AHLA's Speaking of Health Law

AdTech on Health Care Websites: Legal and Regulatory Implications

AHLA Podcasts

Lynn Sessions, Partner, Baker & Hostetler LLP, speaks with Jim Vint, Managing Director, Secretariat Advisors, about what the health law community needs to know about advertising technology on health care websites. They discuss what the technology is and how organizations are using it, why this is such a priority for the HHS Office for Civil Rights and other regulators, who is reviewing how organizations are using these technologies and the legal consequences that can arise from those reviews, recent OCR guidance, and steps that organizations can take to proactively mitigate risk.

Speaker 2:

This episode of AHLA Speaking of Health Law is brought to you by AHLA members and donors like you. For more information, visit americanhealthlaw.org.

Speaker 3:

Hi, everybody. My name is Lynn Sessions. I'm a partner at Baker & Hostetler, and I lead our healthcare privacy and compliance team. I today am presenting with Jim Vint. Jim, would you introduce yourself, please?

Speaker 4:

Hi, Lynn. Thanks. Yep. This is Jim Vint from Secretariat Advisors. Um, we've been working with Baker on a number of the reviews that we'll talk about today.

Speaker 3:

And Jim, I thought we'd start off with, you wouldn't mind giving a little primer to the lawyers on the call and the other legal folks on the call who may not be so familiar with the use of these technologies. So we'll just call it Pixel 101.

Speaker 4:

That's a great place to start. Um, quite frankly, we could probably spend an hour alone just talking about these technologies, but for, uh, the 101 side of things, um, we're talking about technologies that have been referred to by a number of different names. Uh, they've been called pixels, tags, web bugs, uh, trackers, beacons and, and probably other, other things. There are essentially snippets of code that are placed on a website by the owner of that website, um, or a third party who might be acting on their behalf like a digital marketing firm. Uh, they can be deployed in a variety of manners, um, on a page, uh, or, uh, they can interact as a, as a user kind of navigates through specific forms or clicks buttons, or takes other actions across the website. Um, and if you think about the resolution of a, a TV or a monitor, uh, the reason they originally were called pixels is they're essentially made up of one of those pixels, a one by one pixel on a, on a page. Um, and the, and the code snippet represents one pixel, um, that can make up the full resolution. So, um, users don't necessarily see them. Um, they do exist there as a, as a person navigates through the website, um, and can take on a number of different functions.

Speaker 3:

What do you see that they're used for, specifically by our, by our healthcare organizations?

Speaker 4:

So they're used for a couple of different reasons, and it might make sense here to, to kind of talk through kinda how they work, um, and then kind of jump into what they're used for. So basically, as a user lands on a webpage, these pixels or tags, and I'm just gonna refer to them as pixels, even though they have different, um, different names. But, um, when you think about how the internet works, uh, there's basically a request to obtain some information and a response back. So I might request a specific webpage, that webpage loads on my browser, and when that webpage loads these third party pixels or technologies load as well, and they essentially create an opening or a connection to the owner of that third party. Um, and so once that, uh, tag is used, it's used to really kinda track specific events. And it could be something as simple as a page view, um, so that organizations may wanna know how many users landed on a specific page. Um, they can track how users interact with a form, whether they fill it out or leave. And the, the biggest thing you can kind of think of these tools as doing, if you think about even just e-commerce, setting aside hospitals for a second, but for a, a, a process that everybody's aware of. If you go to a website and add something to a shopping cart and then leave without buying it, um, you might get a reminder down the road that says, you, you know, you, you still wanna buy this, and you go back in and you execute on it because businesses and organizations wanna understand if they're converting on their advertising. And so to talk a bit about what they're used for, there's nothing nefarious about these tools. Um, they can be used for things like conversion tracking, as we just mentioned.
So how many people, you know, were looking for a piece of information or some, um, information on the website, saw an advertisement, clicked on it, and ultimately did something that the organization thinks is important in terms of getting its message out. So for, for tracking, um, that's one. Um, two, they're used for just really understanding how a user is interacting with your website, whether they're getting to the places you want them to get to, whether they're, uh, finding the information that they need. Um, and then in conjunction with that, they're also used for really helping to monitor whether or not your, your website is operating efficiently. So if pages don't load, um, if there are user errors, if, uh, certain pieces of of information are not loading efficiently enough and people are leaving, you wanna know that because you wanna make sure that if somebody's on your website, that they're, they're really getting everything they, they, they want. Um, and, and so from a, from a marketing perspective, they're really a lifeblood, um, of really knowing and understanding and, and realizing how best to position, you know, your message and the information that you want your, your buyers to, to see.

