Hospitals Sued for DHHS Compliance?
Class actions continue against healthcare entities that used Meta (Facebook) pixels on applications facilitating patient access to electronic health records (EHR). However, the Department of Health and Human Services (DHHS) itself both collected and required the collection of similar data elements to study demographic disparities in healthcare. Still, healthcare entities face legal action for adhering to DHHS initiatives.
Let’s back up. The Meta Pixel tracks website traffic and collects data on website visitors, providing analytics back to the website itself, as well as utilizing the data for third-party marketing purposes. Like retailers and media sites, healthcare providers widely used this technology, leading to claims that the Meta Pixel collected protected health information (PHI) on patients in violation of HIPAA.
In February 2023, two class-action lawsuits were filed in Louisiana against the Willis-Knighton Medical Center and LCMC Health over privacy concerns related to the Meta Pixel technology. A month later, a pediatric patient filed a similar proposed class action against the University of Louisville. And on August 3, 2023, another class action was filed against Seattle-based Overlake Medical Hospital Center for more unauthorized PHI disclosures through the Meta Pixel tool.
In a July 20, 2023 release, the Federal Trade Commission (FTC) warned hospitals and providers against using pixel technology over potential HIPAA violations. That same day, the FTC and the Office of Civil Rights (OCR) within DHHS also released a joint letter citing hidden privacy defects within the pixel technology and threatening HIPAA violations.
DHHS’s very recent position on Meta Pixel technology is a 180-degree shift from its previous guidance. In 2021, the Office of the National Coordinator for Health Information Technology (ONC) released its Interoperability Standards, requiring healthcare insurers to offer and maintain a secure application interface for patients to access their claims, EHR, and providers, using DHHS’s selected HL7 Fast Healthcare Interoperability Resources (FHIR) standards.
In November 2022, DHHS proclaimed its priority to identify gaps in the availability and quality of health equity data across its programs using common data elements (such as race and disability status), collected through computerized mechanisms, to combat inequitable access to healthcare for impacted demographics. DHHS further stated that collection of these data elements “will follow the same HL7 FHIR standards required under the ONC’s interoperability rule.” In other words, DHHS traced demographic data through the same API standards it imposed on its regulated entities through the 2021 Interoperability Act.
Willis-Knighton, one of the Louisiana medical centers subject to a class action, made a similar argument while seeking federal jurisdiction over the lawsuit. While the Western District of Louisiana declined to extend jurisdiction, the defense of “DHHS told me to collect this data” is likely to arise again in state court and is merit-worthy.
With the new class actions arising, DHHS is advised to carefully review the HL7 FHIR application requirements. Government-imposed regulations likely set up Willis-Knighton and the other healthcare defendants for failure, given the lack of consideration for patient privacy in the rush to require patient applications.