Podcast - Data Privacy and Tracking Technology Compliance
In this episode of "Counsel That Cares," data security and privacy attorney Paul Bond is joined by Antonio Rega, managing director at J.S. Held, to discuss the latest developments regarding lawsuits involving the use of metapixels on healthcare provider websites. They explore the implications of a recent U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) bulletin that expanded the definition of protected health information to include basic website usage data. Mr. Bond and Mr. Rega offer practical steps for healthcare organizations, such as conducting data inventories, reviewing privacy practices and establishing cross-functional working groups, to help mitigate emerging compliance and litigation risks in this evolving area of law.
Since this episode was recorded, the American Hospital Association (AHA) has filed a lawsuit to bar the enforcement of the OCR rule discussed in this podcast episode. Holland & Knight will be publishing more information about the AHA lawsuit soon.
Morgan Ribeiro: Welcome to Counsel That Cares. This is Morgan Ribeiro, the host of the podcast and a director in the firm's Healthcare Section. Today, we are going to look at a hot topic in healthcare and one that is receiving a lot of attention, particularly amongst providers of healthcare services. Metapixels are a powerful tool to help online vendors reach people who have shown an interest in a product or service. By identifying a user's Facebook or Instagram, this tracker can help target ads to people who have already shown an interest in a product. This is relatively harmless if you're looking at things like clothes or skin care, but in healthcare, this tracker can breach patient privacy if it's included on certain pages. In today's conversation, we are going to look at and talk about a number of recent lawsuits involving metapixels and what's happening in these cases, what it means for our listeners and much more. Joining me today are Paul Bond, a partner in Holland & Knight's Data, Security & Privacy practice, and Antonio Rega, managing director in J.S. Held's global investigations practice. Paul and Antonio, thank you for joining me today. Before we get started, I want to just maybe talk to each of you a little bit more and share with our listeners more about your practice and your areas of expertise. Paul, can you tell us more about your practice and the work that you do in the healthcare space?
Morgan Ribeiro: Thank you. Antonio?
Antonio Rega: I'm a managing director within J.S. Held's digital investigations and discovery practice. My focus is on data, privacy, governance and digital forensics. I have more than 20 years of experience supporting organizations and law firms on matters involving both proactive and reactive needs. That can be internal assessments, compliance matters or internal investigations, or for litigation involving analysis, expert reporting and testimony.
Morgan Ribeiro: Thank you. So to bring everyone up to speed on what is happening and what I mentioned in the introduction, on September 5, anonymous plaintiffs allege that at least 664 medical providers use pixel tracking technology on their websites and patient portals, which has allowed Meta to obtain patients' protected health information (PHI). In a consolidated lawsuit, the plaintiffs allege that Meta collected health information of people with Facebook accounts by installing pixels on the patient portals of their healthcare providers. The plaintiffs also say that the tech giant was able to profit from the information by using it to deliver targeted ads. Meta has tried to dismiss the claims in a motion stating that the plaintiffs didn't provide enough evidence to establish that the company's intent was to collect their information. Ultimately, this motion was denied by a judge in the U.S. District Court for the Northern District of California. The judge stated that the patients can pursue claims that Meta violated a federal wiretap law and a California privacy law. This is just the latest in a series of lawsuits that we're seeing pop up involving meta pixels and healthcare providers. Paul or Antonio, I'd love to hear from both of you on this, but anything notable that you'd like to share in terms of a summary of what's currently happening in this space?
Paul Bond: Alongside this case against Meta is a series of more than 200 actions in federal and state court that have been brought against healthcare providers of all sorts with respect to their use of online tracking technology. Most of the time, Meta isn't involved in those suits, but all of them favor the same types of causes of action and the same sort of claims. Generally speaking, their attempts to use wiretap acts under various state laws, most of which were brought about in the '60s and '70s to fight crime syndicates with respect to tapping phones. To take these into the digital age and to treat the fact that you went to a hospital's website, click to see their hours of operation, looked at the directions to the hospital or did anything with respect to a hospital website, to treat that as, essentially, an improper disclosure of information. Meta in this case was the direct target, but almost always they are the indirect target with respect to these lawsuits. The result in this case is pretty much parallel to what we've seen in the other cases. Now, there are 75 federal court actions that we're tracking with respect to these types of claims that have been going for the past two years. Of those 75, there have been a couple of settlements, a few partial decisions on the motions like the motion here. Almost all of the time the cases have survived. In none of those cases has a motion to dismiss been granted for a defendant such that the case was completely over. These are continuing cases all around the country and not just for Meta.
