Ignorance is no longer an excuse: A Timeline of Events Around Tracking Technologies in Healthcare
In the Latin language of the law, there’s a phrase:
Ignorantia juris non excusat
“Ignorance of the law is no excuse.” The idea is that not knowing something is wrong (sharing medical information about patients or users, for example) doesn’t mean you’ll get away with it. Your ignorance is no excuse.
But for much of the time that HIPAA and tracking technologies have co-existed (the HIPAA Privacy Rule was initially written in 2001; Google Analytics launched in 2005; Facebook Pixel launched in 2015), ignorance does seem to have served as an excuse. Healthcare companies and providers used these technologies and shared sensitive information with these companies against the HIPAA guidelines.
But 2022 was the start of an ignorance inflection point. Healthcare providers and tracking companies are now being sued for non-HIPAA compliance, journalists are investigating these compliance violations, and HHS has updated its guidance to be clear about what isn’t allowed.
Even if it was once an excuse, Ignorantia can no longer exist. The suits, the stories, and the guidance are all now in front of you and clear: stop using native tracking technology if you are a healthcare provider or company.
Here’s a breakdown of the nine events over the past year that have led to this inflection point.
January 2022 - Mass General settles “Cookies without consent” $18.4M
Mass General denied that any protected health information was shared, and this wasn’t a strict HIPAA-led lawsuit. Instead, the plaintiffs were suing based on a general invasion of privacy. But the large settlement showed how seriously courts were starting to take online privacy around tracking, particularly in relation to medical privacy.
June 2022 - Investigation by The Markup
A critical juncture in understanding the scope of this problem was the release in June 2022 of The Markup’s investigation into how hospitals were tracking online visitors to their websites.
The Markup looked for the Facebook Pixel on the websites of the top 100 hospitals in the US. They found tracking technology on the appointment scheduling page of 33 of these sites. This means these hospitals were sending data about hospital appointments, such as dates and providers (PHI), to Facebook along with the IP address of the user (an individual identifier). This is a clear violation of the HIPAA Privacy Rule.
Alarmingly, they also found tracking snippets on password-protected pages of seven sites. This means they could have been sending all medical information about people visiting these pages to Meta servers.
The fallout from this investigation was huge, with a number of lawsuits against Meta (Facebook’s parent company) and these healthcare providers in the following months.
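The check The Markup ran is one any provider can run against its own pages before a journalist or plaintiff does. The script below is an added example, not The Markup’s tooling or code from this article: it parses fetched HTML, looks for the public loader snippets of the Meta Pixel and Google Analytics, and reports them only on pages whose URL path suggests PHI handling (appointment, portal and login pages). The tracker markers are the documented script hosts and calls; the path hints and the sample pages are constructed for the example and should be tuned to a real site.

```python
"""Flag common tracking snippets on pages that are likely to carry PHI.

Added example: scans HTML for the public Meta Pixel / Google Analytics
loaders and reports them on appointment, portal and login pages.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public loader hosts and init calls for the trackers named in the article.
# Assumption: this list is illustrative, not exhaustive.
TRACKER_MARKERS = {
    "Meta Pixel": [
        r"connect\.facebook\.net/[^/]+/fbevents\.js",
        r"fbq\(\s*['\"]init['\"]",
    ],
    "Google Analytics": [
        r"googletagmanager\.com/gtag/js",
        r"google-analytics\.com/analytics\.js",
        r"gtag\(\s*['\"]config['\"]",
    ],
}

# Path fragments that suggest a page handles PHI.
# Assumption: constructed heuristic; adapt to your own site structure.
SENSITIVE_PATH_HINTS = (
    "appointment", "schedule", "portal", "mychart", "login", "find-a-doctor",
)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def find_trackers(html):
    """Return the set of tracker names whose markers appear in the HTML."""
    parser = _ScriptCollector()
    parser.feed(html)
    haystack = "\n".join(parser.sources + parser.inline)
    return {
        name for name, patterns in TRACKER_MARKERS.items()
        if any(re.search(p, haystack) for p in patterns)
    }


def is_sensitive_path(url):
    """True when the URL path contains one of the PHI-handling hints."""
    path = urlparse(url).path.lower()
    return any(hint in path for hint in SENSITIVE_PATH_HINTS)


def audit_pages(pages):
    """pages: mapping of URL -> fetched HTML.

    Returns (url, tracker) findings for sensitive pages only, in input order.
    """
    findings = []
    for url, html in pages.items():
        if not is_sensitive_path(url):
            continue
        for tracker in sorted(find_trackers(html)):
            findings.append((url, tracker))
    return findings


# Constructed sample pages (not real hospital markup); the pixel id is a placeholder.
SAMPLE_PAGES = {
    "https://hospital.example/about-us":
        '<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX">'
        '</script></head><body>About</body></html>',
    "https://hospital.example/appointments/schedule": """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script></head><body><form><input name="provider"><input name="date"></form></body></html>""",
    "https://hospital.example/patient-portal/login":
        '<html><head><script src="https://www.google-analytics.com/analytics.js"></script>'
        '</head><body>Login</body></html>',
}

if __name__ == "__main__":
    for url, tracker in audit_pages(SAMPLE_PAGES):
        print(f"{tracker} loaded on PHI-handling page: {url}")
```

Feed it the HTML of your own crawled pages and treat any finding on an appointment, portal or login page as a disclosure to review, regardless of why the tag was added. A tag on a public marketing page is worth a second look too, since the HHS guidance covers PHI anywhere on the site.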
July 2022 - Class action lawsuits against Meta
Two lawsuits were immediately filed against Meta and the health systems involved, including the MedStar Health System in Baltimore, Maryland.
The first lawsuit also dragged in the health systems involved, the University of California San Francisco and Dignity Health. In this lawsuit, a patient claims that the Meta Pixel tool on the UCSF and Dignity Health patient portals sent her medical information to Facebook. As a result, she received ads from pharmaceutical companies specifically targeting her heart and knee issues. This is retargeting.
Retargeting is a core function of Facebook, where Facebook serves you ads depending on how you’ve interacted with a previous page. It suggests UCSF and Dignity Health shared PHI about the patient’s heart and knee problems from their sites to Facebook in order for Facebook to know to show a related ad. Retargeting at this specificity definitely suggests a HIPAA violation.
In the second lawsuit, a patient using the MedStar Health System in Baltimore, Maryland, sued Meta saying that when she logged on, the Pixel sent her information to Facebook, including the URL of the previous page she had been on about breast health. Page URL is a PHI identifier in the HIPAA guidelines, and even though at that point the patient wasn’t logged in, this can still be classed as a violation as MedStar sent both this page information about breast health and the patient’s IP address to Facebook.
August 2022 - Northwestern lawsuit
One month later, a federal lawsuit was filed in Illinois against Northwestern Memorial Hospital and Meta for sharing PHI.
The plaintiff found out that his medical information had been shared through The Markup’s investigation and sued for $5 million in damages because he alleged his medical information had been sold for profit. He was seeking:
- The $5 million damages
- Class-action status
- An order for Northwestern to remove any code that may jeopardize patient data.
November 2022 - WakeMed, Advocate Aurora, Duke, Northwestern class action lawsuit
November brought two more class-action lawsuits against healthcare systems.
Advocate Aurora Health is a health care system concentrated in the midwest. They had been using Facebook to retarget ads based on medical tests the users had taken or the procedures they had. The PHI of up to 3 million patients had been sent to Facebook.
Advocate Aurora Health is a good example that the intent doesn’t matter. Advocate said that the reason they were using tracking and targeting their patients was to improve the UX of the site and remind patients about preventative care.
WakeMed had fewer patients exposed, around 495,000. Like many of the sites in The Markup’s investigation, WakeMed’s appointment page had a Facebook Pixel tracking form data. This data was shared with Meta and, the lawsuit alleges, WakeMed made money from the data sharing.
December 2022 - HHS updates tracking technologies guidelines
Rounding off the year, HHS updated its guidance on using tracking technologies given the mounting lawsuits. The idea was to be more definitive about what was and wasn’t allowed regarding tracking technologies and HIPAA compliance. Specifically,
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
“Impermissible disclosures of PHI to tracking technology vendors” is everything that had already been litigated that year and had been flagged in The Markup’s investigation. The point of this guidance was to make clear two things:
- That PHI can be anywhere on your site, not just within a patient portal. If you are tracking a public page or an appointment page, those too can include PHI.
- Tracking within a patient portal is absolutely forbidden, no matter the intent.
You can read more about this HHS guidance here.
February 2023 - FTC fines GoodRx $1.5M
Come the start of this year, and the news switched away from just healthcare systems to the wider problem of healthcare technology. If you are dealing with any medical information about a patient, user, or visitor, you have to follow the HIPAA guidelines.
The FTC fined GoodRx $1.5 million for “deceptively” sharing information with Facebook and other providers and “cash[ing] in on consumers' extremely sensitive and personally identifiable health information.” It was serving ads to customers based on their use of GoodRx.
GoodRx also got its wrists slapped for misrepresenting its HIPAA Compliance:
“GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.”
February 2023 - Cedars-Sinai Medicine class action lawsuit
February brought another lawsuit related to The Markup’s investigation, this one against Cedars-Sinai Medicine for using tracking technologies on its website, where it had encouraged users to go, research, find doctors, and book appointments–all data it was then sending on to the tracking vendors, such as Facebook and Google.
The plaintiff in this case saw more health-related ads on Facebook after he had used the Cedars-Sinai website, and saw specific ads for the medical condition he disclosed on that site.
A difference with this lawsuit from the other 2022 lawsuits is that Facebook isn’t a defendant in this case–it’s purely related to the healthcare system and its mistakes.
March 2023 - FTC fines BetterHelp $7.8M
Which brings us to another fine for a healthtech company. This time BetterHelp was fined $7.8 million by the FTC for a similar breach of trust to GoodRx.
Like with GoodRx, BetterHelp had told the users multiple times that all data was confidential and nothing was to be shared with a third party.
But BetterHelp went ahead and retargeted ads to visitors to its site and app using sensitive information they had shared about their mental health. So people who wanted mental health help from BetterHelp saw their problems splashed across ads after they had reached out.
May 2023 - FTC fines Premom $100K and bars them from sharing data with Google
Premom violated the FTC's Health Breach Notification Rule by sharing sensitive health data with AppsFlyer and Google and failing to notify users. This one is a little different because it's not a HIPAA violation, but it is still a health information violation, which is enforced by the FTC.
The FTC's settlement with Premom requires the company to stop sharing personal health data with third parties, obtain consent before sharing any health data for any other purpose, and pay a fine of $100,000.
July 2023 - FTC and HHS issue a joint warning about the security risks from web tracking tools
The FTC and HHS sent a letter to 130 healthcare organizations alerting them that they might be at risk of violating HIPAA by using common web trackers like Meta’s advertising pixel and Google’s analytics platform.
The big takeaway is that this letter isn’t just a warning, it’s more of an ultimatum. The letter essentially said to these 130 healthcare orgs, “Stop sharing PHI with third-party platforms or face serious consequences.”
What will the rest of the year bring?
There can be no excuse now. If you are still using native tracking technology on your healthcare site, you are probably violating HIPAA. Stop now. If you are doing so and lying about it in your privacy policies, you are going to get fined millions of dollars.
More stories like this will come out as a) the clean-up from people not understanding the ramifications continues, and b) people continue to make the same mistakes. Don’t let that be you.
If you want to learn more about why tracking technologies could be tripping you up and what to do about it, download our comprehensive guide.