AHLA's Speaking of Health Law

Tracking Technologies: Legal and Operational Perspectives

November 10, 2023 AHLA Podcasts

Andrew Mahler, Vice President, Consulting Services, Privacy & Compliance, Clearwater, speaks with Robert Kantrowitz, Partner, Kirkland & Ellis LLP, about the evolving regulatory and enforcement landscape around pixel tracking and operationalizing policies and practices to mitigate potential liability. They discuss what tracking technologies are, OCR’s bulletin on tracking technologies and how organizations are responding, strategies for effective compliance, and where the overall conversation about tracking technologies and enforcement is headed. Since this podcast was recorded, the American Hospital Association has sued the Department of Health and Human Services to bar enforcement of its new rule restricting the use of third-party technologies.

Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains, purpose-built software that enables efficient identification and management of cybersecurity and compliance risks, and the tech-enabled 24/7/365 security operation center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 2:

Good afternoon. Good. Uh, good morning to everybody. Uh, thanks so much for joining the podcast today. My name is Andrew Mahler. Uh, I'm the, uh, Vice President of Compliance and Privacy with, uh, Clearwater Security, uh, uh, a leading, uh, provider of, uh, consulting services, uh, within the healthcare industry, cybersecurity, privacy compliance. And with me today, I've got Rob Kantrowitz, who's an associate with Kirkland and Ellis. Um, Rob, welcome and why don't you introduce yourself.

Speaker 3:

Hi, thanks. Thanks for the introduction for, uh, AHLA, for, for having us today. Uh, my name is Rob Kantrowitz. I, uh, uh, am attorney at Kirkland and Ellis in the New York office. Uh, do a lot of healthcare mergers and acquisitions, but also healthcare regulatory work with, uh, main focus on healthcare, technology and healthcare data privacy. So, really happy to be here today. Uh, one thing I have, I have to do is the, uh, typical disclaimer language, the opinions or statements made, made today are not of Kirkland and Ellis, but are, uh, my own.

Speaker 2:

Sure. Thanks. Thanks, Rob. And you know, what we're here to talk about today is something that has, has been really widely discussed, um, in, in a variety of contexts and, and, and environments over the past year or so. And that's of course, tracking technology and, and some of the ethical and regulatory and, and legal concerns that, uh, it raises for organizations. And, you know, my, my hope, Rob, is that we can share a, a bit of a different perspective today and, um, you know, maybe as part of that, why, why don't you share a, a bit of your background and, um, how, how you got to be at Kirkland and Ellis.

Speaker 3:

Oh, yeah. Um, happy, happy to do that. So I got into an interest in healthcare by

Speaker 2:

My

Speaker 3:

First year of law school, interning at a pharmaceutical company in the area. Kind of fell into the role, had no healthcare background whatsoever. My family's actually in the food business, so go figure. And I've just found it really interesting just the idea of working in, in the space and understanding how this, the work that's done in healthcare impacts people's lives. I thought that was really interesting. And seeing, seeing different innovative technology and developments and both life sciences, healthcare and things like that. So I found it really interesting there. And then, then from, from my first firm, I did a little bit of a general work, but gravitated towards working with, uh, you know, a, a mentor of mine who had a lot of experience in HIPAA and other types of healthcare data privacy matters. So did a lot of, uh, work with her. And from there, it just ended up at Kirkland through, you know, happenstance and certain opportunities presented themselves. And I really like doing the mergers and acquisitions work, and, you know, Kirk, Kirkland's a great place to do that, considering the volume of, of deals we do. So yeah, that's how I kind of got to where I was and always have an interest in doing healthcare, data privacy, healthcare technology, and, uh, yeah, excited to be here today.

Speaker 2:

Yeah. Great. Thanks, Rob. And you know, my, as, as you know, you and I talked earlier, um, I, my background is, is more in the compliance world and, and regulatory world. I, I tell people I'm a fake lawyer. Um, I, I started my, my career in this at, at OCR while I was in law school as an intern and, and got really interested in the work. Um, got to work on the first, uh, million dollar resolution agreement, um, many years ago. And then left and built privacy and, and compliance programs. Did a lot of work in the research compliance context, worked with hospitals, academic medical centers, and then, and then went on and, uh, in, into the consulting world and have been working with those types of people as well as, uh, their outside counsel for, uh, for about seven years now. So, really excited and, and looking forward to conversation where maybe we can share unique perspectives of, you know, how compliance officers, privacy officers, security officers think about this and, and then their attorneys. And there may be, you know, we may figure out there's some differences in approaches or, or some unique, uh, thoughts that our listeners should be, uh, thinking about when they're, they're discussing this internally.