Antonio Rega: I think Paul covered that very well. The only thing that I would add is, you know, we're seeing a lot of concern about how organizations may have their opt outs, their privacy banners or disclosure set up. That's a really important part, at least from my involvement in these types of matters. My company's involvement is more in a sense of supporting Paul and his team and other attorneys in determining how an organization may be having their websites set up. That's going to be an important part of it. I think what's even more important right now in particular is how protected health information is being masked or anonymized or the lack thereof. We'll touch on this in a bit further down, but the specifics on how exactly it's being masked, or hashed is another way it's usually described. This is a pretty important part in light of these recent U.S. Department of Health and Human Services (HHS) notifications in late 2022.
Morgan Ribeiro: I want to take a pause here as we lead into another piece of our conversation, and that is, can you all define the difference between a pixel and a cookie? I think that's an important distinction to make.
Antonio Rega: I'm happy to chime in on that. Cookies are essentially small text files generally located on user devices that store information on certain browser activity and can be remembered when revisiting a website. Cookies do not follow users across devices, however, and are primarily used to enhance the user experience as well as for certain marketing purposes, whereas pixels or more specifically, tracking pixels, are bits of code placed on a website by the website owner or third party — Google and Meta are two examples — that tracks information about a user's interactions with the website primarily used for marketing purposes. These are less easily disabled and can track users across devices and websites.
Morgan Ribeiro: Very helpful. That really leads into the next question. So for years, patients and healthcare companies have been wrestling with privacy issues relating to cookies, pixels and other tracking technologies. The U.S. Department of Health and Human Services and the Office of Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), has not substantially involved itself in this debate up until somewhat recently. In December of last year, without public comment, OCR came out with a bulletin that really will profoundly impact this conversation. Paul, can you tell us more about what was included in this bulletin?
Paul Bond: This OCR bulletin that came out has guidance on third party tracking, and essentially they took a very broad view on the types of pages or services that implicate HIPAA requirements. For context, it's not unusual for there to be two parts to the digital domains of a healthcare provider. The first part of it is the public-facing website that anyone can go to, anyone can navigate around and there's no requirement for you to authenticate yourself to log into anything. The general public can go there to find a doctor, they can go there during COVID to learn more about recent research or tips, employees can go there to find potential job opportunities. When you want to access patient records, there's a portal from that public section to your electronic medical records. There's something that you have to log into, and it's provided by either the hospital or one of a number of third party service providers that takes you into the patient portal that you set up. I think most of us expected that when it came to your interactions with your electronic medical records, your activity within that user-authenticated patient portal, that we were in HIPAA land. That's classic HIPAA stuff where the privacy and security rules would directly apply. I think what was surprising — and, to a certain extent, unprecedented — about the OCR opinion at the end of last year was that they applied the same view with respect to the first part, the public website. If you go to a healthcare provider's website, you are seeking healthcare. If you are using cookies or pixels on that site in such a way that it will send even your IP address to that third party service provider, and the fact that you are looking around any page on that public website, that that is potentially an impermissible disclosure [of] protected health information and something that could be subject to serious penalties under HIPAA.
They're applying that HIPAA model to everything on the hospital website, and they are saying it doesn't matter if Facebook doesn't automatically learn your name or healthcare condition or anything else. The fact that an IP address goes to Facebook is enough for Facebook or Google, or insert third party, to figure out who you are and to link you with the fact that you're looking for healthcare information and essentially to implicate all of the regulatory apparatus. It was a pretty exceptional decision, which left a lot of anxiety and concern for the hospitals and healthcare organizations as well as the public. We've heard a lot from healthcare organizations talking with patients about what is and isn't disclosed by third parties in the course of using normal tracking technology and helping them understand that just because there was this HIPAA directive and some follow-up enforcement letters, it's not a breach of electronic medical records. We're really talking about stuff on the periphery.
Antonio Rega: I think those are all very astute points. What I'd also add is it almost assumes that it's always the patient logging into the websites when it can be a family member or friend or even someone that could be not really affiliated or looking specifically for health information. It could be someone who is just curious about certain services. I think that the fact that it's so broadly defined or all-encompassing is one of the key areas of concern, and it's one of the reasons why a lot of healthcare-related organizations are really reassessing, vetting and concerned about how they have their current configuration set up, among other concerns, of course.
Morgan Ribeiro: There's certainly a lot packed into that bulletin. If HIPAA-covered entities and business associates use tracking technology, what is this bulletin guiding them to do? I want to jump into the more practical implications of this.