Speaker 3:

And I can say this without question, like, really, all of our healthcare entities are using these types of technologies in some form or fashion on their websites. Have you really even come across any notable, um, healthcare entity that's not doing that?

Speaker 4:

No. I mean, especially when you think about it. Um, their whole goal is to get the message out to underserved communities, to, uh, people who are looking speci for specific, uh, information around, you know, maybe, uh, certain issues loved ones are having, or neighbors, friends or themselves. Um, a a the big kind of reason, and, and something that we can point to is during Covid, which seems like a lifetime ago now, these pixels were actually used to track the efficacy of marketing and outreach and providing information about Covid symptoms, vaccination sites, facilities for treatment and care. Um, and just general information. As you know, everybody knew it was a very fast moving, um, time, although it probably felt slow during, but, um, you know, we saw a tremendous use, uh, and, and, um, dissemination of information, uh, and the marketing teams realizing that they were actually getting to the public that they needed to get to for this, for this information.

Speaker 3:

Yeah, and I think one of the things we hear from the marketing, uh, colleagues at our healthcare clients are, is this, is that, you know, this is essentially where they're meeting the community in their marketplace, right? So this is where people go to get information about healthcare. This is where people go to get information and valuable information, right? Not just what they might read about on, in, in social media, or, you know, in, in more places that don't have as much credibility as the, as a hospital system does or some other healthcare entity does. And so, uh, what we hear back from them is, this is the place. Billboards are not working anymore. Television commercials are not really where people are getting, uh, are, are finding out where to go. It's on the internet. Um, and you made a comment earlier, Jim, about kind of, this is how the internet works. What are certain types of, of, of information that gets transmitted back every time you do some type of transaction on the internet?

Speaker 4:

Yeah. So, um, there, there are, it's a good, it's a good point. And it will also maybe allow me to introduce, um, another concept just to d d differentiate between, um, what we're talking about in terms of technologies and then also cookies. Um, but going back to the original question, um, certain information is always transmitted as a user executes on that request and response, uh, relationship with a web server or a website. Um, in order to understand how to render that page back to the user, um, there are certain pieces of, uh, information that need to go. One, you need to know where you're going, so an IP address has to go. And so if that's, and it, it, it's kind of like a zip code, if you will. It's a general area of where that information is going back to. And, um, it, from a technical perspective, it's probably one of the key pieces of transmissions that absolutely has to go, um, that along with a browser, uh, whether that's Safari or Chrome, um, your operating systems such as Windows, um, and a couple of other pieces of demographic information about your device, like your screen size, um, so that that information that you request can actually come back in a logical and sensical manner for the device that you're on. So, um, when you think about how a webpage will load on a Chrome browser on a laptop, um, it will differ to that of, uh, you know, an iOS device, uh, you know, using Safari. So, uh, which is a, an an Apple browser. And so the, the website needs to know how to portray the information you're requesting back to that device. Otherwise, it, either it will look scrambled or, uh, you won't be able to understand it. And so those are pieces of information that need to go. Um, I wanna go back to the, the cookies as well. Um, 'cause a lot of these technologies can leverage cookies. Uh, these are actually small text files that sit on a user's device and browser. It's really, they're really specific to that device and that browser.
Um, they're used to do a number of different things, uh, for those third parties, like improving the user experience. Uh, so remembering login credentials, um, so you don't have to sign into your bank or, uh, your, your MyChart account every time. Um, they, they're used to save browser preferences, uh, you know, your time zone, language, font size, uh, and they, and they can keep track of, um, certain actions that you might be doing, again, more on the retail side than anything. Um, so, and these technologies are deployed across tens of millions of websites. A few years ago, Lynn, um, on the healthcare side of things, it was nearly impossible to find a website that wasn't running the most common pixel and tag technologies. Um, and, and even now, most government websites are required to use, uh, certain analytics platforms because the government believes, to your point, that that's where society is meeting government and information flow is on the web. Um, and so the, these, these pixels, which may, uh, transmit data to the third parties, are also able to identify and transmit those specific third party, uh, cookies along with any kind of events that, that these pixels might be tracking. So, um, it doesn't mean that they get to pick everything off of your browser, but if there is a pixel related to, um, a specific third party, and that specific third party also has cookie values on the browser, those will go, um, those will go back to that third party as well.

Speaker 3:

So, Jim, what type of work are you and, and others at Secretariat doing for healthcare entities and in other industries as well in this context?

