Based on a report from law agency BakerHostetler, the healthcare industry’s usage of third-party tracking codes and other web analytics applications has contributed to further legal threats. 28% of about 1,150 incidents in 2023 involved healthcare data breaches. In addition, more than 200 lawsuits were filed against healthcare providers for using third-party web tracking tools, 75% of the lawsuits were just filed in 2023.
The use of tracking technology in healthcare became well-known in June 2022, when journalists found that one-third of Newsweek’s top 100 American hospitals had installed the Meta Pixel on their websites. The pixel was purportedly transmitting a packet of information to Facebook every time a user performed an activity such as booking an appointment, which brought up patient privacy issues.
Now, almost two years following this finding, litigation is still being filed, with the majority of actions still at the preliminary pleadings stage. Some cases are given class certification, while others are not. A few others have negotiations. There is a scheduled trial this summer for the first Healthcare Pixel Action trial. Its results will probably affect defense tactics in other class actions versus healthcare entities.
At the same time, the American Hospital Association (AHA) is continuing with its lawsuit versus the HHS Office for Civil Rights (OCR) concerning its bulletin in December 2022 about using tracking technology. The AHA asserts that the bulletin goes beyond the government’s statutory and constitutional power, does not meet the demands of agency rulemaking, and negatively affects the very individuals it claims to protect.
The lawsuit mainly covers the issue with OCR’s position that a device’s IP address used to access a HIPAA-covered entity’s website is considered as protected health information (PHI). In spite of negative response, OCR published a new bulletin in March 2024 that reiterated that position. Many companies have made the hard choice to take away all third-party technologies from their websites while they find options for making their websites operational and useful without sending IP addresses to third parties. This task is not easy since IP addresses are required when navigating the web.
Aside from giving information about third-party tracking tech lawsuits involving healthcare providers, BakerHostetler monitored OCR’s enforcement actions every year. OCR resolved four right-of-access lawsuits in 2023, a big drop from the 16 cases in 2022.
OCR likewise issued four enforcement actions associated with hacking. There were only two in 2022. OCR had 14 resolution agreements in 2023, less than the 21 in 2022. This could indicate a difference in resource accessibility, or that the office is concentrating on other enforcement concerns.
In summary, BakerHostetler’s information indicates that in 2023, both litigators and HIPAA regulators prioritized healthcare data privacy and security. This focus will likely be the same for 2024.