Recently, we hosted a webinar with Lynn Sessions and Paul Karlsgodt of BakerHostetler to discuss pixel tracking technology, the culprit behind the latest ad tech litigation and regulatory trend. Now, we’ll explore how regulated industries are responding to meet strict guidance from the government. For more on how non-regulated industries should handle ad-tracking technology, you can find our blog post here.
Want even more on pixel? Refill your coffee and watch the full webinar recording here.
Lynn has handled over 800 healthcare data breaches, including several of the largest breaches reported to date. She provides counsel to healthcare providers and other covered entities (as well as business associates) on breach analysis, breach response, crisis management with patients, media and employees, and regulatory notification obligations to the Office for Civil Rights (OCR).
Paul has served as lead defense counsel in class actions arising from many of the largest healthcare and payment card breaches in history. He currently serves as the leader of BakerHostetler’s Privacy and Digital Risk Class Action and Litigation team.
In a perfect world, pixel technology empowers organizations to better understand how users interact with their website, and in return, organizations strategically update the experience to fit their customer’s needs. Unfortunately, the reality is a little more complex. The precarious nature of data privacy, especially when third-parties like Meta and Google are involved, means that organizations need to be tactful when using ad-tracking technologies — especially regulated industries.
Based on the idealistic premise above, it’s understandable why many healthcare providers leapt at the idea of implementing ad-tracking technology to improve the user experience. But the first misstep was a lack of cohesion between departments. If the marketing team isn’t properly communicating with other teams, like legal, privacy, and IT, you are bound to run into serious regulatory issues.
Without a proper risk assessment or governance process, any industry that holds a significant amount of personal information, like hospitals, colleges, and financial institutions, puts their data at risk.
The pandemic wreaked havoc on modern healthcare, not only stretching hospitals and staff to their limits, but also forcing the entire industry to speed up a decades-long digitization process. Suddenly, it was commonplace for doctor appointments to take place from your living room.
“My healthcare clients told me that they needed to meet patients where they were going in the marketplace, and that was on their websites. They had to juggle implementing patient portals with the guidance coming down from Washington. Then, the government also says they can’t use certain technologies without business associate agreements in place,” says Lynn Sessions, a lawyer with extensive experience working with healthcare providers. “It’s been a challenging 7 or 8 months as they weed through what is going wrong and what is actually being shared with third parties.”
When it comes to ad-tracking technology, the healthcare sector was the first regulated industry to land under the microscope. Simply being a patient at a medical center is considered protected information, but allegations claim that Meta's information gathering goes much further. Pixels on private patient portals provide Meta with information like the names of their medications, descriptions of their allergic reactions, and appointment details.
Given the nature of these claims, it’s not surprising that the Office of Civil Rights responded swiftly and sternly.
On December 1, 2022, the OCR released guidance to regulated entities on the proper use of tracking technologies, advising they shouldn’t be used “in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”
According to the OCR, identifying use of tracking technology in a website or app’s privacy policy is not enough. Healthcare entities must also have a business associate agreement (BAA) in place with the tracking technology vendor. In addition, entities must provide breach notification to affected individuals of an impermissible disclosure of PHI to a tracking technology vendor when there was no permission to disclose PHI and no BAA with the vendor. OCR stated there is a presumption of a breach unless the entity can demonstrate a low probability that the PHI has been compromised.
What came as a surprise — especially to those who have focused on data privacy for years — was that OCR guidance asserted that a user’s IP address constituted as Individually Identifiable Health Information (IIHI).
“From a technical perspective, IP addresses are not personally identifiable. If I’m working from my office, the BakerHostetler IP address is being shared, not mine. At home, my sons use the same internet that I do and have the same IP address,” explains Paul Karlsgodt, who specializes as defense counsel in class action lawsuits stemming from data breaches. “There can’t be communication from a browser to a server without an IP address. That’s how the internet works.”
These arguments will likely wind up in pending court cases, but it doesn’t negate the current reality set by the OCR: “A website user’s IP address or geographic location, or any unique identifying code, is individually identifiable health information (IIHI); and (2) all IIHI, including IP addresses and geographic locations, that a website visitor provides when using a CE’s website “generally is PHI [protected health information].”
For now, regulations clearly suggest that an IP address may connect an individual’s identity to the regulated entity (the healthcare provider). To remain in compliance with this guidance, healthcare entities should avoid having any sort of ad-tracking technology implemented that will send a user’s IP address to a third-party, like Meta.
In our last post, we discussed the delicate timing of a key article from The Markup. The exposé, which alleged pixel was a glaring data privacy red flag, coincided with Roe v. Wade being overturned. Reputable healthcare entities suddenly faced a wave of media backlash. It was (and is still not) a good time to be frivolous with data, especially personal health information.
“After the article came out, attorneys general started reaching out to hospitals. We worked with these healthcare entities and their privacy teams to uncover exactly what was being transmitted to third parties,” explains Lynn Sessions. “Some of these websites have hundreds of these tracking materials on them.”
A month later, two separate clients of BakerHostetler received data requests from the OCR. This was unusual, due to the fact that neither had reported a data breach. Simultaneously, hundreds of healthcare entities dug into the usage of tracking technologies on their websites. Community Health Network and Advocate Aurora Health notified over 4 million individuals (combined) of potential data breaches, all tracing back to pixel. This drew even more unwanted media attention in the direction of healthcare providers across the country.