Bloomberg Law
Nov. 8, 2023, 9:29 AM UTC

Hospitals Accuse HHS of Double Standard Amid Pixel Privacy Row

Skye Witley
Reporter

After nearly a year navigating the Biden administration’s efforts to push health-care providers away from tracking technology that can associate website visitors with specific medical conditions, hospital associations alleged that government agencies are still using those same tools in violation of the guidance.

A quartet of hospital associations are challenging a December 2022 US Health and Human Services Department’s bulletin, which stated that information collected by tools used for web browsing analytics and advertising—including Alphabet Inc. and Meta Platforms Inc.'s—could violate the 1996 Health Insurance Portability and Accountability Act. The complaint, filed on Nov. 2 in a Texas federal court, argues that the bulletin is invalid since it amounted to a sudden policy change without public input, all while the government itself continues to rely on those very same products.

The plaintiffs are seeking to block the agency from enforcing elements of its policy, and clarify which online data is subject to HIPAA privacy protections.

The challenge comes as HHS’ Office for Civil Rights investigates whether providers using online tracking are complying with HIPAA, and as hundreds of potential class actions alleging health-care providers are violating patient privacy proceed through court. How health-care providers collect and share people’s data remains under heavy scrutiny, and not just from litigators or HHS. The Federal Trade Commission has pursued three enforcement actions this year against telehealth providers, fining them a total of $9.4 million for improperly sharing health data with third parties, including Meta and Alphabet’s Google.

“We shouldn’t have to wait for there to be a fine for there to be an effort to stop this unlawful threat of enforcement,” said Chad Golder, deputy general counsel for the American Hospital Association, one of the plaintiffs.

Golder said the December 2022 bulletin published by the OCR dramatically changed covered entities’ health privacy obligations. If the agency plans to enforce its new guidance with the weight of law, it should have first proposed the policy shift in the rulemaking process, he said.

The bulletin warned that associating an individual’s IP address with webpages they visited in search of information about a specific symptom or health condition could qualify as protected health information under the law. Using a third-party tracking tool like Google Analytics or Meta Pixel to collect that information could violate that individual’s privacy rights, the bulletin said.

The bulletin was seemingly issued “without even consulting the federal government’s own website operators, because agencies that are covered entities under the HIPAA themselves use the same third-party technologies,” including Meta and Google’s tracking tools, according to the complaint.

Guidance Fallout

What followed the bulletin’s publication only worsened health-care providers’ fears of getting slapped with regulatory action.

The OCR and FTC in July sent letters to 129 hospitals and care providers alerting them to “serious privacy and security risks” related to their use of online trackers. A press release announcing the outreach confirmed that OCR was actively investigating these entities—ranging from Scripps Health System to Hims & Hers Health Inc.—for their compliance with HIPAA following the bulletin’s guidance. The letters urged recipients to reassess their use of these tracking tools.

The agencies published the letters in September, which the hospital associations say painted a “public bullseye” on the back of recipients with no explanation.

OCR and HHS didn’t return requests for comment.

At least nine of those 129 entities, including Duke University Health System, are defending lawsuits alleging HIPAA violations by their tracker use, according to a Bloomberg Law court docket analysis. The cases remain active. Three have been remanded to state courts.

The letters were released after both agencies received Freedom of Information Act requests seeking the identities of those who received the letters, said Ryan Mehm, an FTC attorney working in the agency’s privacy and identity protection division.

But the agencies may not have anticipated how much plaintiffs attorneys would rely on a combination of the letters and bulletin to inform class action litigation, said Iliana Peters, a former HIPAA enforcer with the HHS and current health privacy shareholder at Polsinelli PC.

“I have clients that have had upwards of six demand letters for litigation purposes,” Peters said. “That’s a huge burden on these entities and on their internal teams and their external teams, like outside counsel.”

Peters said she’s watching the lawsuit challenging OCR’s guidance to see whether it informs how state courts—where many of the class actions have been filed—discern whether any health privacy violations occur from tracking on a public-facing website.

One complication with the office’s position that tracking IP addresses violates health privacy is that providers don’t know the intent of a webpage visitor, so there’s no guarantee an individual is viewing any information related to their own health, said Adam Greene, a former HHS HIPAA privacy adviser, now a partner at Davis Wright Tremaine LLP.

That introduces a fundamental question, Greene said: can HHS assume that most people visiting a webpage with specific medical information are doing so for personal reasons?

“It’s a questionable interpretation to play the odds in that fashion and say, ‘Well, we’re gonna go ahead and assume that,’” he said.

Compliance Complications

The lawsuit contends that many of the IP address-dependent tools improve the utility of health-care websites for visitors by enabling features including educational videos and language translation.

Curtailing some of those tools could conflict with accessibility requirements under the Americans With Disabilities Act, further complicating any efforts to comply with the OCR bulletin, said Craig Kwiatkowski, the chief information officer at Cedars-Sinai Medical Center, a member of the AHA.

“Most health-care provider organizations who use these tools need these tools to serve the community to make decisions and to do right by patients and I think all of us are struggling with the interpretation and feeling like we’re being forced to make difficult choices,” Kwiatkowski said.

Cedars-Sinai started re-examining its tools and practices with a “fresh perspective” following the bulletin’s publication, Kwiatkowski said. The health-care provider subsequently received a July warning letter from regulators, and is defending at least one proposed class action alleging its use of online trackers violated health privacy law. Kwiatkowski declined to comment on the substance of the government’s letter or the subsequent lawsuit.

Some health-care providers opted to eliminate third-party trackers altogether at “significant cost” in response to the bulletin, the lawsuit said. Others hired web-tracking vendors that agreed to meet HIPAA privacy standards, according to Ray Mina, the head of marketing at Freshpaint. The company specializes in HIPAA-compliant online tracking and filtering out potentially protected health information before it reaches third parties.

Two of the “most effective” tools for advertising, created by Google and Meta, also pose some of the greatest risks for entities seeking to comply with the bulletin, because neither company contractually affirms it will use health data it receives in accordance with the health privacy law, Mina said.

Meta and Google didn’t return requests for comment.

Meta warns users of its tracking tools not to share sensitive information including health data, and says its system filters out “potentially sensitive data” it receives. Google instructs users of its analytics tool not to share protected health information and “makes no representations that Google Analytics satisfies HIPAA requirements.”

The health privacy law requires health-care providers to sign business associate contracts with any third parties before sharing protected health information. These agreements prescribe how third parties can use or disclose data they receive.

“The thing that people don’t call out: These tools, they don’t need all the data they collect for them to work,” Mina said.

“As a health-care marketer, it’s not your responsibility to make Google and Facebook more powerful overall,” he added. “Your responsibility is to just send them the minimum data set they need to do the job of getting you more patients or measuring performance.”
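A first-party filtering step of the kind the vendors above describe, which strips potentially protected health information before a page-view event reaches a third party and forwards only the minimum fields the tool needs, as an added example. This is illustrative code written for this page, not Freshpaint’s product and not Google’s or Meta’s code; the route patterns, the forwarded field names and the sample event are assumptions.

```javascript
// Added example (not the article's or any vendor's code): a first-party filter
// that sits between a hospital website and a third-party analytics endpoint.
// Route patterns, field names and the sample event are assumed for illustration.

// Assumed: paths that reveal a condition, a clinician search or a care
// relationship once paired with an identifier such as an IP address.
const SENSITIVE_PATH_PATTERNS = [
  /^\/conditions\//i,
  /^\/treatments\//i,
  /^\/find-a-doctor\//i,
  /^\/patient-portal(\/|$)/i,
  /^\/appointments(\/|$)/i,
];

// Assumed: the only fields the downstream tool needs to count page views.
// Anything not listed here is never forwarded, whatever the caller sends
// (client IP, referrer, user id, query string and fragment are all withheld).
const FORWARDED_FIELDS = ['eventName', 'pagePath', 'pageCategory', 'hourBucket'];

const EMAIL_RE = /[^\s@/]+@[^\s@/]+\.[^\s@/]+/g;
const PHONE_RE = /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/g;

// Collapses a sensitive path to its first segment, so the tool sees
// "/conditions/" rather than which condition the visitor read about.
function generalizePath(pathname) {
  const sensitive = SENSITIVE_PATH_PATTERNS.some((re) => re.test(pathname));
  if (!sensitive) return { pagePath: pathname, pageCategory: 'general' };
  const first = pathname.split('/').filter(Boolean)[0] || '';
  return { pagePath: `/${first}/`, pageCategory: 'generalized' };
}

// Removes free-text identifiers that an event name or title may carry,
// e.g. a logged-in user's email rendered into a page title.
function scrubText(value) {
  return String(value).replace(EMAIL_RE, '[email]').replace(PHONE_RE, '[phone]');
}

// Returns the minimized event plus the list of raw keys that were not
// forwarded verbatim, so the team can audit what the filter withheld.
function sanitizeEvent(raw) {
  const url = new URL(raw.pageUrl); // url.search and url.hash are never read
  const { pagePath, pageCategory } = generalizePath(url.pathname);
  const candidate = {
    eventName: scrubText(raw.eventName),
    pagePath,
    pageCategory,
    // Round to the hour so the timestamp alone cannot single out a visit.
    hourBucket: Math.floor(raw.timestamp / 3600000) * 3600000,
  };
  const forwarded = {};
  for (const key of FORWARDED_FIELDS) forwarded[key] = candidate[key];
  const withheld = Object.keys(raw).filter((k) => !(k in forwarded));
  return { forwarded, withheld };
}

// Constructed sample event, not captured from any real site.
const SAMPLE_EVENT = {
  eventName: 'page_view',
  pageUrl: 'https://hospital.example/conditions/hiv-care?q=test+results#schedule',
  referrer: 'https://www.google.com/search?q=hiv+clinic+near+me',
  clientIp: '203.0.113.42',
  userId: 'portal-88213',
  pageTitle: 'HIV Care | jane@example.org',
  timestamp: 1699433340000,
};

console.log(JSON.stringify(sanitizeEvent(SAMPLE_EVENT), null, 2));
```

The allowlist is the important design choice: a denylist of known-sensitive fields will miss the next custom parameter a marketer adds, whereas an allowlist forwards nothing new until someone deliberately extends FORWARDED_FIELDS. Run the file under Node to see the forwarded object and the withheld keys for the sample event.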

The case is Am. Hospital Ass’n vs. Fontes Rainer, N.D. Tex., No. 4:23-cv-01110, complaint filed 11/2/23

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editors responsible for this story: Kartikay Mehrotra at kmehrotra@bloombergindustry.com; Adam M. Taylor at ataylor@bloombergindustry.com