Speaker 4:

Y yeah, so there, there's a few things that are happening. Um, you know, I think the healthcare industry in particular is really trying to figure out what their posture is from a technology perspective, or their, I guess their landscape is like, um, as it relates to these third parties, especially in, in light of the guidance from OCR, um, and obviously a number of articles that have been disseminated over the last 13 months. Um, so there's a lot of, uh, review and I'll call it inventory management, to ensure that tools that are running, um, to the extent they, they comply, um, you know, have the proper settings and configurations. Um, I think people are also doing a lot of review of their third parties and what access they have in terms of deploying certain technologies to their websites, um, and really giving insight into what these tools are actually doing. Um, because just the presence of them on a website doesn't mean that, you know, some of the allegations that we've seen in terms of litigation are necessarily happening. And so we're really trying to, um, and, and I don't necessarily like the phrase, find out where the rubber meets the road, but really figure out, you know, based on how a tool is deployed in the settings that it has configured, whether or not it's actually, you know, doing something that is, you know, outside of the guidance that, that especially the OCR has provided. With that, um, I know I've been doing a lot of the talking, and I certainly don't want want to, um, may maybe, maybe I can kind of, uh, turn a little bit, uh, and basically, now that we have a little bit of a baseline, and again, we could probably deep dive this for the next hour, but maybe if I could ask you a question, um, why, given what you've heard and obviously everything you've been doing, why is this such a priority for the OCR and or other regulators at this point in time?

Speaker 3:

Yeah, so I think when you pegged on the, it's been roughly 13 months that we've seen a big uptick in this activity on the healthcare side of things, um, about 13 months ago, so June of last year, there were kind of two coinciding things that happened that impacted the healthcare industry. First, the Dobbs decision came out, uh, around the same time as the, the, the, the other incident or event that occurred last June. Um, but in June of 2022, we had, uh, the Dobbs decision came down, which of course, overturned Roe v. Wade, uh, and we had, um, a desire of the, the administration in Washington to protect the privacy, uh, around, uh, particular, uh, types of healthcare that was being provided in certain states and may have been more restrictive in other states. Um, and so that kind of, uh, had the government, the Office for Civil Rights in particular, issue some guidance to entities at that point about how it is that they should be protecting, uh, women's reproductive care information. Uh, and PHI associated with that. Around that same time, just prior to the Dobbs decision coming down, there was an investigative article that came out that had looked at the top 100 hospitals, uh, in the country, uh, and essentially assessed whether or not they were using certain types of tracking technologies on their websites and, um, and, and what pixels were being used and where on their websites they were being used. And it was a bit of an exposé article that came out that highlighted a number of entities. These are really good compliant entities. Many of them were our, already our clients, um, large health systems throughout the country. Uh, and they were essentially pegged for using certain technologies. These two events in conjunction with each other, set off, um, a kind of a, a storm of activity among the entities that were named in that particular article, uh, and other entities that just read it or were made aware of it and got concerned about it.
Uh, and so we started working with you and others and looking at websites and saying, okay, first of all, what are the tracking technologies or other technologies, ad technologies, et cetera, that are being utilized on those websites? And what type of information was, is being transmitted to these third parties? And so in working through this, there were a couple of things that we found out was that many times, um, these technologies were being deployed by the marketing department without, uh, consultation, uh, with legal or compliance or privacy, um, or IT, uh, information security to make determinations on whether or not these, um, these were secure, these were compliant, et cetera. Um, and so that allowed for an opportunity for those groups to get to work together, uh, and get a good idea of the technologies that had been deployed. The second thing, too, is we also learned that there were some kind of latent technologies, so things that had been deployed, uh, associated with a specific ad campaign that might've gone out in 2020. Jim, you mentioned, uh, with respect to the use of the websites and these technologies, and looking at the efficacy of messaging that went out around Covid, uh, you guys, like you said, it seemed like a lifetime ago, but I remember in the spring of 2020, scrambling to find whatever information I could and trying to get it from reputable sources. And of course, uh, who better, who are better sources than our healthcare systems that are on the front lines and taking care and getting the most up-to-date information about, um, about the, uh, about Covid and other disease processes.
And then we saw another impact on that when the vaccinations came in, that it was very important to be messaging out to the community about where they can get vaccines, again, efficacy of the vaccines, uh, dispelling false information that was being put out, uh, in other, uh, in other, uh, communications, uh, to allow for the general public to get good information about the vaccinations. So all of these, as you mentioned, are not nefarious reasons for using this, but we found out that these were perhaps deployed for a specific campaign that was going out there, um, and they were never taken off, or we even had third parties that were deploying it without the knowledge of our, of our healthcare entity. So there's a variety of different things that we uncovered, but I think most importantly is there was an awareness now of not only the importance of these technologies, but that there needed to be more than just the marketing department essentially weighing in on 'em. So it's a priority right now, we're seeing, um, because of the Dobbs decision, um, because of, um, activity that are being taken, taken, uh, from, uh, certain jurisdictions in the country relative to that type of, of information that may be available in other states, um, and a desire by the administration to really wanna protect that information. And we think that that is the overlying reason as to why, um, it has really gotten the government's attention at this point.

