In recent years, lots of litigation has claimed that online trackers such as the Meta pixel violate HIPAA (and other federal and state laws) by disclosing protected health information. In response, the federal agency that enforces HIPAA's medical privacy requirements issued guidance in late 2022 to ban common uses of the pixel and similar trackers unless (1) the patient has consented or (2) the provider of the tracker signs a Business Associate Agreement and agrees to be bound by HIPAA. In late June, a federal court threw out that guidance as overreaching.
WHY IT MATTERS
Plaintiffs' lawyers have latched on to online trackers and are aggressively pursuing litigation across the country, claiming that the commonly used tools are a privacy violation. Because they do not have a standard privacy law or laws to work with, however, they have been trying to retrofit old laws – such as HIPAA and wiretapping statutes – to cover the use of pixels, cookies, session replay technology, and other commonly used back-end tools. Such tools are provided by analytics services and are used in connection with customer support chat functions, to power shopping cart/merchant services, to allow websites to offer scheduling modules, and more. Any small website operator is likely to have at least one such tracker on its site if it uses services provided by any third party, such as a social media company. In many cases, the plaintiffs' lawyers are going after those smaller site operators rather than the large tech companies that provide the trackers.
In the case of HIPAA claims, a scheduling module is often cited as the offending technology because it may allow the tracking site to see or infer what its users are doing when they interact with a medical provider's site. HHS' guidance would have imposed HIPAA-level privacy treatment on such data.