AHLA's Speaking of Health Law
Top Ten 2024: Tracking Technology Remediation, Litigation, and Enforcement
Based on AHLA’s annual Health Law Connections article, this special series brings together thought leaders from across the health law field to discuss the top ten issues of 2024. In the ninth episode, Karin Anderson, Principal & Corporate Counsel, PYA, speaks with Carolyn V. Metnick, Partner, Sheppard Mullin Richter & Hampton LLP, about the impact of tracking technology on health care and the accompanying legal and regulatory issues. They discuss what tracking technology is, what OCR is requiring of HIPAA-covered entities, recommendations for health care providers to ensure they are complying with OCR, and current enforcement and litigation activities. Sponsored by PYA.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
AHLA is pleased to present this special series, highlighting the top 10 health law issues of 2024, where we bring together thought leaders from across the health law field to discuss the major trends and developments of the year. Support for AHLA in this series is provided by PYA, which helps clients find value in the complex challenges related to mergers and acquisitions, clinical integrations, regulatory compliance, business valuations and fair market value assessments, and tax and assurance. For more information, visit pyapc.com.
Speaker 2: Welcome everyone to AHLA's Top 10 Issues for 2024. Today we're talking about HIPAA privacy laws and how they intersect with website tracking technologies and more. We're gonna learn what that is. We are so lucky today to have Carolyn Metnick with us, a partner at Sheppard Mullin who works in privacy, all things privacy, and we're gonna talk to her today about, and I wanted to refer you to, an article that she wrote on tracking technology remediation, litigation and enforcement for the American Health Law Association. So be sure to read that. But in case you haven't read it, we're gonna discuss today what that means, what the issues are, and then really what to do going forward in 2024. What do you need to do if you're a healthcare provider or advising healthcare providers? Just quickly before we start, I'll introduce myself. I'm Karin Anderson. I've been a healthcare lawyer for about 25 years. I was a nurse before that. And the thing that I like the most, probably like all of us healthcare lawyers, is just really helping clients figure out the complicated healthcare regulations that surround them and how to operationalize those or strengthen their compliance programs. And I know Carolyn does the very same day in and day out. I work with PYA; we're glad to be hosting these podcasts this year. This has been great fun, and I get to do that very thing, which is work with healthcare providers and clients and advise them, and then also work as corporate counsel. So enough about me. Let's meet Carolyn. I'll tell you a little bit about her background, but then I'm gonna ask her more questions. Carolyn is a partner in the Chicago office of Sheppard Mullin. She's a member of the healthcare, privacy and cybersecurity teams. She is a certified information privacy professional in the United States and Europe.
And she advises on healthcare regulatory and transactional matters, focusing on health information privacy and security. I wanna encourage you to go to Sheppard Mullin's website and look at Carolyn's background in more detail. She's got lots of honors, lots of experience and education. So, you know, she's a real expert on this. So, without further ado, Carolyn, so glad to be with you today.
Speaker 3: It's fun to be with you too, Karin. Thank you so much. I'm blushing from that,
Speaker 2: <laugh>
Speaker 3: From that introduction. Oh, well, thanks. Happy to be here. Just a little bit more about myself. You know, the healthcare landscape, Karin, as you know, is rapidly transforming through digital health solutions, including AI. Technological advances and big data have changed how providers care for patients, how payers, you know, look at payments. I assist providers, technology companies, and other stakeholders in improving access, engagement, and quality of care, at least I like to think so, by helping them navigate this complex regulatory landscape that applies to these models and makes innovation challenging, with a focus on all the issues that accompany these arrangements, including how data may be used and how it must be protected, drawing on my HIPAA and health information privacy expertise. So the area that we're talking about today is really exciting. You know, I've had, I guess, the honor of getting in the trenches with clients who are dealing with this, so I'm just happy to have this conversation today.
Speaker 2: It changes a lot. And I think one of the best things about this conversation today, I thought, was just that, I mean, you've got up-to-date questions that they're asking you, like, what are they wrestling with? And I know we're gonna talk about that a little bit more, but I thought as we start, you know, a lot of us order things online and do things online, but we don't necessarily know what it means, right? So what does tracking technologies really mean? I thought maybe you could level set us on that.
