A recent ruling by a federal judge in Illinois in a case involving the use of website tracking technologies known as pixels raises the question of whether the HHS Office for Civil Rights’ (OCR) stance on forbidding their use on health providers’ websites will pass scrutiny by the courts.
The July 24 ruling from U.S. District Court Judge Matthew Kennelly in a case against Rush University System for Health doesn’t definitively state that website pixels shouldn’t be regulated under HIPAA.[1]
However, the judge disputed whether the tracking technologies fall under the definition of individually identifiable health information (IIHI), saying that “the interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear.”
“Coupled with the Supreme Court’s recent use of the ‘major questions’ doctrine to reject agencies’ interpretations of their own statutes, [Kennelly’s ruling] raises questions of whether the fever over website pixels and analytics on health care websites will result in much ado about nothing as federal courts weigh in,” wrote attorneys Matthew Stein and Scott Lashway of Manatt, Phelps & Phillips LLP.[2]
Suits Allege Privacy Breaches
Hospitals and health systems faced a flurry of class-action lawsuits alleging breaches of privacy following revelations in 2022 that most health care organizations used website trackers that transmitted tracking data to technology giants such as Google and Meta, the parent company of Facebook.[3] In the 14 months since the issue first arose, multiple health care organizations reported breaches to OCR that involved website pixels.
For its part, OCR issued guidance in December 2022 clarifying that covered entities and business associates are not permitted to use the technologies “in a manner that would result in impermissible disclosures of PHI [protected health information] to tracking technology vendors or any other violations of the HIPAA Rules.”[4]
In fact, OCR Director Melanie Fontes Rainer said at an industry event in March that web-tracking technologies represent “an area of enforcement priority and interest for OCR, particularly in light of the public attention we’ve seen” with pixels in reproductive health care, substance abuse and behavioral health, “which we think is problematic. And so we want to make sure we’re being responsive to what we’re seeing.”[5]
The OCR guidance notes that these tracking technologies might exist on a webpage where they can access PHI, in which case HIPAA rules apply. Rainer said in March that OCR’s goal is to drive voluntary compliance with the regulations.
The Federal Trade Commission (FTC) has also been active in policing pixels: In February, the FTC took action against prescription drug discount provider GoodRx for unauthorized disclosures of consumers’ personal health information to technology companies.[6]
To date, OCR has not announced any enforcement actions against organizations using the tracking technologies. However, in July, it teamed up with the FTC to send a joint letter directly to more than 100 hospitals and health care systems, along with telehealth companies, warning them about tracking technologies.[7]
The letter is meant to “draw…attention to serious privacy and security risks related to the use of online tracking technologies that may be present on [their] website or mobile application (app) and impermissibly disclosing consumers’ sensitive personal health information to third parties,” the two agencies wrote.