Speaker 4:

That's great. Um, and so a a couple things that come to mind there. I think we, you touched on, you know, who's looking at how these organizations, organizations are using these technology platforms, which obviously I would say counsel, uh, forensics experts, and a number of folks internally. What, what are some of the legal con consequences either that have or potentially can arise based on, uh, the outcome of some of these reviews?

Speaker 3:

Yeah, that's a great question. So, um, I think you mentioned this, really, anybody can go onto your websites and see some of the technologies that are being used and, um, and make some, uh, assumptions as to the type of data that may be sent being sent back to the third parties. And so, as a result, uh, I, since last summer, um, we are aware of approximately a hundred class action lawsuits that have been brought, filed against a, um, a variety of different healthcare entities, healthcare systems, um, pharmacies, telehealth, uh, entities, et cetera. And, and really when you think about, um, the use of these technologies on websites, and we're gonna talk a little bit about the OCR guidance that you had mentioned earlier that came out late last year. But, um, but the use of these technologies really are impacting anyone who has a website. Um, I talk daily with a new healthcare entity that may either may not have considered the use of these technologies are, are affirmatively using them, um, because that's, again, how they meet, how they meet their patients, how they meet their members, if they're a health plan, um, how they meet the general public, uh, just generally speaking. Um, and so the legal consequences around this are that in my view, the plaintiff's attorneys are, uh, they see an opportunity here. Um, they see an opportunity for, uh, class action lawsuits being filed because there's hundreds of thousands, if not millions of people who are going to, to healthcare entities, websites on a daily basis. Um, and they see law that has not been completely developed, whether it's at the state level, uh, and is continuing to evolve at the federal level. And so they see opportunities there.
We've also seen, um, the Office for Civil Rights, um, not only investigate clients who have reported data breaches relative to these particular types of, uh, the use of these technologies, but also too, we've had a handful of clients that have received, uh, investigations from the Office for Civil Rights without reporting a data breach. Um, and I say this, that the types of questions that those entities are being asked are kind of like, when was the last time you beat your wife? Because they're questions that are presuming that the entities have had a data breach. We know from talking with the OCR on, uh, in these investigations that they are going to the healthcare entities websites, they are looking at the technologies that are being deployed, um, and they are making assumptions about they're working with subject matter experts, and they're making assumptions about the type of data that's being sent to those third parties. Um, and so we are zealously defending and we're educating the OCR from our position onto why, um, at least in those instances, these are not data breaches. Um, and that these are good and useful, and as you said, um, you know, just, just, uh, very good reasons in which our entities, um, have been utilizing these types of, of, of technologies on their websites. We've also seen a few attorneys general that have come and investigated. Um, some of it may be specific to, you know, it may be a state that has less restrictions around the Dobbs informa, the Dobbs type of data, I'm sorry, the Dobbs type of, um, of, um, procedures. And therefore they're concerned about other states that might be subpoenaing information about their residents or people seeking care in those states. Um, and we've had some AGs that have been, have, um, have, have talked with our clients about, um, about, about that type of information and how it is they're using the technology protecting, uh, that type of information of their patients.
So we've really seen a variety of different entities that have kind of stepped into the fray on the non-HIPAA side of stuff. The FTC has also been investigating, um, entities both on the healthcare front that may not be covered by HIPAA or may have, um, tech may have the use of applications and other things that are outside of HIPAA, um, as well as the FTC getting into the act, uh, relative to non-healthcare entities. So there's a variety of people that have their hands in this, and I don't think it's going to end. Um, we just see a great interest from Washington and many of the state capitals, um, about this type of, um, of activity by our, our clients.

Speaker 4:

Definitely. Um, one of the, I just wanna circle up real quick on one of the things you've said, especially in terms of the opportunity from the plaintiff's firms. Um, one of the questions, uh, that I love to, to ask people is describe a typical internet user and, and there is no typical internet user. So I think one of the other assumptions underlying a lot of these claims at the moment is that they, the belief that anyone who interacts with a website will have the same experience. Um, and that's certainly not true. Uh, I mean, the, the most glaring example is an analog user of the internet, if you will, who goes to find an address or a phone number will have a dramatically different experience for, than somebody who is going to have a full kind of digital experience and even do maybe an online session with your, you know, after making an appointment. And, and there's a dramatic number of, um, idiosyncrasies and anomalies that every user will have in terms of the, the browsers that they use, the devices that they join from their overall relationship with the internet, um, and their own privacy settings and, and security settings. So, um, just just to layer on the technical side of that as well, there, there's certainly some nuances, uh, which is why all of these reviews are ongoing. Um, so jumping back to the OCR guidance, um, you know, there was, there was a, a, a guidance memo that came out December 1st, 2022. There was a tremendous amount of flurry, uh, of activity on the part of healthcare providers subsequent to that. Um, there was just a, uh, reiteration from the OCR and FTC, both of whom you just mentioned, uh, more recently. So what additional activities do you anticipate as a result of, you know, o ongoing activities for the December, 2022 memo, but even, you know, the, the, the new July 20 memo that was recently released?