Speaker 3:

Yeah, Andrew, you shouldn't sell yourself short though. 'cause I'm sure if you asked a litigator, they wouldn't think I'm a real lawyer either. So, <laugh>,

Speaker 2:

Right? It's like all, all in the eye of the, the holder, I guess <laugh>. Um, well, so why don't we just jump right in. Um, you know, without rehashing, you know, all of the ins and outs of tracking tech, I, I think it'd be helpful at least just to set, set the framework a bit. Um, and why don't you just share a, a little bit about the high level overview for those that may not be as familiar with, uh, with tracking tech and, and what that is.

Speaker 3:

Sure. So the

Speaker 2:

Tracking technology,

Speaker 3:

When you think about tracking technology, and they're not, you know, one of the things is not just the delicious treat, but also cookies, uh, which are, you know, small text files that are placed on a user's browser and typically are customized to help you, excuse me, used to customize a user's browser experience and things like that. Or, you know, most commonly some people are like, oh, how did this stuff, how did the website remember that my, the items I put in my shopping cart are still in my shopping cart? That's, you know, a very common example of how these, these technologies are used. The other one is tracking pixels, which are kind of small, hidden graphics with bits of code that I guess allow the website owner or a third party to track a user's visit on the website. So things like engagement and activity and the tracking pixels typically follow or can follow users across their devices and cannot be disabled or cleared like cookies, generally speaking. And other tracking technologies include session replay scripts or fingerprinting and using unique sets of configuration on the device to identify it and track user activity. So that's kind of a, a broad overview of don't, not trying to get too technical with it, but the best way to think about it is just kind of an invisible tracker when you're on a website or an app that, that tracks your motions and movements or clicks or things like that when, when you're doing, whether it's shopping or just browsing a website, trying to look up information. And so you are being tracked whether you like it or not sometimes.

Speaker 2:

Right, right. Yeah. And, and, you know, correct me if I'm wrong, but most of these, when we're thinking about pixels or tracking tech in general, these are, these are things that have to be more or less manually added to, to websites and applications or these things that, you know, as, as somebody's building a site, they sort of come along with the script.

Speaker 3:

I, I mean, a lot of depends. I guess it depends who you're using, right? I think when you're, when you're working with Google com, commonly, right, getting Google Analytics, sometimes <laugh>, turning those on and off is not always something that, uh, people think about when they're, when they're using 'em. And I guess that's kind of nature of our conversation today, right? It's, uh, the, the ability, the understanding that a lot of these track pixel tracking technologies are taken for granted when, uh, different organizations set up a website and track activity on those websites. I don't know if that answers, answers the question, Andrew.

Speaker 2:

No, no, that's, I mean, the reason I asked is, I mean, is, is exactly what you said. I mean, I, I think it's, it's helpful especially for those that are thinking about this sort of at the operational level, you know, to, to think about how they can have some, uh, power and control over, uh, over the discussion and, and help, you know, either minimize risk to patients or, or plan members or, or the community as well as the organization. So, um, I, I think that's, appreciate the answer there. Um, and you know what, what I think is interesting, and I don't, I, I don't know if you have the same perspective, but I think outside of some small circles, this, this conversation is, is pretty new, right? I mean, I, I don't, I don't really remember ha, hearing a lot about tracking, you know, ad tracking issues, at least from a potential regulatory or a litigation perspective. Um, you know, didn't hear a lot, um, but before last summer or so, and I, I don't know from your, your perspective, you know, if you were hearing about it and what, what conversations have been like.

