Dozens of class-action lawsuits are pending against healthcare providers alleging their websites shared patient information with social media sites like Facebook and Instagram, and more are being filed every day.
To address these risks, providers are again being urged to strengthen their cybersecurity practices to avoid violating the Health Insurance Portability and Accountability Act (HIPAA), the federal law that protects personal health information held by medical providers, as well as the relevant state privacy laws.
Collectively, the lawsuits allege that the confidential medical information of millions of Americans has been shared unlawfully. Research has shown that the information transferred to these social media sites is potentially quite substantial.
For example, in a state that bans abortions, a Meta Pixel on an abortion clinic’s website might report the patient’s name and contact information, appointment time, and doctor to Meta, all of which, if analyzed, could support the conclusion that the person was contemplating a procedure to terminate a pregnancy.
Similar problems exist for any specialized service using these website engagement measurement technologies. Diseases such as HIV or cancer, for example, could be inferred from the special purpose of the clinic or service line alone, revealing the nature of a person’s disease or condition to anyone who deciphers the data.
One of the latest lawsuits was filed in January against two of Louisiana’s largest hospital networks. LCMC Health in New Orleans and Willis-Knighton Health in northwest Louisiana were sued over their use of the Meta Pixel website code, which potentially shared hundreds of thousands of patients’ medical data with Facebook and Instagram.
Incidents appear to be on the increase. In late March, two startup companies providing alcohol recovery services notified users that their information may have been leaked to social media sites. The information potentially at risk included dating data, condition assessments, and surveys.
According to published reports, information disclosures by the Monument and Tempest companies may have impacted as many as 100,000 customers with data going back five years.
Research indicates that healthcare use of web trackers has become nearly universal. A recent study by academic institutions found that 99% of hospitals in 2021 were using tracking technology. One of the study’s authors, as quoted in an article in STAT News, noted: “The scale and scope of this continues to shock me even as I work on this research.”
While healthcare professionals can use website tracking technology to improve the patient experience, if pixel codes and cookies share data with third parties for marketing purposes, it would be a violation of patient privacy laws.
The lawsuit in Louisiana alleges that some plaintiffs received online advertisements related to their medical conditions shortly after entering medical conditions, prescriptions and other private information on health care provider websites. The lawsuits allege violations of state and federal privacy laws other than HIPAA itself, because HIPAA provides no private right of action; only the US government can sue under it.
However, many states have laws that protect the same information as HIPAA and provide a right of private action against the health care provider or its business associates. Therefore, in many jurisdictions, where lawyers are proactively testing websites for this type of issue, the likelihood of having to defend the use of these tracking technologies is much greater than it would seem.
Possible defenses against lawsuits, depending on the circumstances, could include:
- Users often sign consent forms for information sharing.
- Information such as IP addresses does not fall under the definition of private health information.
- Federal policies incentivize Medicare and Medicaid participants to offer patients online access to registries. However, this argument is weakened if the information being transferred includes more than just an IP address.
In December, the US Department of Health and Human Services issued a warning that commonly used website technologies, such as cookies and pixels, could lead to the impermissible disclosure of protected health information. The warning was unequivocal, stating in part: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology providers or any other violation of HIPAA rules. For example, disclosure of PHI to tracking technology vendors for marketing purposes, without individual HIPAA compliant authorizations, would constitute an impermissible disclosure.”
In light of the lawsuits and potential regulatory action, healthcare professionals should immediately review their websites and other applications for tracking technology, as well as their consent forms and agreements with third parties, to ensure compliance with HIPAA and other privacy regulations.
This should be immediately incorporated into the annual HIPAA assessment that every regulated entity must perform.
Basics of tracking technology
In general, web tracking technologies are not new and have been a major reason for the rapid financial success of platforms like Google and Facebook. The technology consists of snippets of computer code inserted into a website or app that capture information about visitors and their online interactions. It’s because the code is so small that it’s called a pixel, as a sort of nod to the name of an individual display element on a computer monitor.
For most institutions, including healthcare institutions, the information collected by trackers is intended to help improve the user experience. But despite the potential good, trackers may not be configured properly, and the additional material they collect could put institutions at risk. HIPAA places an affirmative obligation on healthcare entities to protect PHI from improper disclosure to individuals and organizations who shouldn’t have it.
As a result, anyone collecting PHI must determine how to manage those risks. Some, like Monument and Tempest, have responded by stopping the use of web tracking tokens altogether.
Others have worked to ensure that these beacons are carefully configured to transmit only website navigation information and not potentially sensitive information. All of this carries risk, both because a beacon can be misconfigured and because machine learning and so-called artificial intelligence are increasingly able to create seemingly impossible associations between seemingly unrelated pieces of information.
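As an added illustration of the “carefully configured” approach described above (this is example code, not from the article or from any vendor’s pixel SDK), the following JavaScript shows an allowlist filter a site could apply to a page-view event before handing it to a third-party beacon. The parameter names, field names and sample URL are constructed for the example.

```javascript
// Allowlist of URL query parameters considered plain navigation/campaign
// data. Anything not listed is stripped before the URL leaves the site.
const SAFE_URL_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);
// Allowlist of event fields that may be forwarded to a tracking vendor.
// Form-derived keys (names, contact details, conditions) are never listed.
const SAFE_EVENT_FIELDS = new Set(["pageTitle", "referrer", "locale"]);

// Remove every query parameter that is not explicitly allowed, and drop the
// fragment, which can carry appointment or clinician identifiers.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const dropped = [];
  for (const key of [...url.searchParams.keys()]) {
    if (!SAFE_URL_PARAMS.has(key)) {
      url.searchParams.delete(key);
      dropped.push("query:" + key);
    }
  }
  if (url.hash) dropped.push("fragment");
  url.hash = "";
  // Note: the path itself (e.g. /oncology/...) still reveals the service
  // line, which is the article's point; a filter cannot fix that.
  return { url: url.toString(), dropped };
}

// Keep only allowlisted fields of the event object.
function scrubEvent(event) {
  const payload = {};
  const dropped = [];
  for (const [key, value] of Object.entries(event)) {
    if (SAFE_EVENT_FIELDS.has(key)) payload[key] = value;
    else dropped.push(key);
  }
  return { payload, dropped };
}

// Build the outbound beacon. The `dropped` list is what a compliance team
// would log and review: a non-empty list means PHI-like data reached the
// tag layer and the upstream form or page should be fixed.
function buildBeacon(rawUrl, event) {
  const u = scrubUrl(rawUrl);
  const e = scrubEvent(event);
  return { url: u.url, payload: e.payload, dropped: [...u.dropped, ...e.dropped] };
}
```

Logging the `dropped` list to the site’s own monitoring, rather than silently discarding it, turns the filter into a detection control for pages that leak form data into URLs or events.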
Even if data is essentially impossible to associate with a person today, that doesn’t mean it won’t be tomorrow, and it’s unclear how long this data will be retained.
Legally, not using the beacon is the safest course of action. For smaller practices without large IT and marketing budgets, it may be the only course. But it also means giving up some of the benefits to build a more efficient business and better patient experience.
Whether an institution continues to use trackers or not, we are clearly at an inflection point as general awareness of privacy concerns continues to grow. It means vendors involved in collecting PHI need to increase their vigilance about compliance risks.
Your compliance program must include, among many other things, proper risk analysis, training and education. To further reduce risk, consider engaging third-party auditors to scan your system for weaknesses in policies and controls.
At the heart of your review is the classic risk-benefit analysis. Your team needs to consider whether the benefits of using website tracking for better online experiences outweigh the risks of falling short in the area of compliance with HIPAA and other privacy regulations.
This vulnerability is especially sensitive because it sits somewhere between IT and marketing. The IT group doesn’t really handle trackers or the implications of tracking technology, while the marketing group may not be trained to consider the potential loss of sensitive information that comes with this technology, as it is more focused on how the website is displayed and used.
These potential gaps illustrate why training is especially vital. Personnel should be educated on the nature of personal health information and the technologies used at all levels of the organization. This training should extend not only to patient-facing personnel, but also to the marketing teams involved in creating and maintaining the websites.
We have entered a phase where individuals and organizations are thinking more deeply about the collection and use of data. Healthcare institutions and indeed all organizations need to aggressively assess and act on risks.
Alan Winchester, a member of Harris Beach, is a cybersecurity and data privacy attorney.