Speaker 3: Yes, that's a great question. And it is, you know, technical, so it can be hard to understand, but we all are experiencing tracking technologies every day, you know, when we're using the internet. So tracking technologies can collect, store and analyze user activity across one or multiple webpages. They can also be used with email, which I only found out about recently, and mobile applications. So some of the common tracking technologies, and these are probably ones that you've heard of, include cookies, web beacons, pixels and scripts, which store and analyze user activity. And these technologies are widely used by businesses to improve user experience on their website, to collect information, to just kind of improve the user experience, right? Tracking technologies are also used for targeted advertising or retargeting. This is, you know, where ads are presented to users based on prior activity on the web, right? So you may be using your computer and then an ad for something that you looked up, you know, last week pops up or something. It can even follow your IP address. So, you know, if my husband was looking at a watch or something online and we have the same IP address for whatever reason, it's popping up on my computer, you know <laugh>. So they can be convenient, right? Like they may show you something. And those are more the marketing ones, which we could have an entire conversation about. Yes. So they can improve your user experience. They can deliver convenient ads. They can also tell companies where you are spending time on their websites and how the websites are working, whether they're working well, whether there are, you know, kind of flaws. They serve a variety of purposes. So getting back to your question, you know, if you're visiting a provider website, are you being tracked?
Which I think was your initial question <laugh> <laugh>. Possibly. But that applies to many websites, not just healthcare provider websites. And there are many public tools that will allow you to see what tracking technologies are available on a given website, actually. So you can download certain public free tools and use them to see what tracking technologies are available, which is interesting. I actually, we have associates, yeah, we have associates that will do this for clients, you know, and we'll get to kind of the legal issues and the HIPAA issues. But I can tell a client what tracking technologies are visible on their website. And again, this is public, which, you know, is one of the reasons this is a really important issue, because there's legal risk, which we'll get to. So these tools allow you to see what is on a website. And plaintiff's attorneys, again, we'll get to what the legal risks are, are using this information to figure out what tracking technologies are on a given site. So a company's privacy notice should really disclose these technologies. And it's, you know, where companies get in trouble, and again, I'm not just talking about healthcare at this point, is where they don't have accurate privacy notices that explain the uses and disclosures and what's being collected, and, you know, where it's not transparent to users. And then the FTC and state attorneys general are also looking at these. So not being transparent or accurate in how you're collecting and using information is a problem. So I can go on a little bit more that will, you know, kind of set us up for why this is a HIPAA issue.
Speaker 2: Yeah, I think that's helpful. 'Cause you're right, we've got these state data privacy laws out there, right? That are really talking about every industry. You know, how you're using and disclosing for marketing, you can't sell it, right? All that. So we've gotta comply with that generally. But now if we go to healthcare providers, right? We've all been alerted, I think. I want you to talk about that too. You know, what does the Office for Civil Rights really require now of HIPAA covered entities, and why? You know, we think it can be a really good thing, right, the tracking technologies, but what are they concerned about, I guess. Will you tell us a little bit more about that,
Speaker 3: Maybe? Yeah. So before we get into that, let me tell you a little bit about the information that is being collected and why the OCR cares. Right? Okay. So the information that's collected can vary by technology and placement of the technology, right? There are many technologies that are only collecting what's called header information, which is just kind of vanilla. It's metadata that includes an IP address and the URL of the referring website, browser type and device type. You can't get that much information from that. It's very hard to find out who an IP address belongs to. You often would have to subpoena an ISP. So that information I would consider relatively vanilla. Although, you know, an IP address is an element within the safe harbor for HIPAA purposes. So it is arguably PHI. This information, however, is less telling and less sensitive than information that is collected that is user driven or user entered, which would be information that's placed by clicking buttons, submitting forms, you know, filtering of dropdown boxes, entering in values. That information is more colorful. So going back to why the OCR cares and this guidance: in December of 2022, which now is a little while ago, the OCR, which is the agency that enforces HIPAA, published a bulletin, and it really caused HIPAA regulated entities, business associates, and covered entities to reevaluate their practices. And it addressed how these tracking technologies implicate HIPAA. And it further emphasized that regulated entities may not use technologies in a way that would result in an impermissible use or disclosure of PHI.
