Tips to manage safe pixel tracking

Online tracking tools like pixels are coming to the forefront of the healthcare policy debate.

Last month, the American Hospital Association and several allies in Texas sued the U.S. Health and Human Services Office for Civil Rights in an effort to block enforcement of a December 2022 directive that would ban the use of pixels on websites and mobile apps by HIPAA covered entities and business associates.

In September, Advocate Aurora Health agreed to pay more than $12.2 million to settle a class action lawsuit over a pixel-related data breach. A number of similar class action lawsuits against health care systems and providers are pending.

Betsy Hodge, partner in the healthcare practice of Akerman, a national law firm, advises clients on preventing healthcare information breaches and complying with relevant federal and state healthcare privacy laws. She spoke to Healthcare IT News about the privacy and security concerns that pixels have raised and how healthcare organizations can implement tracking tools safely and ethically.

Q. What are pixels and what do they do?

A. Pixels are online tracking tools embedded in websites, mobile apps, and emails as small, transparent images containing code snippets that send information back to a server hosting tracking software. They record data points such as IP addresses, browser types, operating systems and screen resolution. They can also be used for targeted advertising. Normally you wouldn't know they are there. They run in the background.

Q. How do pixels differ from cookies?

A. Pixel trackers and cookies often work together to send information back to the tracking technology company about the user and how the user interacts with the site. Pixels reside on websites, while cookies are uploaded to the user's computer or phone. However, cookies can be disabled (by users). Pixels you really can't turn off that easily.

Q. What are some specific concerns about pixels and health data?

A. There is a lot of health data out there that is not generated or retained by organizations subject to HIPAA, including health app developers. Now the Federal Trade Commission has stepped in to regulate those health apps that aren't covered by HIPAA, because healthcare information is especially sensitive and can reveal a lot about an individual.

There are certain categories of health information that have historically been considered highly sensitive, such as mental health, substance use disorders, and sexually transmitted diseases. Now, in the wake of the Dobbs decision (the 2022 Supreme Court ruling that overturned Roe v. Wade), reproductive health information is considered highly sensitive given some of the (anti-abortion) laws passed in certain states. Healthcare providers treat this with even greater sensitivity and attention.

The concern is that to the extent health information is obtained by these pixels and then shared with third party tracking technology companies, this could be an impermissible disclosure of that information. The concern is how that third-party tracking company uses that health information. Can they trace the information back to a person and does that person know that that information has been shared with a third party? Unauthorized disclosure of such information could have serious consequences.

Q. What consequences do you see?

A. The Federal Trade Commission has been very active in this area regarding health apps and other health companies not covered by HIPAA, and has recently entered into a number of consent orders or settlement agreements with companies over their impermissible disclosure of health information, including the use of tracking technology. I think about BetterHelp and GoodRx.

We are also seeing a number of class action lawsuits being filed against healthcare systems over their alleged use of tracking technologies and unlawful sharing of data with the tracking technology companies.

Q. How should healthcare organizations and patients protect themselves?

A. From the organizational side, I think the first step is to confirm if and how you are using tracking technologies. Often it may be the marketing department that wants to use the tracking technologies because they want to get data about which web pages are more effective than others or which advertisements generate a better return – legitimate business purposes. But they may not think about privacy regarding personal health information. So first make sure you use these technologies and how you use them.

Educate your employees about the use of these technologies and how they may violate HIPAA or the FTC Act or even state laws regarding sharing personal health information, including training your marketing team or whatever department is responsible for implementing the tracking technologies. Then also understand what data is collected by these tracking technologies and with whom that data is shared.

Some healthcare-related entities develop their own tracking technologies internally and use their own tools. In that scenario, you don't have to worry as much about an unauthorized disclosure because everything is done in-house. But not every organization has the opportunity to do that.

Organizations should also find out what consents or permissions they have from individuals if the health information is shared or disclosed to a third-party tracking technology provider, and then assess whether their practices related to sharing or disclosing data through tracking technology comply with HIPAA, the FTC Act, the FTC Health Breach Notification Rule, or any applicable state law, and then find out whether you need to adjust the way you use tracking technologies to minimize the sharing or disclosure of health information to third parties.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
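
As a starting point for the first step described in the interview (confirming whether tracking technologies are in use, what data they collect, and with whom it is shared), the following added example, which is not part of the original article or the interview, inventories third-party image, script and iframe loads in a page's HTML and lists the query parameter names each one sends. The hostnames and sample markup are constructed placeholders, and treating a 0/1-pixel or hidden image as "pixel-like" is an assumed heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class TrackerInventory(HTMLParser):
    """Collect third-party img/script/iframe loads from one HTML page."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def _is_third_party(self, host):
        # The site's own host, or any subdomain of it, counts as first party.
        return bool(host) and host != self.first_party and not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        host = (url.hostname or "").lower()  # relative URLs have no hostname
        if not self._is_third_party(host):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append({
            "tag": tag,
            "host": host,
            # Parameter names show which data points leave the page.
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            "pixel_like": tag == "img" and (tiny or "display:none" in style),
        })

def inventory_trackers(html, first_party_host):
    parser = TrackerInventory(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; every host below is a placeholder, not a real vendor.
SAMPLE_PAGE = """
<img src="/static/logo.png" width="120" height="40">
<script src="https://cdn.hospital.example/app.js"></script>
<img src="https://collect.tracker.example/p?uid=123&page=%2Fappointments%2Foncology&res=1920x1080" width="1" height="1" style="display: none">
<script src="https://tags.adtech.example/tag.js?id=ABC"></script>
"""

if __name__ == "__main__":
    print(*inventory_trackers(SAMPLE_PAGE, "hospital.example"), sep="\n")
```

This reads static HTML only, so trackers injected at runtime by a tag manager or other script will not appear; the output is an inventory to review with the teams that own each tag, not a compliance determination.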