Paul Bond: Their first line implication is don't use these technologies unless — essentially, if HIPAA applies, and this is a disclosure of protected healthcare information, you're only allowed to disclose protected health information under a few circumstances. You can do it with the informed knowing consent of the patient. You can do it for certain other treatment-related purposes. You can do it in connection with a vendor with whom you have a certain type of agreement, a Business Associate Agreement (BAA). The options are don't use this third party tracking technology, use third party tracking technology and limit or obscure the information that you're sending that's arguably not protected health information. Enter into a Business Associate Agreement with the third party that you're sending the information to. The other option is to get informed knowing consent, which is a very high standard from the individual patient. Antonio, is that generally the framework?
Antonio Rega: Oh, absolutely. I think those are some of the key areas and we'll be sharing momentarily a few more specifics from a technology perspective and a website configuration perspective, or at least considerations of what could be considered potentially in violation, but I think you've covered it all quite well.
Paul Bond: There's one point that, before we get too far, I don't want to miss. When we look at what the definition of protected health information is, part of it has to be it's personally identifying information. There's been regulatory controversy, and controversy in court, over what's really personally identifying information. In HIPAA, there's a list of things that you have to take out of a data set to say that it's de-identified, not personally identifiable information. So you'd have to take out the name, you'd have to take out the Social Security number, take out the address, the phone number. Even including something called an IP address, which not everyone may be familiar with. Antonio, can you explain what an IP address is and how it's linked to our online activity?
Antonio Rega: So an IP address is essentially a unique identifier that's tied to a computer and oftentimes is part of the header information of a given URL and website. That detail is typically included whenever you're visiting a website. So that IP address could tie you and your activities to your browsing sessions as well. It's an added identifier that allows tracking tools to be able to have an additional piece of information, including potential geolocation. While it's not always very specific and targeted, it could, it could vary depending on how focused the geolocation is, but it does indeed include that along with other potential identifying information.
Morgan Ribeiro: I think that it's helpful to have that definition as well. I think we should also look at the practical implications of this, and that is, how do privacy and security departments work with counsel? A lot of counsel right now are really facing this new frontier, right? A lot of them do not get into this, you know, being a general counsel at a healthcare company, knowing the ins and outs of data privacy and security, and it's just such a new area. And that partnership between privacy and security departments, you know, all the folks that kind of live and breathe this every day, but how do they really work together to comply with this new guidance and ultimately mitigate litigation and regulatory risk?
Antonio Rega: I could cover a few of these initially, and then Paul could chime in as well. Though I will say that he already touched on some of this already in his prior response, which is strongly consider removing certain tracking technology or limiting their placement on certain sensitive pages. So really understanding how you have your marketing analytics set up and how they're configured, and what type of information is potentially being sent to these third parties. That's very important. We talked about Business Associate Agreements and ensuring that that is either signed by third parties or really revisiting the extent to which certain third parties refused to sign those and whether or not it would make sense to no longer continue to have and utilize that tracking technology in most scenarios. Evaluating and improving governance over new websites and mobile apps for compliance purposes, including the hardening of procurement and vendor oversight programs and the development of rules of the road for healthcare information technology, marketing and digital teams within an organization is very important. Another thing that is, again, under heightened scrutiny now, and we talk about anonymization and masking of personal information, but that's really going to be emphasized even more greatly now with some of the more recent guidance. So vetting the masking protocols for any transmission of personal information and making sure the ID masking is HIPAA compliant. It's not enough to just necessarily involve cryptographic hashing because it can be decrypted. What it also needs, and this is, I believe, specifically called out as well, is including a secret key, which is essentially a password. Hashing without a secret key makes your data susceptible to a dictionary hack where the attackers could use cross-referencing of data sets to identify the user, which of course would raise all manner of protected health information flags.
Paul Bond: I'd say that working with the technical side and working with the legal side is hugely important. It's even useful to involve late litigation counsel before there is litigation, if nothing else, to understand reports from the field about which kinds of healthcare entities are being targeted, why they're being targeted and what's being said in the complaint. I think this is one of those things where the word is getting out for sure, but there's still a lot of healthcare organizations where this is not on the top of their list of compliance concerns. And they may think, we're not doing anything weird or funny with Facebook or third party tracking. The answer really is you don't have to be. The kind of thing that we're talking about, this Facebook and Google third party tracking, at one point more than 90 percent of the top 100 healthcare providers were using these. Not for any nefarious purpose and not just for even promotion. We've seen claims over cookies that are used for security purposes, claims over cookies that are used to find broken links or to understand how people click around on a site. This is a very generic technology widely used for these purposes. I think the risk awareness has to even flow down to that sort of plain vanilla technology.
Morgan Ribeiro: Is there anything that you all would want to note about this activity that we've seen related to the bulletin and what's resulted from it, since December of last year?
