WHAT YOU NEED TO KNOW IN A MINUTE OR LESS
The use of pixel technologies on websites and mobile apps in the health care field has garnered considerable attention from regulators and the plaintiffs’ class action bar. Regulators continue to focus on the extent to which such technologies can be deployed consistent with HIPAA and Federal Trade Commission (FTC) guardrails. Although HIPAA does not provide for a private right of action, scores of putative class complaints have been filed, challenging the use of pixel technology on websites and mobile apps sponsored by providers and other companies in the health care arena.
In a minute or less, we provide an update on recent developments in this area, including key takeaways from the latest litigation and regulatory events.
Litigation and Regulatory Overview
In a bulletin issued December 2022, the Office for Civil Rights (OCR) cautioned health care providers that their use of tracking pixel tools on websites and mobile apps may violate HIPAA by improperly disclosing site users’ protected health information (PHI) to the third parties that furnish such technologies.1 The OCR bulletin was soon followed by multiple FTC enforcement actions against digital health companies that deployed such tools on websites and mobile apps.2
Class action litigation also ensued, with the lawsuits generally proceeding on two separate tracks: (1) consolidated class action litigation against the provider of the pixel tools, including Meta; and (2) separate lawsuits against hospitals and health care providers that allegedly deployed these technologies on their websites or patient-facing apps. In recent months, the scope of the putative class action lawsuits has expanded, with claims asserted against telehealth companies and other participants in the digital health arena.
Regulatory attention on this issue has continued in recent months. In May 2023, the American Hospital Association requested that OCR suspend or amend the December 2022 bulletin. The AHA noted that the technologies at issue allow health systems to analyze demand for particular services and to use social media to reach underrepresented populations with credible health information.
OCR did not suspend or amend its December 2022 bulletin, however, and instead sent a joint letter with the FTC in July 2023 to 130 health care providers, cautioning against the use of such tools, including the Meta Pixel.3 The joint letter reminded HIPAA-regulated entities of their obligations to comply with HIPAA when using these technologies, and further reminded entities not regulated by HIPAA that disclosures of personal health information without consent may violate the FTC Act and trigger the FTC’s Health Breach Notification Rule.
The FTC followed up earlier this month with its own guidance, stating in a September 2023 bulletin that HIPAA-regulated entities that use or disclose PHI are subject not only to HIPAA, but also to the FTC Act’s general prohibitions against unfair or deceptive practices.4 The FTC emphasized HIPAA’s authorization requirements for the use or disclosure of PHI for marketing purposes and highlighted several specific requirements, such as using plain language and describing the specific purpose of the requested use or disclosure.
Litigation against the providers remains in its early stages, as defendants have moved to dismiss the cases against them, and to sever those cases from claims against the pixel tool providers. Decisions to date have generally narrowed the claims asserted against the provider defendants, although plaintiffs have been granted leave to amend in some instances.
Against this backdrop, a class settlement was reached in consolidated litigation against one provider, with the court granting preliminary settlement approval in August 2023. Notably, the class settlement agreement does not outright prohibit defendants’ continued use of pixel technologies, but rather expressly permits such use, consistent with OCR guidance or as otherwise permitted under HIPAA.5
As for the consolidated litigation against Meta, after denying plaintiffs’ motion for preliminary injunction in December 2022, the court granted in part and denied in part Meta’s motion to dismiss earlier this month. Consistent with other recent decisions in this area, the court has employed a presumption that online communications regarding health issues are confidential under California’s wiretapping statute—effectively expanding the scope of the statute, as compared to prior decisions holding that such online communications are not generally considered confidential.
As for the key question of whether health care providers consented to the transmission of data to Meta by deploying the Pixel on their websites, the court held the answer could not be resolved on the pleadings. It would instead depend “on what Meta disclosed to the providers, how it described and trained health care providers on the Pixel, and how the health care providers understood the Pixel worked and the information that then could or would be collected by Meta.”6 An amended complaint will be filed in the coming weeks.
To date, neither the FTC nor OCR has outright banned the use of tracking pixel tools by HIPAA-regulated entities. Even so, their recent public statements confirm that such technologies will be subject to continued agency scrutiny under HIPAA (where applicable), as well as the FTC Act’s prohibitions against unfair and deceptive conduct.
The early litigation outcomes present similar lessons, in that an agreement to refrain from using pixel technology may not be required to resolve litigation, either on a class-wide or individual basis. Even so, health care companies defending such lawsuits may face headwinds, to the extent that developments at the regulatory level—and the litigation against Meta—inform the judicial reaction to plaintiffs’ claims.
1 U.S. Dept. of Health and Human Services, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, December 1, 2022
2 See FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising, February 1, 2023; FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising, March 2, 2023; Ovulation Tracking App Premom Will be Barred from Sharing Health Data for Advertising Under Proposed FTC Order
3 Federal Trade Commission, FTC and HHS Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies, July 20, 2023
4 Federal Trade Commission, Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule, September 2023
5 Order on Preliminary Approval of Class Action Settlement, In re Advocate Aurora Health Pixel Litig., No. 2:22-cv-1253-JPS (E.D. Wisc. Aug. 21, 2023) (ECF No. 36)
6 Order on Meta’s Motion to Dismiss, In re Meta Pixel Healthcare Litig., No. 3:22-cv-03580-WHO (N.D. Cal. Sep. 7, 2023) (ECF No. 316)