Speaker 3:

Yeah, so the December one guidance that came down, I mean, really did get the attention of a lot of our healthcare clients at that point. Um, I mean, it just shows how seriously they take anything coming down from the OCR in the HIPAA landscape. Um, and so we did a, um, an analysis of what the OCR guidance said. Um, and it's interesting because there's a couple of things that came out of that that were, were new to us. Um, one of them is that an IP address is a unique identifier, and Jim, I may act actually ask you to comment on that, uh, shortly, but, um, we knew that an IP address, um, had been part of the 18 identifiers that the, that HIPAA has always said are part of the identifiers that you need to de-identify information. But at least up until this point, the OCR had not taken the position, the IP address was a unique identifier. Um, so that was kind of the first takeaway that we saw in there, and we felt like that's new information. The second part of it was that, um, they talked about how you could have some of these tracking technologies on your website. Um, so it, it, they didn't go so far as to say that so long as it wasn't on an authenticated an, uh, so long as it wasn't on an authenticated, uh, page, such as something that, you know, like logging into your patient portal, et cetera, would be an authenticated page. There's other ways in which our, our clients interact with their communities that may be an authenticated page. Um, but they did say that, um, if a, an individual is coming to your website, they are seeking healthcare, and therefore if they get onto a page essentially that, um, is talks about a specific disease process or treatment or something like that, then that because an IP address is a unique identifier, then that would qualify as protected health information.
And this seemed to be very much an overreach compared to certainly how all of us had been looking at the websites and how, um, and how healthcare entities have been treating their websites. Um, and so that's really where the area in which we've been working with a number of our clients to talk about, okay, are is the OCR now telling us we've got to remove everything from our websites. Because as you mentioned earlier, one of the ways in which, which the internet works is that there's an exchange of an IP address. Um, and so if in fact that is a unique identifier, then that would be protected health information relative to me going to a healthcare entity site, regardless of where they may be located and looking for information on colon cancer for my mother or for, um, you know, some other type of care for my, my, uh, my cousin or whatever it may be, um, or looking for things for myself. And so, um, that is the position that, that the, the guidance came down on. It appears that they doubled down, uh, on July the 20th with the joint, uh, notice that went to 130 entities throughout the country, um, from the FTC and the OCR that basically reiterated the concerns. And, and I think, as they put it, dangers around using these technologies on their websites. But if you don't mind commenting a little bit on the kind of uniqueness of an IP address, I think that would be really helpful for the listeners to, to get a sense of, of why we feel like this is a bit of an overreach by the OCR.

Speaker 4:

Yeah, happy to. So yeah, our, our position is that, you know, the, the IP address in and of itself cannot uniquely identify a user. Um, when you think about maybe when the guidance was developed, uh, going back, you know, 10, 15, maybe 20 years, whatever, you know, it, it, it may have been a little more practical to suggest that it was more identifiable just because the number of, um, access points to the internet, which is essentially what an IP address is, were a lot, were a lot smaller in number, um, you know, the IP address represents the connection points. That could be your router, um, it could be your corporate, uh, network, it could be Starbucks. Um, but when you're not connected to a router, the IP address is the address of a device, and those, um, IP addresses change. And so we, the best way to think about an IP address is really around, um, renting or leasing that space or that connection point for a period of time, um, given the expansion for the Internet of things, um, given the fact that every time you connect to a new network, your IP address changes, um, and that multiple devices can be attached to the same IP address, and an individual can be attached to multiple IP addresses and multiple individuals can be attached to one IP address, um, it, it's pretty much impossible for that I IP to be tracked to a specific individual. Um, and at times, even a specific device or, um, uh, or browser. Uh, because again, to the extent that there are, you know, 10 or 20 different devices connected to a router, um, it's, you don't you understand the router, you don't understand the device. Um, so if I'm at a friend's house and connect to their IP address to get to the internet to do something, um, you know, that's, that's not necessarily traceable to me. It would go to a router somewhere else.
And so, um, it is not, you know, we did a test a while back where within a 20 mile radius, uh, my IP address showed me being in, uh, Minnesota, uh, outside of Chicago and New York City all at the same time. Um, we, we, you know, within a period of, of one day without, without traveling. So, um, and, and we've seen actually some other, um, cases out there in the criminal side of things where even law enforcement was not able, able to serve a subpoena for an individual because they couldn't identify where they lived in an apartment building that shared a router. So, um, you know, there, there's a lot of information out there, uh, but, but technically speaking, um, there are, there are too many nuances to an IP address to actually identify an individual. Yeah.

