HHS Warnings Trigger Class Actions Against Medical Providers for Use of Online Tracking Technologies

After roughly a year of multiple warnings by the Department of Health and Human Services (HHS) concerning the usage of online tracking technologies and associated privacy and security risks, class action lawsuits have begun to be filed against medical providers alleging damages to patients.

Background

In December 2022, HHS issued guidance on the “Use of Online Tracking Technologies By HIPAA Covered Entities and Business Associates.” The concern addressed by HHS was that website and mobile app tracking technologies, such as cookies and pixels, can collect PHI governed by HIPAA.

The disclosure of PHI to tracking technology vendors could constitute an improper disclosure of PHI in violation of HIPAA’s Privacy Rule. For example, if a person browses a hospital’s website looking for a provider in a medical specialty, online tracking technologies obtain information about that person or their device. The information obtained by the cookie or pixel is then shared with cookie and pixel vendors such as Google and Meta/Facebook. This sharing of information with Google or Meta/Facebook can be an unauthorized disclosure of PHI.

On July 20, 2023, HHS again warned hospital systems and telehealth providers about privacy and security risks from online tracking technologies. More specifically, HHS warned about the use of Google Analytics and the Meta/Facebook pixel.

Class Actions

On the heels of these warnings, plaintiffs’ attorneys have started filing class action lawsuits against medical providers alleging damages to patients based upon the use of these tracking technologies.  It should come as no surprise that these lawsuits specifically allege the improper disclosure of PHI through the use of Google Analytics and the Meta/Facebook pixel.

These class actions also seek to capitalize on FTC enforcement actions against companies like GoodRx, BetterHelp, and Easy Healthcare for the improper disclosure of PHI through the use of tracking technologies. These entities paid $7.8 Million, $1.5 Million, and $100,000 respectively to settle FTC complaints against them.

Since HIPPA and the FTC Act do not provide a private right of action, the class actions allege various other legal theories to support their claims. Such theories include common law negligence, invasion of privacy, and unjust enrichment (profiting from sharing PHI with Google, Meta/Facebook, or other tracking technology vendors), among others.

Looking Ahead

Any medical provider that has an online presence is likely to be using Google Analytics cookies, the Meta/Facebook pixel, and/or other tracking technologies. If a medical provider uses a marketing vendor to support its website or mobile app, the medical provider may not even know what tracking technologies are being used or what information might be shared through these technologies.

To avoid class actions, and to better defend a class action should one be filed, we recommend that medical providers evaluate the tracking technologies in use and how they might be sharing information with Google, Meta/Facebook, or other vendors.

Let our Data Privacy & Cybersecurity team know if we can help you evaluate your tracking technologies and proactively defend yourself against these class action lawsuits.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.