My health, my data: HIPAA class action lawsuits mount against health care providers
Dozens of class-action lawsuits are pending against health care providers alleging their websites shared patient information with social media sites such as Facebook and Instagram, and more are being filed every day.
To address these risks, providers are again urged to strengthen their cybersecurity practices to avoid violating the Health Insurance Portability and Accountability Act (HIPAA), a federal law protecting the personal health information held by medical providers, and related state privacy laws.
Collectively, the lawsuits allege the confidential medical information of millions of Americans has been shared illegally. Research has shown the information transferred back to these social media sites is potentially quite substantial.
For instance, in a state that bans abortion, a “Meta-Pixel” on the website of an abortion clinic could report back to Meta the patient’s name and contact information, the time of the appointment and the doctor—all information that, if analyzed, could allow one to conclude that the subject was contemplating a procedure to terminate a pregnancy.
Similar issues would exist for any specialty service using these website engagement measuring technologies. Diseases such as HIV or cancer, for instance, could be identifiable by the special purpose of the clinic or line of service, thereby allowing the nature of a person’s illness or condition to be deciphered.
One of the latest lawsuits was filed in January against two of the biggest hospital networks in Louisiana. LCMC Health in New Orleans and Willis-Knighton Health in northwest Louisiana are being sued for use of the “Meta Pixel” website code, which potentially shared medical data of hundreds of thousands of patients with Facebook and Instagram.
The incidents seem to be mounting. At the end of March, two startup companies that provide alcohol recovery services notified users that their information may have been disclosed to social media sites. The potential information at risk included data about appointments, condition assessments and surveys.
According to published reports, the disclosures of information from the companies, Monument and Tempest, could have impacted as many as 100,000 customers with data stretching back five years.
Research indicates that health care’s use of web trackers has become almost universal. A recent study by academic institutions found that 99% of hospitals in 2021 used tracking technology. One of the authors of the study, as quoted in an article in STAT News, noted: “The scale and scope of this continues to shock me even as I work on this research.”
While health care providers can use website tracking technology to improve the patient experience, if the pixel code and cookies share data with third parties for marketing purposes, that would be a violation of patient privacy laws.
The Louisiana lawsuit alleges some plaintiffs received online ads related to their medical conditions shortly after supplying medical conditions, prescriptions and other private information to the health care providers’ websites. The lawsuits allege violations of state and federal privacy laws, since only the U.S. government can bring an action under HIPAA.
However, many states have laws that protect the same information as HIPAA and do provide a private right of action against the health care provider or their business associates. Thus, in many jurisdictions, where attorneys are proactively testing websites for this sort of issue, the likelihood of having to defend the use of these tracking technologies is much greater than it would seem.
Possible defenses against the lawsuits, depending on the circumstances, could include:
- Users often sign consent forms for sharing information.
- Information such as IP addresses falls outside the definition of private health care information.
- Federal policies incentivize Medicare and Medicaid participants to offer patients online access to records. However, this argument is weakened if the information being transferred includes more than just an IP address.
In December, the U.S. Department of Health and Human Services issued a warning that commonly used website technologies, such as cookies and pixels, could result in the impermissible disclosure of protected health information. The warning was unequivocal, stating in part: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”
In light of the lawsuits and potential regulatory action, health care providers should immediately review their websites and other applications for tracking technology, as well as consent forms and agreements with third parties, to ensure compliance with privacy rules and regulations.
This should immediately be incorporated into the annual HIPAA assessment each regulated entity must perform.
Basics of tracking technology
In general, web-tracking technologies are not new and have been a principal reason for the rapid financial success of platforms such as Google and Facebook. The technology consists of snippets of computer code placed on a website or app that capture information about visitors and their online interactions. Because the code is so small, it is called a “pixel,” a nod to the name of a single display element on a computer monitor.
For most institutions, including those in health care, information collected by trackers is designed to help improve the user experience. But despite the potential good, they may not be configured correctly and the additional collected material could expose institutions to risk. HIPAA puts the affirmative obligation on health care entities to protect PHI from being wrongly disclosed to individuals and organizations that are not supposed to have it.
As a result, anyone collecting protected health information must determine ways of managing those risks. Some, such as Monument and Tempest, have responded by discontinuing their use of web tracking tokens altogether.
Others have worked to ensure that these beacons are carefully configured to transmit information only about the flow of the website and not any potentially sensitive information. All of this clearly carries some risk, both because the beacon may be misconfigured and because machine learning and so-called artificial intelligence are increasingly able to make seemingly impossible associations between seemingly unrelated pieces of information.
Even if the data is essentially impossible to associate with a person today, that does not mean it won’t be tomorrow, and it is unclear how long this data will be retained.
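An added example of the first review step described above, not code from the article or from any vendor: a small Python audit that scans page source for known tracker signatures (such as the Meta Pixel loader) and flags pages whose URL query string carries patient context. It assumes, as stated in a code comment, that a page-view beacon typically reports the full page URL; the clinic.example host, the pixel id placeholder, the signature and token lists and the sample pages are all constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Regex signatures of common third-party trackers (constructed for this audit; extend as needed).
TRACKER_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/[^\"']*fbevents\.js", r"\bfbq\s*\(\s*['\"]init['\"]"],
    "Google Analytics / gtag": [r"googletagmanager\.com/gtag/js", r"google-analytics\.com/analytics\.js"],
    "Google Tag Manager": [r"googletagmanager\.com/gtm\.js"],
}
# Query-parameter tokens that tend to carry patient context (constructed, illustrative list).
SENSITIVE_TOKENS = frozenset({"condition", "diagnosis", "appt", "appointment", "provider", "doctor", "patient", "rx", "drug"})

# Constructed sample pages on a hypothetical clinic.example host, with a placeholder pixel id.
APPT_URL = "https://clinic.example/schedule?doctor=oncology&appt=2024-03-14"
PORTAL_URL = "https://clinic.example/portal/login"
ABOUT_URL = "https://clinic.example/about"
SAMPLE_PAGES = {
    APPT_URL: """<html><head><script>
      t.src='https://connect.facebook.net/en_US/fbevents.js';
      fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');
    </script></head><body>Schedule an appointment</body></html>""",
    PORTAL_URL: """<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER">
    </script></head><body>Patient portal login</body></html>""",
    ABOUT_URL: "<html><body><p>About our clinic</p></body></html>",
}

def find_trackers(html):
    """Return the names of trackers whose signature appears in the page source."""
    return [name for name, pats in TRACKER_SIGNATURES.items()
            if any(re.search(p, html, re.IGNORECASE) for p in pats)]

def risky_query_params(url):
    """Query-parameter names that look like patient context; a page-view beacon typically reports the full URL."""
    keys = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(k for k in keys
                  if SENSITIVE_TOKENS & set(re.split(r"[^a-z0-9]+", k.lower())))

def audit_page(url, html):
    """Combine both checks into one finding with a coarse severity."""
    trackers, params = find_trackers(html), risky_query_params(url)
    if not trackers:
        severity = "none"
    elif params:
        severity = "high"    # tracker present and the URL it would report carries patient context
    else:
        severity = "review"  # tracker present; confirm which events and fields it is configured to send
    return {"url": url, "trackers": trackers, "risky_params": params, "severity": severity}

def run_audit(pages=SAMPLE_PAGES):
    """Audit every (url, html) pair; in practice the pages would come from a site crawl."""
    return [audit_page(url, html) for url, html in pages.items()]
```

Calling `run_audit()` on the constructed pages rates the appointment page "high", the portal login "review" and the about page "none"; a real review would feed it crawled pages and then inspect what each flagged tracker actually sends.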
Legally, not using the beacon is the safest course of action. For smaller practices without large IT and marketing budgets, it may be the only course. But it also means giving up some of the advantages of building a more efficient business and a better patient experience.
Whether an institution continues to use trackers or not, we’re clearly at an inflection point as general awareness of privacy concerns continues to grow. It means that providers involved in collecting PHI must elevate their vigilance of the compliance risks.
Your compliance program needs to include, among many other things, proper risk analyses, training and education. To further lower your risk, consider engaging third-party reviewers to explore your system for weaknesses in policies and controls.
At the heart of your review is the classic risk-benefit analysis. Your team needs to consider whether the benefits of using website tracking to deliver better online experiences outweigh the risks of falling short on compliance with HIPAA and other privacy regulations.
This vulnerability is particularly tricky because it tends to land in the space between IT and marketing. The IT group generally does not manage trackers or the implications of tracking technology, while the marketing group may not be trained to consider the potential loss of sensitive information that comes with this technology, as it is more focused on how the website is being used.
These potential gaps illustrate why training is particularly vital. Your staff needs to be educated on the nature of personal health information and the technologies used at all levels of the organization. This training should extend not only to patient-facing staff, but to marketing teams involved in creating and updating websites.
We have entered a phase where individuals and organizations are thinking more deeply about the collection and use of data. Health care institutions—and really, all organizations—need to evaluate and act aggressively on the risks.
Alan Winchester, a member with Harris Beach, is a cybersecurity and data privacy attorney.