Speaker 3:

Jim, I think there was one time you were giving me a demo and you were in your office in, um, in Chicago, and it actually showed you in the middle of Lake Michigan, and you had to, you know, assure me that you weren't sitting on a boat actually having the call with me.

Speaker 4:

<laugh>. Yeah, you made me go on video <laugh>. Um, no, yeah, you're right. And again, it, I, I think I mentioned it earlier, it's more of a zip code approximation, uh, of where you are. It doesn't necessarily pinpoint a specific address or, um, you know, a specific household or building. It's just a general proximity of, of where you might be from a geographic perspective.

Speaker 3:

So one of the things that when we have our, when our, when we work on these with our clients and they kind of, they get educated on this, uh, both through digital marketing, sometimes we've got very sophisticated digital marketing folks that know exactly what's going on, but it is definitely an education to the lawyers and the compliance folks, uh, typically, um, at our clients. Um, and the one question they ask is, when this is all is done, okay, what should we do next? Right? Like, what should we do next? One of the things that the OCR guidance, um, mentioned was that, you know, if you, you can get a third, you can get a business associate agreement in place with these third parties to the extent that they will sign them, we need to know that there are some, uh, entities out there that won't sign business associate agreements, at least not currently. Um, I would urge you to, uh, to talk with your business relationships, uh, at those that will not sign, um, business associate agreements, um, but also too, you need to ensure that they are in fact performing business associate functions, um, for your organization. So that's kind of a threshold question. I guess the threshold question is really, do you need these technologies? And some of them we found that our clients can just take off and remove. They just don't feel like they need 'em any longer or they're not getting the benefit that they, they did at one point in time. Uh, the second thing is, to the extent you're gonna leave them on, then get a business associate agreement in place. And then thirdly, if you can't get a business associate agreement, Jim, you wanna talk a little bit about like what are some of the alternatives that are out there and some of the advice that you're, you're giving to help, uh, mitigate the risk around the use of these technologies?

Speaker 4:

Yeah, that's, it's a great question. Um, and it's, you know, it's, it's an emerging space to some degree because these changes are, you know, even though it's seven months, um, as anybody here who's ever been involved in any type of data migration or system implementation, that in and of itself can take a long time, let alone the kind of legal process of contracting. And prior to that, um, identifying and demoing, you know, certain platforms that are out there, we, we have seen that there are some significant alternatives to some of the more common platforms that have been being used, which to your point, Lynn, do not, or will not at this point sign business associate agreements. Uh, so we have seen a number of healthcare institutions evaluate some of these platforms, which provide a lot of the same analytical capabilities and, and kinda conversion tracking capabilities that we had mentioned earlier, um, under a BAA, um, as an alternative to some of the, again, some of the larger, um, analytics platforms, there's, uh, a variety of, as you would imagine, a variety of, of tools that, that can fit the bill from, you know, smaller, um, smaller kind of less costly, uh, tools to, you know, full suites of, um, tag manager and analytics platforms that, that come with a, a pretty hefty price. And so we've seen a number of organizations start to analyze and, and evaluate those, uh, for, for switching. And there's a switching cost, right? Uh, some of the, the more common ones now are, are free to use, uh, which is very, um, helpful for organizations like hospitals who don't necessarily always have a tremendous money to, to spend amount of money to spend on, on marketing tools and marketing in general. Um, so there's a switching expense, uh, especially for budgeting.
Um, we've also seen, and this is actually, uh, fairly new too in, in kind of the telehealth space, we've seen some newer technologies emerge, uh, that are helping to interface with, um, user data, if you will. So some of the pieces of information that might be transferred from the user's browser that are, are of, of, um, central issue for some of these litigations, uh, whether or not those are, are being transmitted or not, uh, they will help by masking, intercepting, and masking to help anonymize. Those intermediaries will sign BAAs in a lot of instances. Um, but we're, we're cautioning people at the moment, um, really to understand how those tools are working. Um, you know, we wanna make sure that they're not giving rise to net new pieces of information being transmitted that can still maybe link back to the organization or potentially, um, a device or a browser or even, you know, potentially worse an individual. So, um, you know, configuration is key, testing is key, you know, really understanding what you're losing by abandoning, you know, what's been working so far. Um, you know, what's your wish, wishlist of seven to 10, um, marketing needs, uh, from, from what you're currently viewing and, and, and leveraging and making sure those are available in that tool. And then really making sure that the data transmissions to any potential third parties as a result of those tools are not, are not, uh, in violation of the OCR guidance. So again, it's emerging, um, it, it is complex. Every one of these technologies is fairly different in terms of their baseline functionality and/or advanced features. And so really understanding what's going on similarly to kind of the underlying data transmissions that occur beyond just seeing that there's a specific pixel or tag currently, uh, is really the, the primary focal point to make sure we're not, you know, robbing Peter to pay Paul, I still in the same hot water here in, in terms of just switching platforms.
And so that's, that's what we're really stepping in on the technology side to help people really understand, you know, the, the, the use of these tools, making sure that they, in conjunction with your advice can comply with the OCR guidance and that if there is any risk there, that we understand what it is and how to mitigate it.