Well, hopefully all, you know, all the regulated entities know that they shouldn't be impermissibly using or disclosing it, but it really kind of changed the way stakeholders were thinking about this, because it explains that regulated entities disclose information to tracking technology vendors through the use of technologies on their sites, and then it distinguished between authenticated and unauthenticated sites. And this is really important to understand, and this also kind of ties into the American Hospital Association case, which we'll get to, I hope, in our conversation. But authenticated sites require a user to log in. So think of like a portal that a patient might access online, or putting in their credentials, or a mobile app. That's authenticated, and essentially you could tie that to an individual, right? Because they have credentials. An unauthenticated site does not require a login and is generally accessible to the public. So, you know, if I were just to go to any website and start browsing, that would be generally public. So the bulletin provides that individually identifiable health information collected on a regulated entity site, such as, you know, a covered entity, just think of a hospital, is generally PHI, even if the individual does not have a relationship with the regulated entity. And that's what really threw kind of HIPAA professionals and, you know, stakeholders. And it's because, according to the OCR, and this is where it's interesting, and this is a quote from the OCR in the bulletin <laugh>, that visit is indicative that the individual has received or will receive healthcare services or benefits from the covered entity, close quote. And therefore, again, this is also a quote from the bulletin, it relates to the individual's past, present, or future health or healthcare, or payment for care, which, you know, could be a stretch, right?
Like, I visit websites because I'm a healthcare lawyer looking at clients, for whatever reason, right? Not because I'm gonna seek care or I'm trying to learn about a doctor, but that's the position that OCR took. And they further note that authenticated webpages, and this part makes sense, generally have access to PHI, because you wouldn't log into a website unless you were a patient or patient representative, right? Right.
Speaker 2: You have an account, basically. Right.
Speaker 3: Exactly. And that unauthenticated webpages generally do not, but in some cases may, have access to PHI. And I think that's the most interesting kind of part of the guidance, that an unauthenticated webpage could have access to PHI. So the OCR explains in the guidance why that's the case, which, you know, caused providers and payers and everybody to kind of rethink their approach here. And I'm happy to get into that if you think that would be, you know, helpful.
Speaker 2: Yeah, I think, well, I think it's interesting. So tell us their recommendation in the bulletin. What did they say that we cannot do?
Speaker 3: Well, they don't want, you know, uses and disclosures that are impermissible. And so what's challenging about the unauthenticated web pages is it's not kind of black and white, right? Like if I were to go to a hospital's website, the OCR may take the position that information that I provide, if I'm, you know, completing a form or if I am on a sensitive webpage, that that could be PHI, even if I'm not currently a patient. So, you know, it further notes that unauthenticated sites, and this is the bulletin, such as sites that address specific symptoms of health conditions such as pregnancy, miscarriage, or that permit users to search for doctors or schedule appointments, even those that do not require, you know, entering credentials, that could be PHI. And I think it's because of the sensitivity of the information, or where you're putting in, you know, answering information in a dropdown box, because it is more than header information in that case. Yeah. So that's what gives the OCR concern, you know, and I think that's what's kind of been troubling and challenging for clients, right? Like, well, is this PHI, is it not? And we haven't seen any enforcement activity yet. We just have this guidance. And again, just because you're visiting an unauthenticated website, it doesn't mean that you have the intention of becoming a patient or will become a patient. But you may. So you know what, I can tell you how I've been helping clients and, you know, what our recommendations are. Yeah,
Speaker 2: Let's do that. Let's do that. 'Cause I think that's what it is. We get bulletins and we get advice, and then we're like, what do we do with that? It's hard to figure it out. Number one, you've just said that it's hard to figure out: is that PHI, these folks that are just visiting our website? And then if it is, then what do we do?