Speaker 3:

No, so, so yeah, I would say relatively speaking, it's, it's a newer issue that those are paying attention to it. And I would, that doesn't minimize the fact that people are really paying attention to it now, or hopefully they are. 'cause regulators certainly are, and plaintiff's counsel certainly, certainly is. So, uh, I think back in, was it June 22, 22 already? Yeah, it's, it seems way <laugh> not as long ago as it as I guess it is, but the certain publications, I think it was like the version, The Markup came out with articles talking about how there're certain pixels that are on a lot of hospital websites and things like that. And it, it, it gain, gained a lot of buzz throughout the industry. And then from there, certain regulators seemed to be interested in it. And also some hospitals got a little panicked perhaps and certain self-disclosed for, for instance, with respect to the breach portal for OCR, for those who don't know, there's, there's something like, some people like to call it the OCR wall of shame. You end up on there if you have a breach of over a hundred, 500 individuals, 500 more individuals, and certain hospital systems went ahead and did that based on their reading of the use of pixels considering an auth, authorized use of disclosures. And then OCR took notice and came out with their bulletin. And, and I think Andrew, you've, you've ta, taken a look at that as well, and I, I wonder what your impression of that is.

Speaker 2:

Yeah, I mean, it's, it's certainly a, um, I would say it's a, it's somewhat controversial with, within our client, um, base, at least from what we see. Um, you know, OCR, uh, appears to have taken a pretty broad, uh, reading and interpretation of, of, you know, how some of these, um, well, I guess I'll say a pretty maybe broad interpretation of even what, what protected health information could be. And, uh, you know, I think back, even, even maybe before the Dobbs decision, you know, with, with the pandemic, there's lots of conversations about what is and isn't PHI and, and, uh, you know, how can we get a handle on, you know, what, what might be public health reporting versus what, what is truly PHI, you know, maintained, received, transmitted by a covered entity or business associate. And then getting into the, the sort of the wake of the Dobbs decision, a lot of fear and uncertainty around how technology could be used to identify people and, and, you know, maybe in ways that you're identifying actual patients and, and maybe also in ways that there may, they may not be patients or they may not be, um, individuals, you know, may not be PHI data at issue, but, but could raise some risks to that person. And, uh, and so as you said, you know, O, OCR worked to put out this bulletin and, and really what, what the big statement from the bulletin is, is that, you know, any regulated entity, right, which is a, could be a covered entity, it could be a business associate, um, not permitted, and this is, I'm just taking this right from the bulletin, not permitted to use tracking tech in any manner that results in an impermissible disclosure of PHI, uh, to the, to the technology vendors or, or would result in other violations of the rules. And so that kind of brings us back to what you were saying about the self-disclosure piece, the, the breach notification piece.
Um, you know, after this bulletin was released, at least certainly some of our clients, um, were not quite sure how to respond to it. And they, they sort of looked at their, their, uh, their inf, their online presence and online infrastructure and said, well, yeah, we, you know, we've got tracking tech enabled on some websites, we don't really know what it's exactly, if it's collected PHI or not. And so we're gonna report that as, as a breach, uh, because conceivably, you know, you could, the information that's being gleaned by the site and then transmitted to Google or Facebook or, or whomever else is information that could be PHI, it could be an IP address, or it could be a, a name or a, a, a location. And then it could relate to past, present, or future, you know, medical care treatment, right? Because it could be somebody that's visiting a hospital website to, to find a clinic near them. And, and, uh, it could potentially be something that's, that, that OCR might interpret as, as PHI, it's maintained by a covered entity. Um, and so they took a couple different approaches as they were, you know, I think they, OCR was sort of putting their heads together and I, I can't get in their heads, but I can sort of imagine that, you know, they're trying to put some, some boundaries up. And so the bulletin really outlines a couple different, um, you know, a couple different, I guess I'll say aspects or environments that, you know, may raise different levels of risks. And that's, that's the pages that are authenticated. So pages where you're having to enter in, you know, usually a, a username password that's linked to an account. Um, and of course, you know that, that I, I think many people would probably agree that's, that's likely PHI, you're likely a patient or, or a family member of one.
And then OCR said, well, there's, you know, other things that are, that are in unauthenticated webpage, and these are those pages that, uh, you don't have to authenticate. Maybe a homepage might be, um, you know, maybe another area of the website. But I, I think what's interesting is that, you know, OCR says, you know, even on those unauthenticated webpages, um, could have access to PHI and, and in which case the, the privacy rule, security rule applies and, and could be an incident that needs to be assessed as, as a potential breach. Uh, and then they give some, uh, of course, some, some examples to, to sort of help guide that. And, you know, I don't know from your perspective, uh, you know, first of all, Rob, I don't know if you have anything to add to that or clarify, but I also curious how your clients and, and how you're helping, you know, your clients think through this bulletin and think through some of the risks.

