
Blog Post

May 29, 2024

Government Relations 101: Ongoing Government Response to Data Privacy Breaches: The Markup Effect

This blog is the 10th in a series about interacting with government regulators and is intended to help our clients understand and manage contact and outreach from government regulators, law enforcement, or both.

The Setup

Since 2022, government investigations of data privacy breaches have increased and remain a government priority. In June 2022, The Markup, an online not-for-profit newsroom, issued a report detailing how major national hospitals were disclosing patients’ protected health information (PHI) through their use of online tracking technology provided by Meta, the parent company of Facebook, and thereby potentially violating the Health Insurance Portability and Accountability Act (HIPAA) and other federal statutes.[1] The article caused a stir in privacy circles, leading to government investigations (which have only grown in number since its publication), lawsuits, and more recently settlements. Indeed, in December 2023, the New York Presbyterian Hospital System (NYPres) settled an investigation brought by the New York State Attorney General’s Office accusing NYPres of violating federal law through its improper usage of website tracking technology. This case and similar ones portend continuing government focus on data privacy and suggest an immediate need for providers to review their privacy practices, particularly those related to tracking technology.

Discussion

Tracking technology is not new and has long existed to provide businesses with the means to learn how customers interact with their websites and to connect potential customers with products that reflect their interests. Both Google and Meta provide tools to track clicks and other user interactions. In exchange, Google, Meta, and other platforms collect and aggregate the data of their subscribers and for a fee provide it to vendors to be used to identify potential customers. Various computer technologies exist to facilitate tracking, including cookies, pixels, heat maps, and session replays. Each, through different methods, records a user’s interaction with a website, including what parts of a website are accessed by the user and what information is inputted by the user.

Concerns arise, however, when the information being collected, even if anonymized, is considered PHI under HIPAA and can be collated to create individualized customer profiles and those profiles are (or can be) used to generate targeted ads. Think of a person who, using a personal computer, makes an online appointment with their health care system to consult with an expert on obesity and soon is inundated with email offers from weight loss programs or suppliers of weight loss drugs. Entities regulated by HIPAA are not permitted to use tracking technologies that result in the disclosure of PHI. PHI includes an individual’s IP address, the unique numeric identifier associated with a particular computer device or computer network.

The government’s response to data privacy breaches since 2022 has been vigorous. The Federal Trade Commission (FTC) has brought multiple actions against health systems for misusing tracking technologies and reached settlements with some. HHS’s Office of Civil Rights, for its part, in summer 2023 issued a letter to approximately 130 health systems across the nation apprising them of the issue. And, as noted, individual states including New York State through the NYS Attorney General’s Office have opened investigations against providers for misusing tracking technology.

The NYS AG’s investigation of NYPres is illustrative of what’s occurring nationwide and is one of several brought by the NYS AG over the past year.[2] The NYS AG found that, between June 2016 and June 2022, NYPres had used third-party tools to track visitors to its website. These tools used snippets of code that sent information back to third parties whenever a webpage loaded or a user took a pre-defined action. These third-party companies received a variety of information from NYPres, including, in most cases, the user’s IP address and the URL of the webpage that had been loaded and, in some cases, information about the user’s health. Several third parties also received the unique identifiers that had been stored on users’ devices, allowing the third parties to recognize users they had previously interacted with. These practices came to light in June 2022, and NYPres thereafter conducted a forensic audit and found that the data breach impacted 54,000 people. The NYS AG then commenced an investigation that culminated in a settlement, announced on December 27, 2023, whereby NYPres agreed to pay $300,000, adopt policies and procedures regarding the use of third-party tracking tools, and conduct regular audits of its use of third-party tools.[3]

The NYS AG’s investigation is not an outlier, and the heightened level of scrutiny it reflects has continued with no immediate end in sight. In January 2024, a North Carolina health system paid $6.6 million to settle a lawsuit involving its use of tracking tools on its websites and patient portals.[4] In April 2024, the FTC filed a lawsuit against Monument, a substance use disorder treatment company, alleging Monument had, while promising 100 percent patient confidentiality, revealed health information to third parties, including Meta and Google, without users’ consent.

The Takeaway

While the government’s response to The Markup article and its own efforts subsequent to the article’s publication have been largely focused on major health care systems, tracking technology works on any website. The underlying concerns with its use apply to any health care provider with a website that uses tracking technology to enhance user experience, improve how it delivers health care services, or both. At this juncture, given the volume and robustness of the government’s response to data privacy breaches, the government is not likely to accept a provider’s explanation that they did not understand or appreciate the privacy implications of these tools. As such, providers are well advised to audit their use of third-party tools, including tracking tools, and to ensure that those tools are not inadvertently violating HIPAA.

In addition to its robust health care practice, Barclay Damon’s Data Security & Technology Practice Area attorneys are experienced in handling a host of data privacy and data security issues and are available to assist you. 

If you have any questions regarding the content of this blog, please contact Chris Shaw, partner, at cshaw@barclaydamon.com, or another member of the firm’s Health Care Controversies or Health & Human Services Providers Teams or White Collar & Government Investigations Practice Area. 
                                                                                             

[1] Staffers at The Markup tested the websites of the top 100 hospitals in America by booking online medical appointments. The Markup found and reported information supplied to make these appointments was not being protected and was being made accessible to Meta. The Markup was unable to draw any conclusions about what, if anything, Meta did with the information; however, that was beside the point. Private, confidential health information, information protected by federal law, was being disseminated by hospital systems to outside parties who, with limited exceptions, are not legally entitled to receive it.
[2] See NYS OAG press release dated December 27, 2023.
[3] Id.
[4] That settlement is pending court approval scheduled for early June.
 