Speaker 3: Yeah. It is challenging. So I think as a first step, and surprisingly, a lot of clients do not have their arms around this, or a lot of, you know, providers. They need to understand what tracking technologies they have, which, you know, oftentimes a marketing department or a technology department, they're the ones that are launching these technologies or contracting with vendors to obtain them. And legal never knows or never knew before all of this transpired. So HIPAA regulated entities need to understand: what do we have and where do we have it? So I would call that kind of doing an inventory. Okay. And that may require a team; I mean, that could also require consultants. 'Cause you may be able to figure out what you have, but you also need to really understand what they're doing. Like, what is the purpose of the technology? You know, does it comply with HIPAA? And what information is being collected and used and disclosed? Is there a compliant pathway? So that really requires digging into each technology, figuring out where it's located. If it's located on an authenticated website, right, one where there's a portal login, well, you better hope that, and again, this applies to third parties. So we're not talking about if the provider has its own technology, 'cause that would still be within the provider. But if that information is going to a vendor, there should be a BAA, and it also needs to fit a TPO purpose, right? So you would want to make sure that it fits within healthcare operations, because marketing in and of itself, you know, and HIPAA has its own definition for that, requires patient authorization. So there's an entire analysis that needs to go in. But really the first step is figuring out what you have, okay, and what it's doing.
And then depending on what you discover, you know, the client may need to do a breach analysis, right? If they're collecting information on either an authenticated page where there was no BAA or not a permissible purpose, or if they were collecting information on an unauthenticated page that's sensitive, or where there's users putting in information. I mean, there's a legal analysis involved there, but you would, you know, advise the client perhaps to do a breach risk assessment. Like, has there been a breach? Do we need to do notification? What's the risk? You know? So there's a lot of work to do. And then a lot of clients are taking them down, or figuring out other vendors to work with that are better, that will enter into BAAs, because there are some that will not. So it's challenging, but it's been, you know, eye-opening and it's been fun.
Speaker 2: Been fun, yeah. Yeah. And it does seem to be, you have to learn a lot about it technology-wise, but also just keeping up with the state laws. They seem to keep changing and that kind of stuff. And then let's talk a little bit about, I may be jumping around, but enforcement, you know, we've seen some, like we said, we don't have an actual action yet, but we've seen enforcement and certainly some litigation going on. Do you wanna talk about that a little bit?
Speaker 3: Yeah. So I would say we haven't seen any OCR enforcement yet. I mean, we might. We have seen a handful of public HIPAA breach notices relating to provider use of tracking technologies. But no OCR enforcement activity has been announced yet. Okay. Now in July of 2023, the FTC and HHS sent joint warning letters to about 130 hospitals and telehealth providers, basically saying, hey, you know, we issued this guidance, we're warning you about the use and risks of these tracking technologies. So I think we can assume that these agencies are keeping their eye on it. And the FTC, even though it doesn't enforce HIPAA, is looking at the use of tracking technologies, you know, with respect to non-HIPAA regulated entities. 'Cause this is a bigger issue than just, you know, the HIPAA OCR issue. Right.
Speaker 2: That's just consumer protection that the FTC is. Exactly. Yeah. Yeah, that's exactly it; it's interesting. And then I think you and I were talking before this, that there certainly is, and because I don't wanna miss it, the American, well, there's been plenty of class actions for sure. You mentioned that before. And then there's this American Hospital lawsuit. So I wanted to make sure we touched on both of those. Do you wanna talk a little bit about
Speaker 3: That? Yeah, there's been a ton of litigation. You know, HIPAA regulated entities continue to deal with the litigation and the threat of it. And it's really expensive for, you know, hospitals and providers. Plaintiff's lawyers have been bringing these cases against them for improper use or disclosure under a range of theories. As you know, there's no private cause of action under HIPAA. So these theories are primarily state law driven, such as invasion of privacy, or maybe even breach of contract, you know, failure to have an accurate privacy notice. There are all sorts of theories. And I think we can only expect that trend to continue, particularly given how easy it is to kind of glean what tracking technologies are on a webpage. I mean, that's just, you know, low-hanging fruit for plaintiff's attorneys. So in November of last year, this was really exciting. This is an exciting development. The American Hospital Association, the Texas Hospital Association, and Texas Health Resources and United Regional Healthcare System filed suit against the Secretary of HHS and the Director of the OCR because of this bulletin. And the lawsuit challenges the portion of the bulletin that suggests the use of tracking technologies on unauthenticated webpages, again, the public ones, may be subject to HIPAA. It did not address, you know, the OCR's guidance on authenticated websites, but it did, you know, kind of go after the unauthenticated, which I think is the part that's most, you know, that's hard to... Yeah. That's troubling and difficult to understand in some situations. So the suit also alleges that HHS exceeded its authority under HIPAA and the First Amendment of the Constitution. And one of the more interesting arguments is also that it failed to follow the rulemaking process set forth in the Administrative Procedure Act.
And that process requires, you know, notice and comments on rulemaking. And it, you know, involves a process. And so the AHA and the co-plaintiffs argue that the bulletin condemns a new category of conduct, creates a new binding norm, which, you know, everybody's trying to scramble to <laugh> comply with this guidance, right <laugh>, which is confusing. And there was no time to really prepare. That it shifts obligations under the law without observing notice and rulemaking under the Act. That's their argument. So that case is moving along. Discovery hasn't started there; there's been a motion for summary judgment that has been, I think that's where they are in terms of, that's on the table, so, okay, responding to that. There have been other amicus briefs filed in support of this, which is interesting. So, yeah, we'll just have to see how that comes out. I think it could have an interesting impact.
Speaker 2: I think so too. Yeah. We've gotta stay tuned. And like you said, I'm glad that you introduced us at the beginning to the authenticated versus the unauthenticated. 'Cause I think that's the one that's a little bit out in left field for us, right? To say we don't even know what to do about that. So <laugh> I think that's helpful.
Speaker 3: Yeah. Yeah. So I mean, we've been working with clients to try to kind of look at the unauthenticated and, like, is it a sensitive page? Is it, you know, what kind of information is being collected? Is there a dropdown? Is the user entering information? Is there user-driven information? So there's an analysis.
Speaker 2: Yeah, for sure. Is there anything else that you can think of that we didn't cover? 'Cause I wanna make sure we've fully extracted your expert opinion today while we have you, Carolyn.
Speaker 3: Thank you. I don't think so. I mean, this is an exciting area to watch. I mean, one thing, you know, clients are certainly learning about this, and they wanna do what's right, but it's confusing. And one thing we've been working with clients on is putting policies in place for the use of tracking technology so that they can roll that out internally. Like, you know, what's our policy? What's our procedure? What's the process, right? Because before, you know, as I mentioned, different departments within a provider may arrange for a technology vendor and legal would never know. So now we're putting in place a process that kind of asks: is it authenticated? Is it unauthenticated? What information's being collected? Who's gonna sign off on this and make this, you know, analysis? Or
Speaker 2: That's a great recommendation, I think. 'Cause you're right, I think these start in perhaps marketing, right? Yeah. And just like, oh, we wanna make sure, you know, this is how we do our job in marketing. And then suddenly they may be unaware that there's a legal component to that. And so, you know, they wouldn't think to get legal involved, or even IT involved at that point. So that's a great idea, is just to look at pulling all those departments together and thinking through,
Speaker 3: Right. Yeah. And they really do need to work together. 'Cause IT understands it, you know, and marketing kind of understands the purpose if it is marketing, and again, marketing requires an authorization under HIPAA. So there's an analysis that goes into that. And at the end of the day, legal needs to be involved and/or the privacy officer. So yeah, that's just another thing that clients, you know, are looking at.
Speaker 2: Yeah. Well, this is amazing, you've packed a lot in a short amount of time, and oh my gosh, thank you so much for talking to everybody today. This has been a great help. And so everybody, thank
Speaker 3: You. It's been fun, Karin. I appreciate it.
Speaker 2: Yeah, I've had a great time. So thanks to the audience, everybody, for attending today. I think Carolyn and I are both long-term members of the American Health Law Association. And we think it provides tremendous support for us and our practices, and it's given us this opportunity to speak to everybody today. And we've had a great time. So thanks again for attending, and we will see you soon. Stay tuned on this.
Speaker 1: Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.