Lawsuits Reinforce Importance of Health Care Websites Being HIPAA Compliant

Harris Beach PLLC

After dozens of class-action lawsuits were filed against health care providers across the country alleging their websites shared patient information with social media sites such as Facebook and Instagram, providers are again urged to increase cybersecurity to avoid violating HIPAA and other patient privacy laws.

Collectively, the lawsuits allege the confidential medical information of millions of Americans has been shared illegally. Research has shown the information transferred back to these social media sites is potentially quite substantive. For instance, in a state that bans abortion, a patient’s “Meta-Pixel” could show the website of an abortion clinic, the time of the appointment and the doctor -- allowing anyone who looks at that information to potentially conclude the subject was about to undergo a procedure to terminate a pregnancy.

Similar issues would exist for any specialty service using these website engagement measuring technologies. A service such as oncology, or a disease such as HIV, would be identifiable by the special purpose of the clinic or line of service, enabling the nature of a person’s illness or condition to be deciphered.

One of the latest lawsuits was filed in January against two of the biggest hospital networks in Louisiana. LCMC Health in New Orleans and Willis-Knighton Health in northwest Louisiana are being sued for use of the “Meta Pixel” website code, which potentially shared medical data of hundreds of thousands of patients with Facebook and Instagram.

While health care providers can use website tracking technology to improve the patient experience, if the pixel codes and cookies share data with third parties for marketing purposes, it could be a violation of patient privacy laws. The Louisiana lawsuit alleges some plaintiffs received online ads related to their medical conditions shortly after supplying medical conditions, prescriptions and other private information to the health care providers’ websites.

The lawsuits are alleging violations of state and federal privacy laws because only the U.S. government can sue under the Health Insurance Portability and Accountability Act (HIPAA), a federal law protecting the personal health information held by medical providers. However, many states have laws which protect the same information as HIPAA and do provide a private right of action against the health care provider or their business associates. Thus, in many jurisdictions, where attorneys are proactively testing websites for this sort of issue, the likelihood of having to defend the use of these tracking technologies is much greater than it would seem.

Possible defenses against the lawsuits are that users often sign consent forms for sharing information; that information such as IP addresses falls outside the definition of private health care information; and that federal policies incentivize Medicare and Medicaid participants to offer patients online access to records. This argument is weakened if the information being transferred includes more than just an IP address.

In December, the U.S. Department of Health and Human Services issued a warning that commonly used website technologies, such as cookies and pixels, could result in the impermissible disclosure of protected health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules,” the warning stated. Further, “a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising
