After dozens of class-action lawsuits filed against health care providers across the country alleging their websites shared patient information with social media sites such as Facebook and Instagram, providers are again urged to increase cyber security to avoid violating HIPAA and other patient privacy laws.
Collectively, the lawsuits allege that the confidential medical information of millions of Americans has been shared illegally. Research has shown that the information transferred back to these social media sites can be quite substantive. For instance, in a state that bans abortion, the Meta Pixel data tied to a patient could reveal the website of an abortion clinic, the time of the appointment and the doctor, allowing anyone with access to that information to conclude that the patient was about to undergo a procedure to terminate a pregnancy.
Similar issues would exist for any specialty service that uses these website engagement measuring technologies. A service such as oncology, or a disease such as HIV, would be identifiable from the special purpose of the clinic or line of service, allowing the nature of a person’s illness or condition to be deciphered.
One of the latest lawsuits was filed in January against two of the biggest hospital networks in Louisiana. LCMC Health in New Orleans and Willis-Knighton Health in northwest Louisiana are being sued for use of the “Meta Pixel” website code, which potentially shared medical data of hundreds of thousands of patients with Facebook and Instagram.
While health care providers can use website tracking technology to improve the patient experience, if the pixel code and cookies share data with third parties for marketing purposes, it could be a violation of patient privacy laws. The Louisiana lawsuit alleges that some plaintiffs received online ads related to their medical conditions shortly after supplying medical conditions, prescriptions and other private information to the health care providers’ websites.
The lawsuits allege violations of state and federal privacy laws because only the U.S. government can sue under the Health Insurance Portability and Accountability Act (HIPAA), the federal law protecting the personal health information held by medical providers. However, many states have laws that protect the same information as HIPAA and do provide a private right of action against the health care provider or its business associates. Thus, in many jurisdictions, where attorneys are proactively testing websites for this sort of issue, the likelihood of having to defend the use of these tracking technologies is much greater than it would seem.
Possible defenses against the lawsuits are that users often sign consent forms permitting information sharing; that information such as IP addresses falls outside the definition of private health care information; and that federal policies incentivize Medicare and Medicaid participants to offer patients online access to records. These defenses are weakened if the information being transferred includes more than just an IP address.
In December, the U.S. Department of Health and Human Services issued a warning that commonly used website technologies, such as cookies and pixels, could result in the impermissible disclosure of protected health information.
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules,” the warning stated. Further, “a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.”
Harris Beach Can Help Health Care Providers with HIPAA Compliance
In light of the lawsuits and potential regulatory action, health care providers should immediately review their websites and other applications for tracking technology, as well as consent forms and agreements with third parties, to ensure compliance with privacy rules and regulations. This review should immediately be incorporated into the annual HIPAA assessment each regulated entity must perform.
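As an added illustration of the website review recommended above (example code written for this page, not part of the original alert and not a Harris Beach tool): a Python scanner that flags the Meta Pixel's usual indicators in a page's HTML and rates the finding higher when the page path looks patient-facing. The path hints and the sample page are constructed assumptions, not data from any real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative path fragments suggesting a patient-facing page (an assumption;
# tune to the site under review).
SENSITIVE_PATH_HINTS = ("appointment", "patient", "portal", "results")
FBQ_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")

class PixelFinder(HTMLParser):
    # Collects Meta Pixel indicators: loader script, fbq('init') calls, noscript beacon.
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        u = urlparse(src)
        if tag == "script":
            self._in_script = True
            if u.netloc.endswith("connect.facebook.net"):
                self.findings.append(("loader", src))
        elif tag == "img" and u.netloc.endswith("facebook.com") and u.path == "/tr":
            self.findings.append(("beacon", src))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):  # <script> bodies arrive here as raw text
        if self._in_script:
            if "connect.facebook.net/en_US/fbevents.js" in data:
                self.findings.append(("loader", "inline bootstrap snippet"))
            self.findings += [("init", i) for i in FBQ_INIT.findall(data)]

def find_meta_pixel(html):
    p = PixelFinder()
    p.feed(html)
    p.close()
    return p.findings

def assess(url, html):
    # 'high': pixel on a patient-facing path; 'review': elsewhere; 'none': absent
    findings = find_meta_pixel(html)
    if not findings:
        return "none", findings
    path = urlparse(url).path.lower()
    return ("high" if any(h in path for h in SENSITIVE_PATH_HINTS) else "review"), findings
# Constructed sample page (not a real site) carrying the usual pixel snippet.
SAMPLE_HTML = """<html><head><script>!function(f,b,e,v,n,t,s){t=b.createElement(e);
t.src=v}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000001'); fbq('track', 'PageView');</script><noscript><img
src="https://www.facebook.com/tr?id=000000000000001&amp;ev=PageView&amp;noscript=1"/>
</noscript></head><body><h1>Schedule an appointment</h1></body></html>"""
```

Run `assess(page_url, page_html)` over each page of a crawl; a "high" result on an authenticated or appointment page is exactly the configuration the HHS guidance quoted above says must be brought into line with the Privacy Rule.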
Harris Beach offers a dynamic combination of legal and technical support to protect digital assets and business interests, as well as a rapid response team in the event of a breach. We provide a full range of data privacy and cybersecurity services – from performing annual HIPAA assessments, compliance counseling and legal risk assessments to defense in litigation and regulatory investigations, as well as advisement on following the National Institute of Standards and Technology protocols.
Our cybersecurity team of attorneys, information security and communications management professionals leverages its experience with highly regulated industries to provide the strategic counsel and guidance organizations need to manage the potentially devastating risks associated with the theft or compromise of intellectual property or the personal information of customers or employees.
Harris Beach also offers technical support, including compliance tools that support risk management. Caetra.io, a wholly-owned subsidiary of Harris Beach, offers a first-of-its-kind solution: software that integrates the law. CyMetric is a cloud-based software, which streamlines the process of building, deploying, updating and assessing cyber and data privacy programs. Not only does it incorporate industry-standard security frameworks to ensure your policies meet or exceed regulatory requirements, it distills cybersecurity regulations into detailed controls to deliver policies that fit your risk tolerance and compliance requirements. This reduces dependency on legal counsel to provide regulatory mapping and cybersecurity compliance policies.
For more information on how your hospital or health care system can ensure your website and other applications are compliant with HIPAA regulations, contact New York cybersecurity attorney Alan M. Winchester at awinchester@harrisbeach.com / (212) 313-5403, or New York health care attorney Roy W. Breitenbach at rbreitenbach@harrisbeach.com / (516) 880-8378.
This alert is not a substitute for advice of counsel on specific legal issues.
Harris Beach has offices throughout New York state, including Albany, Buffalo, Ithaca, Long Island, New York City, Rochester, Saratoga Springs, Syracuse and White Plains, as well as Washington D.C., New Haven, Connecticut and Newark, New Jersey.