Speaker 3:

And I would just add onto that, I, I think one of the main things that we're telling our clients is there's gotta be some type of governance process in place, right? It's gotta involve not just marketing and any outside parties y'all are using for marketing, but also, um, it's gotta involve legal, it's gotta involve privacy compliance, it's gotta involve information security. One of the things that also came out of the OCR guidance was that you should be conducting security risk analysis around the use of these technologies. And that's something in, in our OCR investigations that we're working on with our clients, um, that the OCR is asking, show us where you consider these technologies in your risk analysis. So it's in their, uh, it's in their belief that this is something that should have been ongoing even before now. Um, and so all the more important to ensure that you've got at least that, that group of people at the table from a governance perspective.

Speaker 4:

Yeah, Lynn, that it brings up a, a, a good point too because one of the, I mean that the allegation that it hadn't been happening or, or wasn't happening in its entirety, I think it's important for everybody on this, on this podcast to kind of think through how rapid technology changes on a month to month, quarter to quarter, year to year basis. Um, and since these are tools that are deployed potentially controlled by third parties, um, you know, historically we've seen lots of changes happen where they may not have been known to the third party to, to the organizations using them. Um, the, the biggest and probably the most egregious example is, is, uh, an overnight integration of a platform which had a default of session recording, which is basically recording, you know, what a user's doing on an, on, on a website, how they're navigating if they're filling out forms. And it was unbeknownst to a lot of the organizations that was using that tool, and it was basically a technology push. And so really understanding, you know, what's happening, keeping abreast of the market in terms of integrations, mergers, um, acquisitions is gonna be critical because while you might have a great governance program in place now if this technology changes, you need to adapt pretty quickly as well. And so that's something we're also, to your point, adding on the governance side of things to make sure that website technologies are, um, a lot more top of mind in terms of what the industry is doing, um, so that organizations can adapt, um, as those changes occur.

Speaker 3:

And maybe that should be the first agenda item for the governance team is what changes, if any, have taken place since the last time we met.

Speaker 4:

Exactly. Exactly. Um, so Lynn, maybe, uh, redirect back to you here too. Uh, are you, I mean, I think we've touched on this a little bit, um, but you know, you still see companies using ad tech?

Speaker 3:

Yeah, we do. We, and we certainly, the marketing folks are, tell me, I jokingly say that I've got voodoo dolls. They've got voodoo dolls of me all over the country where I've told marketing they need to <laugh> need to scroll back on the use of these technologies because they say to me, you are blasting me back into the stone age. Um, as far as being able to, to, uh, to again, meet their patients in the community, in the marketplace. Um, but yeah, we do see them, uh, using technologies. They are looking for, um, alternatives that they, that we believe are in compliance with the OCR guidance. Um, they are, uh, urging and entering into or renewing business associate agreements, uh, to address these issues where they may not have already been in place. Um, and they've got a better insight as to really kinda the use of these technologies and the type of information that's being, uh, potentially transmitted. So I think it's been, you know, you hate to see these types of things cause education or create education internally. It's not like our clients don't already have enough work to do <laugh>. Um, but, um, but it has definitely created awareness, um, and looking at these technologies. But I, I don't see the marketing people completely saying, um, we can, we're not gonna use any of these, right? Like they're looking within the guidance, um, that the OCR has provided. Um, and, and seeing what is available in the marketplace for them so that they can accomplish what they do. Are, are you seeing anything different?

