The Next Class Action Lawsuit - Online Tracking Technologies

Provided by: Jennifer Kirschenbaum, Esq.

May 7, 2024

Question:
Jennifer,

Have you heard or seen of class actions trolling for plaintiffs for online tracking technologies? Have you seen the VillageMD lawsuit - https://www.documentcloud.org/documents/24542347-villagemd_online_tracking_lawsuit? Any advice?

Thanks,
Dr. W

Answer:
Unfortunately, yes. I have seen the class action trolls and the VillageMD suit; thank you for the reminder. The impetus - HHS recently published https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html discussing the use of online tracking technologies by HIPAA covered entities and business associates under the HIPAA Security Rule. The focus is on embedded tracking by a third party or access point where a patient may, unbeknownst to them, be disclosing personal information to a third party that is then used without consent. In these suits, the plaintiffs are alleging all sorts of damages from the breach of their protected information, and they are doing so in a class action forum, which can be "lights out" for an organization not protected by insurance, or regardless.

How do you protect against any this threat? One option - Do not allow patients to insert their information electronically to you. Second option - Make sure you incorporate technologies and vendors who are mindful and compliant with HIPAA. You must always have a proper business associate agreement in place with any vendor accessing more than incidentally your patient protected health information, which may include an IP address.... You also need a privacy policy alerting users to the tracking. A website banned allowing users to accept or reject tracking is NOT sufficient.

PHI can include information such as the user’s IP address, email address, name etc. Whether the information is classified as PHI is determined, in great part, by whether the user accessed the website for health or billing related purposes. For instance, if a high school student is writing an essay on oncological advancements, her IP address collected by the webpage is not PHI. If someone is looking for a second opinion on a cancer diagnosis, his IP address collected by the webpage is PHI.

We will continue to monitor this exposure, and we are available to discuss best practices upon request.

Ask us a question

Jennifer Kirschenbaum, Esq. Partner

Ask us your questions. We will help if we can & let you know before any charge is incurred.

Jennifer@kirschenbaumesq.com

Educational Webinars

A discussion on Market impact to practice

Preparing for PPP Forgiveness and Patient Care Impacts with Covid 19

Looking for the KK Healthcare Exchange? Click Here.

MISSED OUR RECENT WEBINARS? CLICK HERE ANYTIME!

Looking for HIPAA and compliance forms?
Click here to visit our website.

Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or at (516) 747-6700 x. 302.

Interested in having Jennifer speak at an event or
at a residency/fellowship program?
Contact Jennifer directly at (516) 747-6700 x. 302 or at Jennifer@Kirschenbaumesq.com

Click here to learn about
K&K's Prepaid Legal Audit/Investigation Defense Now!