Healthcare system websites continue to face uncertain regulatory terrain
Data collected on unauthenticated provider websites and shared with third parties still poses a liability for regulators and a potential trigger for class action lawsuits, said Iliana Peters, attorney and shareholder at law firm Polsinelli.
Broad scope of third party data
The battle over tracking on hospital websites has been going on for the past two years, ever since a Baltimore patient filed a class action lawsuit against Facebook parent company Meta Platforms, claiming it was using its tracking tools to access patient information from healthcare system websites and portals for targeted marketing.
Since then, politicians have held hearings on Capitol Hill. The U.S. Department of Health and Human Services has issued new tracking rules. The American Hospital Association has filed suit.
Most recently, HHS filed and quickly dropped an appeal in AHA v. Becerra, which sought to bar enforcement of the Office for Civil Rights rule governing the use of online tracking tools.
What comes next is uncertain, but healthcare organizations still face a significant burden, Peters says — and they need to stay aware of how their tools can leave them vulnerable to costly lawsuits and civil penalties.
“They don’t realize the magnitude of the data collected by these third-party entities,” Peters said.
A study published earlier this year found that sharing hospital website user data with third parties is common. The privacy policies of the providers examined in the study were largely inadequate in how they disclosed the use of third-party tracking technologies to consumers.
Last summer, after HHS dropped its appeal in AHA v. Becerra, the hospital group applauded the fact that health care systems can “securely share reliable, accurate health care information with the communities they serve without fear of federal civil and criminal penalties.”
But Peters says questions still remain about the use of other tools such as appointment scheduling, geolocation features, translation tools and chatbots on unauthenticated websites.
“Other activities might well be within scope, because the ruling does not say that they are not,” she explained.
“The state law requirements are all still up for debate, and in some cases are stricter than HIPAA. So honestly, this didn’t change much.”
“You still need to take steps to protect data,” she said.
Trolls in gray areas
Peters, who was OCR’s acting deputy director for the Data Privacy and Security Program at the end of a 12-year tenure at HHS, said that HHS has opened more than 100 cases related to this activity under HIPAA, while states and the Federal Trade Commission have also initiated multi-million dollar lawsuits.
The biggest risk is a class action lawsuit.
“We are seeing hundreds of thousands of lawsuits related to these activities and demands from plaintiffs’ attorneys,” she said.
They troll healthcare websites with publicly available cookie trackers.
“Anyone can get one.”
They then review the entities’ terms of use in their online privacy policies to see if these activities are discussed, if consent is obtained, and if other applicable legal requirements are met.
“Several of our clients have received multiple demand letters for thousands of dollars from various plaintiffs’ attorneys in this regard,” Peters said.
“It really is the Wild West right now and the plaintiff’s lawyers are taking full advantage of the lack of good case law.”
Providers must remain risk-averse
Understanding all the data that third-party tools collect and use and following all legal requirements for consent and data use can be a tough task, especially for those dealing with multi-state requirements and all the different types of data, said Peters.
While the policy is unclear about data collected on public websites, it is also not clear “why all this protection is needed for data when it is very likely that the person who is the subject of that data does not expect that data to be protected.”
The hard part for health care organizations “is that they have a mission and they need to meet their patients where they live, in the language they prefer, with services that are easy to find,” she said.
They cannot always do this, because many of the vendors who provide translation and mapping services do not sign business associate agreements. But there is a lot of confusion, because much of the data in question could, under HIPAA, be put on a postcard and mailed for all to see, she noted.
“It’s like trying to reconcile an equivalent of an electronic postcard.”
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.