May 7, 2024
 
 
Question:
Jennifer,

Have you heard of or seen class actions trolling for plaintiffs over online tracking technologies? Have you seen the VillageMD lawsuit - https://www.documentcloud.org/documents/24542347-villagemd_online_tracking_lawsuit? Any advice?


Thanks, 
Dr. W


Answer:
Unfortunately, yes. I have seen the class action trolls and the VillageMD suit; thank you for the reminder. The impetus: HHS recently published https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html, discussing the use of online tracking technologies by HIPAA covered entities and business associates under the HIPAA Security Rule. The focus is on tracking embedded by a third party, or an access point, through which a patient may, unbeknownst to them, be disclosing personal information to a third party that then uses it without consent. In these suits, the plaintiffs allege all sorts of damages from the breach of their protected information, and they do so in a class action forum, which can be "lights out" for an organization, insured or not.

How do you protect against this threat? One option: do not allow patients to submit their information to you electronically. A second option: make sure you incorporate technologies and vendors that are mindful of and compliant with HIPAA. You must always have a proper business associate agreement in place with any vendor that accesses your patients' protected health information more than incidentally, which may include an IP address. You also need a privacy policy alerting users to the tracking. A website banner allowing users to accept or reject tracking is NOT sufficient.
 
PHI can include information such as the user's IP address, email address, name, etc. Whether the information is classified as PHI is determined, in large part, by whether the user accessed the website for health or billing related purposes. For instance, if a high school student is writing an essay on oncological advancements, her IP address collected by the webpage is not PHI. If someone is looking for a second opinion on a cancer diagnosis, his IP address collected by the webpage is PHI.
 
We will continue to monitor this exposure, and we are available to discuss best practices upon request.
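The answer above turns on a technical fact: every script, image, iframe or stylesheet a page loads from another domain hands that domain the visitor's IP address (and usually a Referer and any cookies that vendor has set), so the first step toward the business associate agreement and privacy policy questions is knowing which third parties a page actually contacts. The script below is an added example, not part of the original Q&A or of any vendor's tooling. It statically inventories the cross-site fetches an HTML page triggers and flags the hosts that match an illustrative list of well-known pixel/analytics vendors. The sample page, the first-party host `example-clinic.org`, and the tracker suffix list are constructed assumptions for the example, not an authoritative list.

```python
"""Inventory third-party origins referenced by a page's HTML.

Added example for the online-tracking discussion above; not code from the
original post.  The sample HTML, the first-party host and the tracker list
are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose values make the browser issue a request (and so disclose
# the visitor's IP address to whichever host serves the resource).
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "form": ("action",),
}

# Illustrative hostname suffixes of widely deployed analytics/pixel vendors.
# Assumption for this example only; not a complete or authoritative list.
KNOWN_TRACKER_SUFFIXES = (
    "facebook.net",
    "facebook.com",
    "google-analytics.com",
    "googletagmanager.com",
    "doubleclick.net",
)

# Constructed sample page for a hypothetical clinic site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn.example-clinic.org/app.js"></script>
</head><body>
<form action="/appointments/request" method="post"></form>
<iframe src="https://scheduler.example-vendor.com/embed"></iframe>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
</body></html>"""


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for every request-triggering attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value.strip()))


def _is_first_party(host, first_party_host):
    return host == first_party_host or host.endswith("." + first_party_host)


def third_party_origins(html, first_party_host):
    """Return {external_host: [(tag, url), ...]} for every cross-site fetch."""
    parser = _RefCollector()
    parser.feed(html)
    found = {}
    for tag, url in parser.refs:
        if url.startswith("//"):
            url = "https:" + url          # protocol-relative URL
        host = urlparse(url).hostname     # None for relative/javascript: URLs
        if host is None or _is_first_party(host, first_party_host):
            continue
        found.setdefault(host, []).append((tag, url))
    return found


def known_trackers(hosts):
    """Subset of hosts matching the illustrative tracker suffix list, sorted."""
    return sorted(
        h for h in hosts
        if any(h == s or h.endswith("." + s) for s in KNOWN_TRACKER_SUFFIXES)
    )


if __name__ == "__main__":
    origins = third_party_origins(SAMPLE_HTML, "example-clinic.org")
    for host, refs in sorted(origins.items()):
        flag = " [known tracker]" if host in known_trackers(origins) else ""
        print(f"{host}{flag}")
        for tag, url in refs:
            print(f"    <{tag}> {url}")
```

Two caveats worth keeping in mind when using a check like this. First, a static inventory is only the floor: a tag manager such as the one the sample loads will inject further scripts at runtime, so the authoritative list comes from a browser's network log (or a HAR capture) while walking the patient-facing flows, especially any page where a visitor searches symptoms, books an appointment or pays a bill, since that is exactly the context in which the IP address becomes PHI. Second, a host not on the tracker list (the scheduling iframe here) is not therefore harmless; it still receives the visitor's IP address on every load, which is the point of the business associate agreement requirement in the answer.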