This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

Court Tosses HHS Rule about Online Tracker Privacy

In recent years, lots of litigation has claimed the online trackers such as the Meta pixel violate HIPAA (and other federal and state laws) by disclosing protected health information.  In response, the federal agency that enforces HIPAA's medical privacy requirements issued guidance in late 2022 to ban common uses of the pixel and similar trackers unless (1) the patient has consented or (2) the provider of the tracker signs a Business Associate Agreement and agrees to be bound by HIPAA.  In late June, a federal court threw out that guidance as overreaching.  

WHY IT MATTERS

Plaintiffs' lawyers have latched on to online trackers and are aggressively pursuing litigation across the country, claiming that the commonly used tools are a privacy violation.  Because they do not have a standard privacy law or laws to work with, however, they have been trying to retrofit old laws – such as HIPAA and wiretapping statutes – to cover the use of pixels, cookies, session replay technology, and other commonly-used back-end tools.  Such tools are provided by analytics services, in connection with customer support chat functions, to power shopping cart/merchant services, allow websites to offer scheduling modules, and more.  Any small website operator is likely to have at least one such tracker on its site, if it uses services provided by any third party such as a social media company.  The plaintiffs' lawyers are going after those smaller site operators in many cases, rather than the large tech companies that provide the trackers.  

In the case of HIPAA claims, a scheduling module is often cited as the offending technology because it may allow the tracking site to see or infer what its users are doing when they interact with a medical provider's site.  HHS' guidance would have imposed HIPAA-level privacy treatment on such data.  

These technologies, which include Meta Pixel code, are added to websites and provide beneficial functions; however, they also collect data on website users and transfer that information to third parties. The information collected may reveal diagnoses, reasons for appointments, health concerns, and other potentially sensitive information that can be tied to individuals by identifiers such as IP addresses. In the case of Meta pixel code, collected data is sent to Meta (Facebook) and may be made available to third parties, allowing targeted ads to be served....Many website users were unaware that their actions on the websites were being tracked and their information was being transferred to third parties. Many lawsuits have since been filed.... OCR’s guidance ... essentially banned these tools unless authorizations were obtained from patients or the providers of the tools signed a business associate agreement.

Tags

data security and privacy, hill_mitzi, insights, health care