Paul Bond: Since the December bulletin, we have seen a few additional developments on the regulatory and legislative side. For example, on May 22 of 2023, the American Hospital Association (AHA) sent a letter to OCR on the HIPAA privacy rule online tracking guidance, and they objected to the guidance on behalf of the AHA, urged HHS to modify or rescind the guidance. They said, look, it's way too broad because again, what you're talking about in this guidance isn't just what's behind the patient portal, which we can all agree is protected health information (PHI). What you're talking about is the information that's available to the world. These public web pages that are used by a variety of people who are not just patients, but can also be family members, employees, bots who are doing scraping, people who are researching medical conditions or people in the community. There's no reason to think that everyone who visits a hospital website is a hospital patient. They also said, look, you're misunderstanding the technology. You know, under your reading of this rule, HHS, even information that is temporary, that doesn't really link to anyone in any permanent or reliable way, would be considered protected health information. They say it's too much and you're penalizing the normal use of technology. But in July, the Federal Trade Commission and OCR sent warning letters to 130 hospitals, seeming to double down on their positions in the bulletin, and sent out a joint letter saying, "hey, we mean it, we notice that your hospitals are or have been using some of this technology. We want to draw your attention to the guidance that we previously issued and you continue with the use of this technology at your risk." In September, the AHA sent a letter to the Senate Committee on Health, Education, Labor and Pensions, essentially urging HIPAA to be amended and/or for this guidance to be rescinded. But so far, the guidance the HHS gave in December is still on the books.
They are still open to enforcement of it, and I would say seem to be moving from education mode to investigation mode, I assume. And the class action lawsuits keep on piling in.
Morgan Ribeiro: Antonio, anything you want to add there?
Antonio Rega: The only thing that I would add is, from our own experience, all the things that Paul touched on have led to increased attention and outreach from healthcare organizations to us to help in an expedited fashion, frankly, in helping them with their guidance on how their websites are currently set up, what their potential concerns are, doing an assessment and vetting of the risk profiles that may be in play, whether or not they have these third party tools set up properly. You know, I touched on earlier, and Paul mentioned it again very astutely, about the other entities that may be visiting the website, and the bot example is a very good one because that's a very routine process that seems to be wholly ignored as part of this updated guidance. I think right now, because of the uptick in investigation and litigation, it's creating a lot of concern among key stakeholders and organizations. While that is an area that we can advise on and provide recommendations, it's also something that, at least at current pace, may not be sustainable long term.
Paul Bond: It's easy to fall into extremes when considering this issue. Now, I think the OCR position from December of 2022 is one level of extreme, considering essentially any click anywhere on a hospital website as potentially PHI. There's the other extreme, which is not knowing about or ignoring some issues in connection with data transfer. And then I think most people are aiming for that middle of the road, which is understanding the importance of securing and keeping confidential access to electronic medical records and then looking at their website with kind of a heat map in mind to understand. For example, here are the risk factors for the public website, including proximity to the patient portal. Is this something that leads, even if it's not where you sign in yet, is it something that leads to where you sign in? That seems more dangerous than directions to parking, or something where you are specifically searching a particular condition or looking for a particular type of doctor. Those things are part of the heat map that then you can decide to reduce tracking on those red zones or enter into BAAs or do something else.
Morgan Ribeiro: We've spent a lot of time talking about the OCR and the bulletin that came out last December. Beyond that, the FTC has also come out with some decisions and given some attention to this topic. We actually recently covered this in a podcast with Holland & Knight's Ashley Thomas. I'm curious just to get thoughts from both of you on recent enforcement activity by the FTC on this issue.
Paul Bond: There's a limit to how much I can comment on that other than to say the FTC is very serious about this issue. They have for years been gearing up their technological sophistication and independent ability to test and verify what companies are saying about their privacy practices, to test whatever they're not saying. They do seem to be, again, as with many branches of the government, moving from a long education period into more of an enforcement mode.
Antonio Rega: I would just briefly add that as far as organizations, the potential negative impact to their brands is quite notable and also a big influencer in how they may choose to proceed or their considerations. Negative news, any sort of indication of litigation — those are all things that can potentially dramatically negatively impact the brand. Of course, those organizations that have cyber insurance panels and the impact that that would have on various types of cybersecurity-related insurance that they have in place, these are all things that absolutely have a pretty dramatic impact potentially on an organization's thinking and procedures internally on how they choose to apply their strategies to these types of news items.
