Managed Care Outlook 2024


Managed care organizations, like all marketers, often seek ways to leverage data to improve their marketing efforts. Most companies across industries use similar technologies to gather this data online. However, the commonplace technologies used to power this data-driven marketing have come under significant attack over the past 18 months. Managed care and other health care organizations have faced increased regulatory and class action risk in connection with the use of cookies, pixels, tags, and other common tracking tools on their websites, mobile applications, and related digital services.

What are tracking tools?

Most websites use code that allows vendors of advertising and analytics services to collect information from users’ devices as they interact with websites. The code may include, for example, third-party cookies, web beacons or tracking pixels, and session replay functions. The providers of these tools then process and analyze data collected via trackers for various purposes, such as providing user analytics and facilitating and targeting online advertising.

What is the risk?

In recent months, federal and state regulators and class action plaintiffs have targeted users and vendors of tracking tools. The managed care industry has not been immune.

In December 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), issued a bulletin describing potential HIPAA noncompliance arising from the use of third-party trackers. The bulletin focuses on educating HIPAA-regulated entities on whether the use of third-party trackers is an impermissible disclosure of protected health information (PHI) under HIPAA. It explains that impermissible disclosures of PHI can occur through routine tracking tools on websites made available by HIPAA-covered entities. In the event a HIPAA-regulated entity experiences an impermissible disclosure, it must analyze whether it has breach-notification obligations under HIPAA, which may lead to regulatory scrutiny and class actions.

Since the beginning of 2023, the Federal Trade Commission (FTC) has settled three separate cases alleging deceptive and unfair business practices under the FTC Act by digital health platforms based on their use of tracking tools. In addition, in the summer of 2023, HHS and FTC issued a joint letter to approximately 130 health care companies alerting them to the regulators' position about the risks that tracking tools pose to the privacy and security of consumers' and patients' health information.

Key takeaways
  • Federal and state regulators and class action plaintiffs are focused on privacy implications of third-party trackers
  • An organization cannot effectively evaluate and mitigate the risk from its use of third-party trackers if it does not have an accurate picture of the scope of their use
  • Practice good website and mobile application hygiene – evaluate whether each third-party tracker is providing benefit that outweighs risk
  • Protect patient data and prevent invasion of privacy with notice and choice options, improved procurement, and renewed vendor diligence