Speaker 3:

Sure. Uh, well, yeah, and, and, and to, to the, to your point about the authenticated versus unauthenticated. Yeah. The, the, the unauthenticated areas and their guidance is a little gray and probably by design, right? So giving, giving the regulator a little bit of rigor, wiggle room to weigh kind of the facts and circumstances of different situations, right? Sometimes maybe, you know, say it's a hospital website and you're just generally browsing, you move, you're, you know, someone whom just moved to a neighborhood or a city and they're trying to see what hospitals are nearby or something like that, right? You're not really a relationship with the, with any of the hospitals or necessarily have a condition, or, uh, would, would there actually be health information there just by browsing around, right? Versus maybe on an unauthenticated page for a specific, you know, cardiologist's office and maybe, maybe, maybe being inferred, right? That person has a heart condition or something like that, right? So there, there, there's definitely some wiggle room there, and it'll be interesting to see once, once OCR decides to enforce move, excuse me, move on with enforcement action here. I mean, and, and maybe I could talk about this a little bit in a, in a minute, but the FTC has been enforcing the use of pixels recently, you know, earlier this year, they've, they've been, they've been on it, OCR hasn't, hasn't done so, but they've FTC and OCR clearly and step in step, right? I mean, they sent that letter out, warning a hundred and something different hospitals and telehealth providers that of the risks of using pixel tracking. And I don't, I don't know, I see this as a pretty stern warning that should, that, that these entities should get their act together and really understand what they're doing with respect to pixels, how are they using it? And develop some sort of compliance mechanism with respect to them.
And, you know, if, if needed potentially turn off the, the tracking technology and in certain circumstances maybe keep, keep them on, right? So, so there, there seems to be a warning that this is what OCR is thinking about, not only FTC and, and it's something that we can expect down the pipe. Now, in terms of your other question about what we're advising clients, I think the biggest thing I would say, and the biggest concern is education, education, education, right? So I think the question we've been getting is how do we educate our teams? Now, we sometimes get that question from, uh, a, a private equity sponsor as multiple portfolio companies and, and how to educate all of them and, and the use of pixel tracking and to take this seriously. And then also too, from strategics or an actual just, you know, healthcare entity generally, how do I educate our internal folks, whether it's the business team, the tech team, so that they understand that these pixels, yes, they might be a great business, but there're some regulatory risks that can go along with them. And so I think the education aspect is the biggest thing that we usually try to advise them on a, on a broad strokes, you know, every, every client's different, every client situation's different. Sometimes the, the risks outweigh the benefits, and other times the benefits outweigh the risk because it's pretty essential to their business model that the use of pixels continues. And yeah, look, maybe you're not gonna get a hundred percent to be in compliance because not all aspects are easy to, to achieve. I know, like one of the things that OCR ask is with respect to executing a business associate agreement, right? Uh, we at least have not seen, uh, some of these third party tracking vendors being willing to execute business associate agreements. And the other, a, the other angle to be using pixel tracking with respect to PHI would be to have a patient authorization, right?
So, and that's not so practical, uh, on the, you know, digital, digital aspects on when you have a website, it has a lot of traffic. Getting an authorization from every specific person, meaning the elements of HIPAA is not always the most practical thing to do. So I think it's kind of, you know, weighing in and we, we present the risks there and, and assess what laws they might be subject to or other type of risk, you know, whether it's, you know, litigation, plaintiff risk, and that's, that's usually where we go from there. So I, I don't know if, if you have anything to add in terms of like practical steps on the compliance side, like what type of, uh, mechanisms you would, you would typically have these organizations put in place or what you think it would be, you know, other than educating these individuals, uh, like hard set policies and things like that, that, that you've seen or that you, you know, typically recommend?

Speaker 2:

Yeah, we just, we send 'em to their, uh, their attorneys, Rob, so that, that's easy. That's the easy answer, <laugh>. Um, but no, I mean, more seriously

Speaker 3:

Pass the buck <laugh>,

Speaker 2:

