives such information, must therefore comply with HIPAA.
However, the HIPAA rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of covered entities. Like with all PHI, HIPAA only applies to covered entities. That means that HIPAA does not apply to companies that are not health plans, health care clearinghouses, or health care providers who electronically transmit health information. But, for these noncovered entities, there are other privacy regulations which may apply. For instance, the FTC Act and the FTC’s Health Breach Notification Rule may allow for enforcement where a noncovered entity discloses a user’s health information.
What Compliance Requires
Regulated entities are required to comply with the HIPAA Rules when using tracking technologies with access to PHI. Some examples of the HIPAA privacy, security, and breach notification requirements that regulated entities must meet when using tracking technologies with access to PHI include:
- Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
- Identifying the use of tracking technologies in their website or mobile app’s privacy policy, notice, or terms and conditions of use. Be aware—the privacy rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures.
- Ensuring all tracking technology vendors have signed a Business Associate Agreement (BAA) and that there is an applicable permission prior to a disclosure of PHI. A tracking technology vendor is a business associate only if it meets the definition of a business associate, regardless of whether the required BAA is in place.
- Addressing the use of tracking technologies in the covered entity’s Risk Analysis and Risk Management processes, as well as implementing other administrative, physical, and technical safeguards in accordance with the Security Rule.
Protecting Your Company from Enforcement Actions and Lawsuits
For now, every health care provider should be taking steps to comply with the OCR and FTC guidance. There are some simple steps to start that work:
- Assess what portions of your websites or mobile apps use tracking software.
- Determine if the data collected complies with applicable data privacy laws.
- Verify data is being gathered with the knowledge and signed consent of the user.
- Review contracts with third-party vendors and/or business associates to ensure compliance.
- If a breach is discovered, make the appropriate risk assessment, disclosures and notifications.
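The first step above (finding which pages carry tracking software) and OCR’s authenticated/unauthenticated distinction can be combined into a simple self-audit. The script below is an added example, not part of the article or any vendor’s code: it scans page HTML for the standard Meta Pixel embed markers and for assumed markers of two other common tags, then flags pages whose paths (assumed login-only prefixes) sit behind authentication. The sample pages are constructed for the example.

```python
import re

# Tracker signatures. The Meta Pixel markers (the fbevents.js loader and the
# fbq('init', ...) call) are the standard embed; the Google and TikTok
# markers are assumed for this example and should be tuned to your site.
TRACKER_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/[^\s\"']*fbevents\.js",
                   r"\bfbq\(\s*['\"]init['\"]"],
    "Google tag": [r"googletagmanager\.com/gtag/js", r"\bgtag\(\s*['\"]config['\"]"],
    "TikTok Pixel": [r"analytics\.tiktok\.com/i18n/pixel/events\.js", r"\bttq\.load\("],
}

# Assumed path prefixes that sit behind a log-in (patient portal, accounts).
AUTHENTICATED_PREFIXES = ("/portal/", "/mychart/", "/account/", "/appointments/")

def find_trackers(html):
    """Return the sorted names of trackers whose signatures appear in the HTML."""
    found = set()
    for name, patterns in TRACKER_SIGNATURES.items():
        if any(re.search(p, html, re.IGNORECASE) for p in patterns):
            found.add(name)
    return sorted(found)

def is_authenticated(path):
    """Heuristic: treat pages under the assumed portal prefixes as authenticated."""
    return path.startswith(AUTHENTICATED_PREFIXES)

def audit(pages):
    """pages: {path: html}. Returns findings with authenticated pages first.
    Trackers on authenticated pages are 'high' (PHI presumed present per OCR);
    trackers on public pages are 'review' (PHI depends on page and visitor)."""
    findings = []
    for path, html in pages.items():
        trackers = find_trackers(html)
        if not trackers:
            continue
        auth = is_authenticated(path)
        findings.append({"path": path, "trackers": trackers, "authenticated": auth,
                         "severity": "high" if auth else "review"})
    return sorted(findings, key=lambda f: (not f["authenticated"], f["path"]))

# Constructed sample pages for the example (placeholder IDs, not real content).
SAMPLE_PAGES = {
    "/visiting-hours": "<html><body><h1>Visiting hours</h1></body></html>",
    "/services/oncology": ("<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"
                           "<script>fbq('init', '000000000000000');</script>"),
    "/portal/appointments": ("<script async src='https://www.googletagmanager.com/gtag/js?id=G-XXXX'></script>"
                             "<script>gtag('config', 'G-XXXX');</script>"),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        print(f"{f['severity']:6} {f['path']}: {', '.join(f['trackers'])}")
```

A finding on a public condition page (like the oncology example) is not automatically a violation, but per the 2024 guidance it is exactly the kind of page where the visitor’s purpose decides whether PHI is involved, so it belongs on the review list.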