By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Privacy and security issues involving tracking technology in healthcare are not going away any time soon. In case memories got a little bit foggy over the holiday and end of year, go back to an October 2023 post I wrote called Shading the Gray for Tracking. That post provided an overview of how tracking technology became a popular topic of discussion, the response from regulators, and some legal actions that were taken.
A State Enters the Picture
The latest volley in the tracking technology saga comes from the New York Attorney General. Specifically, the New York AG and New York Presbyterian (NYP), a large academic medical center system in New York, settled allegations of privacy violations stemming from NYP's use of tracking tools. Because the New York AG is not the HHS Office for Civil Rights, the Assurance of Discontinuance with NYP goes into considerably more detail about the conduct underlying the settlement than an OCR resolution typically would.
Without further ado then, here are some of the key findings highlighted by the New York AG:
- NYP’s website consisted of various pages, some of which were available to the general public for information purposes and others, namely the patient portal, that required a login.
- Tracking tools from a variety of sources were deployed on NYP’s website across a six year period. The tracking tools were primarily used for marketing purposes.
- The tracking tools came from at least the following sources: Bing, DoubleClick, Meta/Facebook, Google, iHeartMedia, TikTok, The Trade Desk, and Twitter.
- In a footnote, it was clarified that the tracking tools were not deployed in the patient portal.
- Each time a tracker was triggered, information was sent about the user and the user’s interactions with NYP’s website to the applicable developer of the tracker. Each developer may have received different information, but the scope potentially included a user’s IP address, what event triggered the tracker, unique information from cookies stored on a user’s device, first and last name, email address, physical address, and gender information.
- Health information may also have been included, such as search words or information from a link about scheduling an appointment.
- Information collected by the Meta, Google, and The Trade Desk tracking tools was used to serve customized ads to targeted users. The information was also used to sort users into audiences defined by NYP, which could then be used to target other individuals with similar characteristics (often called lookalike audiences).
- NYP did not have a business associate agreement in place with any of the developers that provided the tracking tools.
- NYP did not have a policy addressing the use of tracking tools. NYP also did not vet any of the tracking tool vendors for compliance or violations of applicable policies.
- NYP submitted a breach notification to the HHS Office for Civil Rights stemming from the use of the tracking tools on March 20, 2023.
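The findings above boil down to tracking tools loaded on public pages, with no policy and no vendor vetting. The first thing a security or privacy team can do on its own is an inventory: which third-party hosts does each page actually load, which of those are known ad-tech vendors, and does any of them sit behind the patient login? The Python script below is an added example written for this republication, not code from the original post or from NYP; the vendor-to-host map, the login-protected path prefixes, and the sample page are all assumptions constructed for illustration.

```python
"""Inventory third-party tracking resources embedded in an HTML page.

Added example, not from the original post or from NYP. Uses only the
standard library and a constructed sample page. The vendor-to-host map
is an assumed starting list, not an authoritative catalogue.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of ad-tech vendors to the hosts their tags load from.
# Extend it from your own network captures; treat it as a starting point.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta/Facebook",
    "www.facebook.com": "Meta/Facebook",
    "www.googletagmanager.com": "Google",
    "www.google-analytics.com": "Google",
    "googleads.g.doubleclick.net": "DoubleClick",
    "stats.g.doubleclick.net": "DoubleClick",
    "bat.bing.com": "Bing",
    "analytics.tiktok.com": "TikTok",
    "static.ads-twitter.com": "Twitter",
    "js.adsrvr.org": "The Trade Desk",
    "insight.adsrvr.org": "The Trade Desk",
}

# Assumed: paths under these prefixes sit behind the patient login.
AUTHENTICATED_PREFIXES = ("/patient-portal", "/mychart")


class _ResourceCollector(HTMLParser):
    """Collect the src/href of elements that trigger a request on page load."""

    WATCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def third_party_resources(html, page_url):
    """Return (tag, url, host) for every watched resource served from another host."""
    page_host = urlparse(page_url).netloc.lower()
    collector = _ResourceCollector()
    collector.feed(html)
    out = []
    for tag, url in collector.resources:
        host = urlparse(url).netloc.lower()
        if host and host != page_host:      # relative and same-host URLs are skipped
            out.append((tag, url, host))
    return out


def vendor_for_host(host):
    """Match a host, or any parent domain of it, against the known list."""
    parts = host.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in KNOWN_TRACKER_HOSTS:
            return KNOWN_TRACKER_HOSTS[candidate]
    return None


def audit_page(page_url, html):
    """Summarise the trackers on one page and whether the page sits behind a login."""
    path = urlparse(page_url).path
    findings, unknown = [], []
    for tag, url, host in third_party_resources(html, page_url):
        vendor = vendor_for_host(host)
        if vendor:
            findings.append({"vendor": vendor, "tag": tag, "url": url})
        else:
            unknown.append(host)  # review by hand: could be a CDN or an unlisted tracker
    return {
        "page": page_url,
        "authenticated_area": path.startswith(AUTHENTICATED_PREFIXES),
        "trackers": findings,
        "vendors": sorted({f["vendor"] for f in findings}),
        "unclassified_hosts": sorted(set(unknown)),
    }


# Constructed sample: a public "find a doctor" page on a fictional hospital site.
SAMPLE_PAGE_URL = "https://hospital.example/find-a-doctor?specialty=oncology"
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://bat.bing.com/bat.js"></script>
<script src="https://js.adsrvr.org/up_loader.1.1.0.js"></script>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
<script src="https://hospital.example/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-cdn.net/site.css">
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1"></noscript>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print(report["page"], "behind login:", report["authenticated_area"])
    print("vendors:", report["vendors"])
    print("unclassified hosts:", report["unclassified_hosts"])
```

Run it over saved copies of each page in the site map and compare the vendor list against whatever tracking policy exists (or, as in NYP's case, document that none does). Two caveats: a static parse only sees tags written into the HTML, so anything a tag manager injects at runtime will be missed and needs a browser network capture to catch; and a page under a login-protected prefix showing any vendor at all is the finding to escalate first, since that is where the visitor is known to be a patient.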
There were some other facts identified in the Assurance of Discontinuance, but the facts not summarized aren't necessarily material. That being said, there are some key pieces to pick out. One key fact is that the New York AG specifically distinguished the patient portal, as a login-protected area, from the rest of the website. Putting a tracking tool into a secure area of that kind creates particular concerns about the exposure of information, because anyone behind the login can be presumed to be a patient.
Another interesting fact was the New York AG calling out the areas of NYP’s website where the tracking tools were deployed. The tracking tools were placed on public areas of the website. The New York AG states that the tracking tools were in places where individuals could learn about NYP’s general services, research about diseases and conditions, as well as search for clinicians.
The footnote about the lack of tracking tools in the patient portal is also interesting. It means the tracking tools were not behind a login, where arguably it is known that an individual is actually a patient. Placing that clarification in a footnote could also say something about the New York AG's approach: it keeps attention on the headline issue rather than on the nuance. All of these questions about where on the website the tracking tools were deployed go to the concerns raised by the American Hospital Association about the scope and aim of the guidance produced by the HHS Office for Civil Rights.
So what did the New York AG do? First, a financial penalty of $300,000 was imposed. Arguably, for a system as big as NYP, that is not a material amount of money. Some of the actions the New York AG required will potentially be more impactful though.
Not surprisingly, NYP committed to complying with applicable New York laws addressing protection of the privacy, security, and confidentiality of protected health information. In parallel, NYP also needs to comply with HIPAA. All of that compliance should have been occurring anyway (and I suspect NYP would argue that it was). NYP also needs to obtain an independent assessment of its compliance activities, which is likewise a standard outcome when settling a matter.
The more amorphous requirement in the settlement is that NYP must reach out to the third parties that allegedly improperly received protected health information. NYP is directed to instruct each third party to delete any protected health information it received and to provide written confirmation of the deletion. That all sounds great, but who will audit whether the deletion actually occurred, and who would or could enforce a failure to delete the information? The requirement looks good on paper but is less certain in reality.
Connection to Bigger Picture
The settlement between NYP and the New York AG continues the ongoing attention to the intersection of tracking technology and healthcare. That intersection is not necessarily a negative, but utilization of such technology does need to occur on an informed and considerate basis. Throwing tools into live environments without understanding how they operate or what regulatory quandaries that could arise is a recipe for trouble. From that perspective, the settlement just reinforces the need to think through an action before it occurs.
Additionally, the relatively small amount of the settlement and the compliance activities agreed to could reasonably be read as a nuisance settlement from NYP's perspective. As noted, none of the compliance activities go beyond what should be occurring without government intervention, and the payment is not outrageous. Given the high-profile nature of the issue, though, and the aggressiveness an attorney general is likely to bring, defending the case through full litigation would probably have been much more expensive without any assurance of a favorable outcome. Viewed through that lens, a settlement makes more sense.
However, the settlement does nothing to clarify, from a strictly legal perspective, whether actual wrongdoing occurred or whether the Office for Civil Rights went too far with its guidance. Those points should still be explored further. What is the correct venue to do so, though? Engagement with the Office for Civil Rights, and honest dialogue between the regulators and players in the industry, makes the most sense. Trying to hash out the issues through competing articles or press coverage should not be expected to meaningfully move the needle. Sitting down at a table with the intent to improve privacy and security for all would, and that is a reasonable possibility.
Ultimately, no one should expect this issue to go away any time soon. Trying to start the year optimistically though, there is a way to approach the issue of tracking tools in a way that sets a clearer path forward for everyone.
This article was originally published on The Pulse blog and is republished here with permission.