Right? Right. Uh, you know, more seriously, it's, it's very complicated, right? And, um, you know, when, when we have clients coming to us, of course we're not providing legal advice, even though some of us might be lawyers or, or, or as I said, fake lawyers. Um, it's, it's hard for us because it's, you know, if they're coming to us and saying, should I, you know, is this okay for me to have tracking technology on these, you know, 25 unauthenticated webpages? Well, you know, there's one reading of that bulletin that, that might say no, you know, it may say that there's a risk there, you know, there's potential. Um, there could be a regulatory action, there could be a litigation, there could be, you know, this, this could, this really is a legal question, right? Um, and, and then there's another part that, you know, as a, as a consultant or, you know, even putting myself in the shoes of a compliance officer or a privacy officer, it's, it, it's more complicated, right? You, you mentioned the benefits and the risks. There's a lot of, of money and, and the collection and sharing of data, obviously the, the tracking tech, you know, clearly it benefits Google and Facebook and, and those entities, but it, it also benefits the covered entities and the, and the business associates. And, and by way of that, it, it benefits the communities, right? Because it helps, it helps health systems and hospitals and clinics understand, you know, what, what their patient base looks like, how they're interacting with the site. There's, there's a lot of value to that, um, both internally and, and, um, and externally. And so I, I think you're, you're exactly right.
It's, it's, um, you know, it's, it's very difficult to, to figure out how you do this in a perfectly compliant manner because you, you mentioned things like authorization and, and as we were talking the other day, um, and thinking about this topic, I, it, it sort of just, it occurred to us that, you know, even if you were to put this in an authorization or put this in a notice of privacy practices, there's probably gonna be a lot of patients who are not gonna be excited to read that their hospital or health system is, is wanting to disclose their data to, to these, uh, these third parties who are gonna then use it for their benefit. You know, do data aggregation, share it further, and, and it could represent some risks to the privacy of that person. So I think that's, that's difficult. You men, you already mentioned the challenges around a business associate agreements and, and some of these large companies that, um, just aren't willing to, to do that at scale. And so, you know, what, what we tend to talk through is, you know, how do we think about this from a, you know, from a reasonable perspective, um, you know, are people, as you mentioned, being educated, do they really understand what this issue is? Um, and, and then how is the organization really dealing with it, dealing with, you know, learning to understand it? And so we, we talk with clients a lot about, you know, of course, policies, procedures, but, but even beyond that, um, collaboration is, is just vital.
Um, I, I think it's probably a good idea for, or for larger organizations to think about start, you know, setting up a committee around this, uh, that, that includes key stakeholders from security and IT, and compliance and privacy and legal and, and others, uh, of course, marketing, fundraising and, and, you know, have regular meetings to, to talk through the risks and benefits and, and then to outline those in, in process documents and, and policies and in training that can be targeted to, to people that are, uh, charged with, you know, reviewing the sites or adding the tracking tech to sites, uh, so that they're following, you know, those policies and procedures. And the organization really has to determine, you know, know is there, are there enough benefits to have tracking tech enabled at all? And if there are benefits to this, which there probably are, um, what's the, what's the best way and safest way to do this in a, in a, in a way that, uh, protects our, the, the privacy of our patients. So,

Speaker 3:

Yeah. Yeah. And that, that all makes sense too. And, and so I, I guess kinda the moral of the story, right? I think we're both in alignment on the, the education piece, right? Because you take the business folks, right? They're, and the tech folks, they're gonna be like, oh, this is great. Like, we got, you know, the, the, there's the ad revenue and sharing with the Google Analytics and getting all this data is always great for us to have as an organization, right? Without necessarily thinking about the, the legal risk. I mean, that's where kind of, I guess the compliance folks and legal folks come in, we're kind of not always the bearer of bad news, but sometimes need, need to rein them in a little bit, uh, you know, I guess so to speak, right? I mean, I think there's a, there's a funny one, I think a, a standup line from Seinfeld where he, where he said like, at all, you, all you can eat buffet is like giving your dog a credit card and having them go to like Petco and say like, get a, get whatever you want, <laugh>. So it's almost like without us educating these folks and telling them what the risks are, they're gonna go and do things that they think are best for the bottom line of the organization, which is what they're supposed to be doing, right? That's, that's part of their job. So, uh, yeah, I think, I think the, the education piece and, and getting everybody and collaborating together is just extremely valuable.