Paul Bond: For sure their licensure and their status as a regulated entity in their position is, and close behind is litigation liability, the risk of liability. I know I said we've been tracking all these suits, and there haven't been so far, you know, multibillion or hundreds of millions of dollars jackpots. But the cases are still in progression. What plaintiffs threaten, what they demand when they file a complaint is they say, "look, you violated this state wiretap law." We dispute that. The state wiretap law provides for $100 per day or $1,000 or $10,000, whichever is greater, depending on the state. So potentially $10,000 times your 2 million visitors, $100 per day times two or three years times your millions of visitors. Then the money becomes cartoonishly large really quick. Until some of these suits are batted down one way or another, that risk is going to be something that it's difficult for institutions to quantify realistically and it's difficult for them to work through.
Morgan Ribeiro: You're looking at OCR, FTC, the U.S. Securities and Exchange Commission and other regulators have inserted themselves into this conversation and issued guidance on the topic. We've talked about some of the negative impact of noncompliance with the guidelines, but anything else, Antonio, that you might note here?
Antonio Rega: I think other than the key issues that I referenced, just with respect to the impact to organizations and their internal infrastructure — and this is something that we'll touch on towards the tail end — it is really just how they handle these things and the extent of attention, and I already touched on this because it's an important point, is, you know, determining the extent by which they need to focus their attention on this as an organization. A lot of this, of course, will depend on how confident they are in their risk posture and their privacy-related guidelines internally, the extent to which they may or may not have something formal in place. I think the key factor here is just there is a sense, depending on the organization, that there's a little bit of scrambling about how to deal with it internally and how to manage their resources internally and how much attention they should be focused on to deal with these issues. As you know, the news tends to increase in frequency as far as litigation and related actions.
Paul Bond: Another consideration here is trust. Trust is the currency of being a healthcare provider, especially these days. This is one more thing for patients to worry about. To be able to quickly and easily explain how you’re keeping them safe and their information private is only going to help you fulfill your mission.
Morgan Ribeiro: So if you are faced with a class action, are there certain things, recommended steps that counsel and others at a healthcare organization should be considering as far as data preservation or analysis measures?
Paul Bond: That's really well put, and obviously we rely on our trusted vendors for a lot of this legwork. I will say part of what we do when there is a suit, in addition to the preservation of first party data, there's the issue of reaching out to third parties who have assisted with the placement of ad tech. So if your hospital or healthcare organization relies on third party marketing companies, as many do, and they have the controls or they have the records, you can make sure that those are being preserved. And then I think, in addition to preservation, the other kind of data, one thing that we're thinking about, is what changes do we want to make to the website now in terms of presentation, policies, terms of use or use of the tech? Because what happens when somebody files a class action over one of these things is that you flip from a situation where they say you should have known X, Y, Z, what's happening to them, to saying, you know, I put you on notice. If there's a feeling that any of the points made in the complaint is valid, you know, now's the time to shore things up in our confidence moving forward.
Morgan Ribeiro: I think just maybe to dive into some more specifics on any additional recommendations that either of you might have for organizations that want to proactively be preparing for this new world or otherwise, how to best position their organization kind of after a class action. So just curious if you all have any additional tips or guidance and maybe more specifics on how healthcare providers need to be thinking about this?
Antonio Rega: I could start, and then I'm sure Paul will have added comments, too. Some of these are recurring themes that we hinted at or alluded to earlier. The healthcare marketing teams and their vendors need to keep in regular contact with legal compliance, privacy, IT teams, all the internal key stakeholders, about the potential implications for HIPAA violations due to the deployment of tracking tech tools from third parties. And some of the ways that could be done is setting up internal working groups or committees where there's regular meetings to establish proper internal communications across key stakeholders in compliance, privacy and the website managers. Some companies are now requiring pre-approval prior to the installation or deployment of certain ad tech or tracking technology. We touched on this already, and it's worth underscoring again, is aiming to have these third parties sign BAAs prior to utilizing any of these tracking tools. Meta and Google are two examples of organizations that will not sign BAAs, or at least they've indicated that they wouldn't. That's obviously something that factors into the decision making process. Then also internal training on website usage. Website managers need to be aware of the changes and definitions of what's deemed personal information through these new regulations, case laws and regulator guidance. I'll also just very briefly add that we sometimes help organizations by conducting reverse penetration testing where we could identify and flesh out what sort of information was leaving an organization as far as potential personal identifiable information (PII) or PHI, so those are steps that can be taken.
Morgan Ribeiro: Very helpful. Anything else that you guys want to add?
Paul Bond: No, I think this was a great conversation. Thanks for having us. And I think this will be a spot to continue to watch as we move forward.
Antonio Rega: Yeah, likewise.
Morgan Ribeiro: Awesome. Thank you both.