Our next guest on A Little Privacy, Please!® is Valerie Montague, a partner in Nixon Peabody’s healthcare practice. She is CIPP/US-certified and represents healthcare providers, digital health companies, life sciences companies, and vendors of healthcare providers on privacy issues, including HIPAA compliance.
Valerie has generously agreed to speak with us about online tracking technologies in the healthcare space, which can have serious HIPAA implications.
Let’s jump in.
What do tracking technologies do? Why is it controversial?
Pixels and other online technologies are embedded into websites or mobile apps. They are used to track a user's experience and interaction with the site or the app. As part of that, information is transmitted to these tracking technologies’ tech vendors, such as Meta, and they’re able to use that information to either provide services to the organization that has the website or provide what is called interest-based advertising to the impacted consumer.
If you go on your Facebook page and say, “Hey, it’s interesting that I’m seeing a Ticketmaster ad when I was searching for concert tickets earlier.” That’s an example of how information gleaned from these tracking technologies is used for interest-based advertising.
It’s an issue because the data captured is identifiable for these users. Different levels of identifiable data are used to identify a person and connect them with other aspects of their online lives to come up with these targeted ads.
Why are tracking pixels of concern for HIPAA-regulated organizations?
Healthcare organizations are handling a lot of sensitive information. Patients who go to their websites, who use their portals, who use their apps, are interacting with those organizations and providing them with a lot of data that they might not want out there in the public sphere. If these organizations are HIPAA-regulated, they need to comply with a whole scheme of regulations to protect information.
For example, take a hospital with an online portal. Suppose individuals are logging in to make appointments and disclosing information regarding their health. If that information moves to a third party, it needs to do so in a way compliant with HIPAA.
The concern for HIPAA-regulated entities is that the Metas of the world, these tracking technology vendors, often are not business associates to the hospitals or physician practices. They may not be permitted to receive the data as a hospital vendor. The healthcare organizations may not be securing the individual’s authorization to disclose health information to Meta or any other vendor for these purposes.
Depending on the facts, it may be a little bit grey as to whether this is a permissible use of that data, and if it’s not, healthcare organizations need to analyze whether there’s a potential HIPAA breach involved.
Are there litigation risks associated with using tracking technologies separate from the regulatory implications?
Absolutely, and we’re seeing litigation across the country more and more each day.
In 2022, we did see an $18 million settlement with a hospital in Massachusetts, so it’s a significant concern. It can be a major headache from a time perspective and a financial perspective for organizations inside and outside the healthcare space.
What should a company do if it is already using these tracking technologies or considering adding them to its website or app?
A company should first wrap its arms around how they’re using tracking technologies, who they’re working with, what information is being captured, and what information is going over the wall to the tracking technology vendor. If they are not yet implementing these technologies, those are the questions they should consider.
From a HIPAA perspective, analyze whether the tracking technology vendor is your business associate or whether it should be your business associate. If it’s not, perhaps you go the route where you seek authorization, giving you more flexibility, as the patients have told you it’s okay to use their data in the manner described. If they’re not your business associate, if you don’t have authorization, then scrutinize whether you have a potential HIPAA breach.
The Office for Civil Rights (OCR) has issued guidance that’s pretty authoritative on this subject. They take a broad view of what’s protected health information in these contexts. We’ve seen a number of large breaches reported, based on these tracking technologies, so far, to OCR, so it’s a topic on its radar, and it’s something OCR is investigating.