Speaker 2:

Yeah. And then I guess the final thing I'd add to that too is, you know, we, we have plenty of examples of organizations that have, that have reported these issues as, as a breach. And I think just adding onto it, and, and this isn't intended to scare anybody, but hopefully this is empowering to people, you know, as you have these committees and as you talk internally, um, look at these as ins, you know, look, look at this from an incident perspective and, and walk through your, your breach assessment tool and, and think about, okay, is does this for us, you know, rise to the level of, of reporting and, and notification and whether it does or doesn't document it. And if, especially if it doesn't, um, document it with the rationale and, and, uh, because the more documentation you have, you're, you're gonna be able to, to show regulators or, or show, you know, your attorneys, look, here's how we've thoughtfully approached this. Um, this isn't, you know, this was new to us a year ago. It's not as new, it's not new to us anymore. We've really been, uh, really careful about how we've thought about it, the thought about the risk, and, and this is what we decided to do. And so I think, you know, that those sorts of, you know, even just hard documentation, um, really, really, uh, really important. Um, so, you know, with that, and I, I know we're probably close to wrapping up at, at some point in the next few minutes, but, um, I'm just curious, you know, where do you see the overall conversation from here going? Like, do, do you, are you thinking there's gonna be, I mean, are we, would you, would you bet money, there's gonna be a resolution agreement by the end of the year? Um, do you, do you see FTC wrapping up and, and AGs ramping up as well? What's your, what's your thought?

Speaker 3:

So, I mean, all, all the, I think most of the, the indication, you know, points to this is not gonna go away. Um, I think O C R is, you know, they haven't begun enforcement, but even the , the head of the O C R in an interview, I think it was like the spring, said that this is gonna be enforcement priority for them. That letter, that joint letter with the F T C and, and O C R all , all but indicated that this is gonna continue to be enforcement activity for them , uh, the plaintiff's bar . I mean, you can, you can never expect them to hold restraint, right? And in this , in this type of arena, and the states are, think you're gonna start acting too. I mean, you saw some of , some of you may have saw the in in Washington and , uh, Nevada and other states, they're starting to pass consumer, consumer health privacy laws that many of which seem to be as, as drafted, potentially broaden scope. Uh, I think Washington, there's, there's some arguments to be had that it also captures inference data. And, and a lot of what pixels track is inference data, right? So if some individual is browsing on a website and, and all that adds up to maybe potential the eczema condition or something like that because, or oh , there seems to be clicking on a lot of skincare treatment or something like that, right? That type of inference data, even for something that might not even be health related , maybe some would interpret Washington law to , to do that, or a p a plaintiff's bar certainly would, because there's a private right of action there. In Washington , uh, the F T C has been pretty , uh, aggressive in their enforcement in this space. They have already started, and a , a lot of which is for entities that aren't subject to hipaa, right? 
So a lot of health app developers are usually subject to the F T C enforcement, and that's where the FT c under its health breach notification rule has u which the FTC, excuse me, has used as a way to enforce pixel , pixel, the use of pixels and , and, and other activities. But one of the things is that this is also addressable, right? I think some of the things that F T C has noted in their settlements is that some organizations allegedly had privacy policies and other type of statements that said that they weren't gonna use pixels or would not intend on using them or sharing , uh, certain types of data with third parties. And then the allegations were that they went ahead and did it anyway. So it's, it's being cognizant of what is being stated in terms of a notice and then getting the proper consents wherever needed, right? So there , you know, it's not to say that pixels can't be used at all. It's just let's, let's take stock of what pixels we're using and, and using them accordingly to mitigate the risk wherever possible from both a regulatory perspective. And then , uh, a , a litigation perspective. And, and the litigation piece is also interesting too, because I think I've seen some mixed results. I think some, some plaintiffs have been more successful than others in terms of going directly after entities for their use of pixels. I think they've been using something like wiretapping laws and things like that. And in some cases they've, they've , uh, moved these lawsuits along and I've , I've been doing pretty well. In other , other cases, the judges have been like, wait, we're not taking such a broad view here. I think the, the judge here in, in one of the cases, I think in Illinois even went on to say something along the lines of that the, the h the H H SS bulletin for assessing liability just doesn't, doesn't work with respect to federal wire tapping laws and things like that. 
And also the interpretation that OCR had that certain types of pixels aren't, wouldn't necessarily be PHI, 'cause they wouldn't see, see them as IIHI, right? Or individually identifiable health information because it doesn't relate to the past, present, or future physical or mental health or condition of an individual. And so we're seeing mixed reviews there on the plaintiff's side. So that's just, you know, but that's not to say, oh, everyone go crazy 'cause you don't have to worry about the plaintiff's bar. It's, you know, they've been successful in some instances and other instances they haven't been. But I think this has just continued to be an area to pay attention to and, and focus on, uh, from respect to, with respect to a compliance and in-house re regulatory concerns.

