My Health, My Data: HIPAA Class Action Lawsuits Mount Against Health Care Providers

Dozens of class action lawsuits are pending against health care providers whose websites share patient information with social media sites like Facebook and Instagram, with more being filed every day.

To address this risk, providers are once again urged to improve their privacy and cybersecurity practices to avoid violating the Health Insurance Portability and Accountability Act (HIPAA), the federal law governing personal health information held by medical providers, as well as the relevant state privacy laws.

Taken together, the lawsuits allege that the sensitive medical information of millions of Americans was illegally shared. Research has shown that the information sent to these social networking sites can be highly revealing.

For example, in states where abortion is prohibited, a Meta Pixel on an abortion clinic's website may transmit a patient's name and address, appointment time, and doctor. Analyzed together, the information a person provides can suggest that the person is considering a procedure to terminate a pregnancy.

A similar problem arises for any specialty service that uses this technology to measure website engagement. For example, a visit to the pages of a clinic or service line dedicated to HIV or cancer care can by itself indicate a person's disease or condition.

One of the most recent lawsuits was filed in January against two of Louisiana's largest hospital chains. LCMC Health in New Orleans and Willis-Knighton Health in northwest Louisiana are accused of using the "Meta Pixel," a piece of web code that could have shared the medical records of hundreds of thousands of patients with Facebook and Instagram.

The phenomenon appears to be on the rise. In late March, two start-ups offering alcohol treatment services notified users that their information may have been disclosed to social media platforms. The potentially exposed information includes sign-up data, health assessments and survey responses.

According to published reports, the disclosures by Monument and Tempest could affect up to 100,000 customers and involve data collected over a five-year period.

Research shows that the use of web tracking in healthcare has become almost universal. A recent study found that as of 2021, 99% of hospitals used tracking technology on their websites. One of the study's authors, quoted in a STAT News article, said: "Even when I was working on this study, I was never surprised by the size and scope of this."

While healthcare providers may use website tracking technologies such as pixel code and cookies to improve the patient experience, sharing patient data with third parties for marketing purposes violates patient privacy laws.

The Louisiana lawsuit alleges that some of the plaintiffs received online advertisements related to their health conditions after entering medical conditions, prescriptions and other personal information on a health care provider's website. The lawsuit is brought under state and other federal privacy laws rather than HIPAA itself, because HIPAA provides no private right of action: only the US government can sue under it.

However, many states have laws that protect the same information as HIPAA and give individuals a right of action against healthcare providers or their business associates. In many jurisdictions, plaintiffs' lawyers actively scan websites for such problems, so the likelihood of having to defend the use of these tracking technologies is higher than you might think.

Depending on the circumstances, possible defenses to such claims may include:

  • Users often sign consent forms agreeing to share information.
  • Information such as an IP address is not, on its own, included in the definition of protected health information.
  • Federal policy encourages Medicare and Medicaid participants to access their patient records online. These arguments are weakened, however, when the data transmitted extends beyond an IP address.

In December, the US Department of Health and Human Services issued guidance warning that website technologies such as cookies and pixels could result in unauthorized disclosure of protected health information (PHI). The guidance is clear, stating among other things: "Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules." Disclosing PHI to a tracking technology vendor for marketing purposes without a HIPAA-compliant authorization from the individual is considered an impermissible disclosure.

In the face of lawsuits and potential regulatory action, healthcare providers should immediately review their websites and other applications for tracking technologies, as well as their consent forms and agreements with third parties, to ensure compliance with privacy laws and regulations.

This review should also be incorporated into the annual HIPAA risk assessment that every regulated entity must complete.

Web tracking technology is not new, and it has been a major factor in the rapid financial success of platforms such as Google and Facebook. Such technologies consist of small pieces of code placed on websites or applications that collect information about visitors and their online interactions. The code is so small that it takes its name from the "pixel," the smallest individual display element on a computer monitor.

In most settings, including healthcare, organizations deploy these trackers to improve the user experience. But even when deployed with good intentions, trackers that are not properly configured can collect far more than intended, and that extra data can put the institution at risk. HIPAA specifically requires healthcare organizations to protect against improper disclosure of PHI to persons and organizations not authorized to receive it.

Therefore, anyone who collects protected health information must decide how to manage this risk. Some, like Monument and Tempest, have responded by phasing out web tracking pixels altogether.

Others have worked to ensure that these beacons are used only to report website traffic and are carefully configured not to send sensitive information. Of course, this approach carries risks of its own: the beacons may be misconfigured, and technology, artificial intelligence in particular, is increasingly able to draw connections between seemingly unrelated pieces of data.
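To make the configuration point concrete, here is an added example that is not code from the article or from any tracking vendor. It simulates the page-view beacon a tracking pixel assembles before it leaves the browser: a naive builder that forwards the full URL, referrer and form fields, beside a hardened builder that allowlists what may be sent, plus an audit check that flags the leaks a reviewer would look for in captured beacons. All hostnames, paths, parameter names and sample values are constructed for the example.

```javascript
// Added example (not from the article or any vendor): a simulated page-view
// beacon showing what a tracking pixel left at its defaults can leak, beside
// a hardened builder and an audit check. All names below are constructed.

// Constructed: path prefixes that identify a service line or patient area.
const CLINICAL_PATH_PREFIXES = ["/patient-portal", "/appointments", "/services"];

// Constructed: query-parameter and form-field names that commonly carry
// identifiers or visit details.
const SENSITIVE_KEYS = new Set([
  "name", "email", "phone", "dob", "mrn", "provider", "appt", "condition", "reason",
]);

// Naive behaviour: send the full URL (query string included), the referrer,
// and whatever form fields the pixel was told to collect, unfiltered.
function naivePixelPayload(pageUrl, referrer, formFields) {
  return { event: "PageView", url: pageUrl, referrer, fields: { ...formFields } };
}

// Hardened variant: drop query and fragment, collapse clinical paths to a
// generic bucket, keep only a same-origin referrer (reduced to its origin),
// and never forward form values.
function hardenedPixelPayload(pageUrl, referrer, _formFields, siteOrigin) {
  const u = new URL(pageUrl);
  let path = u.pathname;
  for (const prefix of CLINICAL_PATH_PREFIXES) {
    if (path === prefix || path.startsWith(prefix + "/")) {
      path = prefix + "/*";
      break;
    }
  }
  let safeReferrer = null;
  if (referrer) {
    const r = new URL(referrer);
    if (r.origin === siteOrigin) safeReferrer = r.origin;
  }
  return { event: "PageView", url: u.origin + path, referrer: safeReferrer, fields: {} };
}

// Audit check: list the ways a payload could reveal a condition or identity.
// Run it against beacons captured from a proxy or the browser's network log.
function findPhiLeaks(payload) {
  const leaks = [];
  const u = new URL(payload.url);
  for (const [key] of u.searchParams) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) leaks.push(`query parameter "${key}"`);
  }
  for (const prefix of CLINICAL_PATH_PREFIXES) {
    if (u.pathname.startsWith(prefix + "/") && !u.pathname.endsWith("/*")) {
      leaks.push(`service-line path "${u.pathname}"`);
      break;
    }
  }
  if (payload.referrer) {
    const r = new URL(payload.referrer);
    if (r.search) leaks.push(`referrer query string "${r.search}"`);
  }
  const fieldNames = Object.keys(payload.fields || {});
  if (fieldNames.length > 0) leaks.push(`form fields ${fieldNames.join(", ")}`);
  return leaks;
}

// Constructed sample inputs: a scheduling page for a specialty service line,
// a search-engine referrer, and a form the pixel was configured to read.
const SITE_ORIGIN = "https://clinic.example";
const SAMPLE_PAGE =
  "https://clinic.example/appointments/oncology/schedule?provider=dr-smith&appt=2023-04-12T09:30&name=Jane%20Doe";
const SAMPLE_REFERRER = "https://www.example-search.test/?q=hiv+testing+near+me";
const SAMPLE_FORM = { email: "jane@example.test", reason: "follow-up after biopsy" };

const naive = naivePixelPayload(SAMPLE_PAGE, SAMPLE_REFERRER, SAMPLE_FORM);
const hardened = hardenedPixelPayload(SAMPLE_PAGE, SAMPLE_REFERRER, SAMPLE_FORM, SITE_ORIGIN);
console.log("naive leaks:", findPhiLeaks(naive));
console.log("hardened payload:", hardened, "leaks:", findPhiLeaks(hardened));
```

The naive payload is flagged six ways (three sensitive query parameters, the oncology service-line path, the referrer's search terms, and the two form fields); the hardened payload reports none, because everything that could identify the visitor or the condition has been removed before the beacon fires. The path bucket is the key design choice: reporting that someone visited "/appointments/*" supports traffic measurement without recording which service line they used.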

Information that cannot be linked to a person today may well be linkable tomorrow, and it is not clear how long this information will be retained.

From a legal standpoint, eliminating tracking beacons altogether is the safest course of action. For smaller practices without large IT and marketing budgets, this may be the only realistic option. But it means giving up some of the benefit these tools offer for building a more efficient business and a better patient experience.

Whether or not institutions continue to use tracking, we are at a point where public awareness of privacy issues is growing. Operators involved in the collection of PHI therefore need to be more aware of compliance risks.

Your compliance program should include, among other things, a proper risk analysis and education and training. To further reduce your risk, consider engaging a third-party auditor to examine weaknesses in your systems, policies and controls.

The heart of the evaluation is a classic risk-benefit analysis. Your team should weigh the benefits of website monitoring for a better online experience against the risk of failing to comply with HIPAA and other privacy regulations.

This vulnerability is particularly difficult because it sits in the gap between IT and marketing. The IT team may not be aware of the trackers and tracking technologies the website uses, while the marketing team may not consider the potential loss of sensitive data when using these technologies, because it is more focused on how the website looks and performs.

This potential gap shows why training is so important. Employees at all levels of the organization need to understand the nature of protected health information and the technologies used to collect it. This training should cover not only staff working with patients but also the marketing team involved in creating and updating the website.

We have entered a phase in which people and organizations are thinking critically about data collection and use. Healthcare facilities, and indeed all organizations, must assess the risk and act proactively.

Alan Winchester of Harris Beach is a cyber security and privacy attorney.