Speaker 4:

No, I, I, I think you're, you're spot on. I think we've seen this whole concept of thoughtful use, uh, really take center stage here now. Not that it wasn't thoughtful historically, but, um, you know, there was no perceived risk there. I think there's, to your point, a, a, a, um, increased knowledge now by marketing and compliance and legal around, you know, how the internet works. Um, and, and I think IT security, you know, is, is staying more involved and maybe adapting a little bit. I mean, their, their goal is typically protect the organization, you know, from inbound risk and inside bad actors. I think we've seen a lot more IT security folks take an interest in this one because they get the concept of, you know, the, these technology transformations, um, a lot more 'cause they live it day to day, um, and really looking at kind of data exfiltration, inadvertent data exfiltration as a more serious agenda item for their ongoing reviews and compliance. And so I think to your point, we've seen a much more collaborative, um, cross-functional team really kinda take the reins on making sure, um, you know, they've got, they've got full view on, on everything they're using on their website. So

Speaker 3:

One of the things we've touched on a little bit about, you know, how anyone can essentially go to a website and see certain things that are going on, but, um, can you talk a little bit, I mean, this has been fascinating to me as a lawyer, talk a little bit about, you know, how you test what's actually happening with the use of these tools and, and is it easy to do that? Yeah,

Speaker 4:

That's a great question. So it, I think it's very easy to see what tools are running. There's a variety of things you can use on each browser, even if you know where to click, that allows you to see kind of the development side, and it will show you if there's specific pieces of JavaScript code or the code for these third party tools running or not. Um, and you can get a pretty good kind of very 50,000 foot view of maybe what's there. Um, it really understanding what's happening takes a little bit more work. Um, and there are a few tools out there that, that we use, that we've seen plaintiff's experts use. I'm sure that the government's using, um, both at the OCR and FTC. Um, but what it does is if you want to interact with the website, you can run this tool. Um, you do not need to have any special access to the website, which is why everybody can kind of see what's happening from a government perspective or not, at least without an authentic, you know, on the unauthenticated pages. So before you have to put in any credentials. Um, and really what it does is it, it, it records what you do, what pages you go to, um, and then any potential third party transmissions that might occur as a result of what might exist on a given page. Uh, keeping in mind that every page may not have the same set of technology deployed. There could be different configurations. Um, obviously we, you can look at, um, things with different browser settings or, or security settings. And so there's again, a number of nuances, but, um, those transmissions can carry what's called a payload, um, which really is just the set of data that might be being transmitted, right? Whether you're looking to look at a page view, what page the user is on, if there are any cookie value sent.
And we can unpack all of that information and really understand, you know, is there, is there information there that's concerning or, or is it just really anonymous identifiers that allow a, a, an organization to count the number of users that hit a, a webpage or the number of browsers that hit a webpage. Um, and so that's really where the analysis of this happens. Just because the technology is resting on your website doesn't necessarily mean it's doing everything that might be being alleged or that might be concerning to the OCR. Um, and so that, that's really where the assessment's happening. Um, so it's, it's easy to see what's running. It's a little more work to understand what's actually happening versus what's actually just, just deployed.

Speaker 3:

And I can just, I can tell you, Jim, I mean the, the reports that we get from, from your team have been critical for us to be able to, um, not only do a risk assessment under HIPAA, but also to help educate our clients, both the marketing team and the legal compliance IT team on really what it is that's truly going on here. So it's just been, uh, a godsend as far as us being able to provide the legal advice to, to the healthcare entities here. So thank you for all of that.

Speaker 4:

Well, thank you. Thank you for that.

Speaker 3:

So I, I guess one before we close, just kind of what are your final takeaways that you'd like to, to tell the listeners?

Speaker 4:

I, I think, you know, this is, this is not necessarily a, um, a, a spike here, uh, which will, which will go away. I think maintaining purview or, or review of these tools periodically will be important. Um, I think it's a, you know, working with, uh, a, a team like Lynn, uh, in order to, you know, continuously assess from a legal perspective as the regulations change will be critical. Um, and just really making sure that you have that ongoing understanding of, of what you're using, how it's configured and where it sits. And, and quite frankly, even helping to manage your third parties better, um, and making sure that they're not necessarily accountable per se, but certainly have, you know, your authority, um, or your review or sign off before anything is deployed to your websites.

Speaker 3:

And Jim, I would just add on to that and just echo what you said, but if you've not already looked at your websites, there is a very high chance that your websites are utilizing some of these technologies. So I would encourage you to talk with your marketing team, um, and, uh, and start to assess the use of these technologies on your websites. And, um, and there's a lot of guidance that's out there, and, um, and I think that if you've not already done this, it's gonna be critical to your, uh, your HIPAA compliance going forward. Great. So thanks Jim. Uh, great talking to you today. And likewise, we'll close out. Thanks everybody. Yeah.

Speaker 4:

Thanks for listening.

Speaker 3:

Thank you for listening.

Speaker 2:

If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.