Speaker 2:

Yeah. And we, you know, uh, earlier this week we had what I, I, I think is the 12th, um, you know, state data protection law to, to, um, to be effective or to not be effective, but to go into place. And Governor Carney from Delaware, um, I believe signed this earlier, uh, this week, um, and, uh, you know, going into effect 2025, I believe, but it's even that one, it's, it's already being sort of billed as the most restrictive, um, you know, data protection law in the country so far. Um, you know, I think that's dig into the details and really understand, uh, some of the aspects there. But I, I think you're, you know, I think one of the things at least I'm thinking about as you were talking is there's, there's a lot of risk here, right? Um, a lot of risk for organizations. You know, we've talked about some of the benefits, uh, as well. Um, but I, I think maybe a lesson learned here is, you know, tracking tech wasn't really on the radar for a lot of people in, you know, before 20, you know, summer of 2022. And I think as we think about, as we sort of think about tracking tech, I think it's really important for organizations to think about other ways that they may be, uh, using or disclosing data that, that, that may be, um, automatic, it may be electronic, it may be difficult to, to, uh, you know, to really, uh, understand or know, especially if you're a privacy officer, a compliance officer, general counsel. And so, you know, as you're thinking about, you know, you mentioned applications as you're thinking about standing, you know, covered entities, standing up applications, even covered entities interacting with their business associates. 
You know, I think about, you know, what, what's, what is their business associate, uh, oversight and management look like, and are they submitting data to business associates that, you know, could potentially, um, run afoul of, of the BAA and, and, and of course HIPAA if, if then the business associate is, has enabled some of these things as well. So I think it really emphasizes just the importance of thinking, you know, careful thought, a lot of collaboration, you know, working together to, um, to think about what, what the known uni universe is around the sharing of data and you know, how that can be managed appropriately. So with that, I, I don't know if, Rob, anything else, you know, from your perspective to add just, I don't know any, any words of, you know, words of advice or, or thoughts for, for listeners today?

Speaker 3:

Yeah, no, that's, I think we covered covered a lot of it too. And I just will say like, one, one add too is in considering the space I'm in, I do a lot of in the, in the deal work, um, I do a lot in the deal space, excuse me. And so this is an area we've been paying attention to as we, you know, diligence target companies. And a lot of our clients both on the private equity side and, and strategics have been asking us about to, to focus on, because the, as I mentioned before, like I don't see this going away anytime soon. So this is a risk that you just need to be cognizant of, not only as an in-house team, but also as a team that's potentially looking at, um, you know, any sort of mergers, consolidations or, um, acquisitions or roll-ups or anything like that is, is really thinking about this not just as a, uh, item for your organization, but as you consider and expanding into new markets and to new, um, territories with respect to, uh, your business, right? So just understanding not only your own compliance infrastructure, but also the compliance infrastructure and use of, of pixels and so on for, you know, like I said, a, a target entity and thi and things like that. So there, as we mentioned before, like one of those things is, you know, how educated are these, these entities going to be? Do they have any compliance programs in place? What do they say on their company privacy policies? Do they have any sort of consents or things like that? Um, are they already currently being investigated by one of the regulators? Do they have a lawsuit already, uh, with respect to, you know, plaintiff's counsel in certain states with, you know, regarding the, the pixels and, and other type of use of data. So these are all things to, to think about and, and really assess. 
And I think if, if organizations can do this in a smart way and, and learn how to mitigate the risk and just understand what the risk tolerance is, this could, you know, it's, it's not, not an easy road to travel, but it's also one that there, there are solutions to.

Speaker 2:

I, uh, I don't, I don't think I could have said it better or closed it out any better, Rob. Um, so don't think I have anything to add to that, but really appreciate the conversation. Um, you know, hopefully it's been helpful to people and encouraging and not just, you know, highlighting the risks. Um, and, uh, really appreciate the time and looking forward to hopefully doing this again sometime soon. Yeah,

Speaker 3:

No, I, I'd love to. Thank you. It's been, uh, it's been great. A lot of fun and, uh, yeah, thanks, uh, talk to you again soon. Thanks

Speaker 2:

Robin.

Speaker 1:

Thank you for listening. If you enjoy this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.