Online tracking tools such as pixels are moving to the forefront of the debate about healthcare policy.

Last month, the American Hospital Association and several allies in Texas sued the U.S. Health and Human Services Office for Civil Rights seeking to block enforcement of a December 2022 guidance that limits use of pixels on websites and mobile apps by HIPAA-covered entities and business associates.

In September, Advocate Aurora Health agreed to pay more than $12.2 million to settle a class-action suit over a pixel-related data breach. A number of other similar class actions against health systems and vendors are pending.

Betsy Hodge, partner in the healthcare practice of Akerman, a national law firm, advises clients on preventing breaches of healthcare information and on compliance with relevant federal and state healthcare privacy laws. She spoke with Healthcare IT News about privacy and security issues that pixels have raised and how healthcare organizations can safely and ethically implement tracking tools.

Q. What are pixels and what do they do?

A. Pixels are online tracking tools embedded in websites, mobile apps and emails as tiny, transparent images containing snippets of code that sends information back to a server that hosts tracking software. They capture data points such as IP addresses, browser types, operating systems and screen resolution. They can also be used for targeting of advertising. You wouldn’t normally know that they’re there. They run in the background.

Q. How do pixels differ from cookies?

A. Pixel trackers and cookies often work together to send information back to the tracking technology company about the user and how the user interacts with the site. Pixels reside on websites, while cookies get uploaded to the user’s computer or phone. However, cookies can be disabled [by users]. Pixels you really can’t disable very easily.

Q. What are some of the specific concerns about pixels and health data?

A. There is a ton of health data out there that is not generated or held by organizations that are subject to HIPAA, including health app developers. Now, the Federal Trade Commission has stepped in to regulate those health apps that are not subject to HIPAA, because healthcare information is particularly sensitive and can reveal a lot about an individual.

There are certain categories of health information that historically have been considered highly sensitive, such as mental health, substance use disorders, and sexually transmitted diseases. Now, in the wake of the Dobbs decision [the 2022 Supreme Court ruling that overturned Roe v. Wade], reproductive health information is considered very sensitive, given some of the [anti-abortion] laws that have been passed in certain states. Healthcare providers are treating that with even greater sensitivity and consideration.

The concern is that to the extent health information is acquired by these pixels and then shared with third-party tracking-technology tracking companies, that may be an impermissible disclosure of that information. The concern is how that third-party tracking company is using that health information. Are they able to identify it back to a person, and does that individual know that that information has been shared with a third party? Impermissible disclosure of such information can have serious consequences.

Q. What kinds of consequences are you seeing?

A. The Federal Trade Commission has been very active in this space with respect to health apps and other health companies that are not subject to HIPAA, and recently have entered into a number of consent orders or settlement agreements with companies over their impermissible disclosures of health information, including use of tracking technology. I’m thinking about BetterHelp and GoodRx.

We’re also seeing a number of class-action lawsuits being brought against healthcare systems surrounding their alleged use of tracking technologies and impermissibly sharing data with the tracking-technology companies.

Q. How should healthcare organizations and patients protect themselves?

A. From the organization side, I think the first step is to confirm whether and how you are using tracking technologies. A lot of times, it may be the marketing department that wants to use the tracking technologies because they want to get data on what web pages are more effective than others or what advertising gets a better return — legitimate business purposes. But they may not be thinking about the privacy with respect to personal health information. So, first understand whether you are using these technologies and how you are using them.

Educate your employees about the use of these technologies and how they may violate HIPAA or the FTC Act, or even state laws regarding sharing of personal health information, including educating your marketing team or whatever department is responsible for implementing the tracking technologies. Then, also understand what data is being collected by those tracking technologies and with whom that data is shared.

Some healthcare-related entities develop their own tracking technologies in-house and use their own tools. In that scenario, you’re not as worried about an impermissible disclosure because everything is in-house. But not every organization has the capability to do that.

Organizations should also figure out what consents or authorizations they have from individuals if the health information is being shared or disclosed to a third-party tracking-technology vendor, and then assess whether their practices regarding sharing or disclosing data via tracking technology complies with HIPAA, the FTC Act, the FTC Health Breach Notification Rule or any applicable state laws, then figure out if you need to adjust how you are using tracking technologies to minimize the sharing or disclosure of health information to third parties.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.