MedCity Influencers

The Rising Stakes of Healthcare Data Privacy in 2024: The Need for Practical Guidance

Where we’ve been, where we’re going, and how healthcare organizations can protect themselves from privacy risks caused by the Meta pixel and other third-party trackers

Data privacy became a significant issue in the healthcare sector in 2023. Many lawsuits were filed, fines and regulations were imposed, and some healthcare websites had to report breaches. Regulatory bodies like the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) warned multiple healthcare organizations that third parties may be unlawfully collecting health data on their websites.

The focus on data privacy has only intensified in 2024, with new laws adding to the patchwork of regulations already in place. This article explores where we’ve been, where we’re going, and how healthcare organizations can protect themselves from privacy risks caused by the Meta pixel and other third-party trackers.

Review of 2023 – Regulatory actions and lawsuits in healthcare

2023 kicked off with the FTC’s fine to GoodRx for $1.5 million in February. The issue at hand is one that so many healthcare companies have since learned firsthand: GoodRx was sharing personal health information with Meta, Google, and other third parties without the required consumer disclosure and consent from their website visitors. As we have now seen in hundreds of cases, websites usually are not intentionally sharing this data with third parties, but avoiding this sharing on a modern website can be harder than it seems.

Similarly, BetterHelp faced a $7.8 million fine the following month. In July, a joint letter from the FTC and HHS warned 120 hospitals and telehealth systems about using the Meta Pixel, the personal health information it could potentially share, and how that could be considered a HIPAA violation. The FTC warned that using third-party pixels could potentially breach the FTC Act, the HIPAA Privacy, Security, and Breach Notification Rules, and various state and federal laws. 2023 also shed light on the viability of Meta pixel lawsuits, with many hospitals settling, including Advocate Aurora Hospital for $12.25 million in August. While the focus on healthcare data was clear, the overall solution was less so, as many healthcare and retail sites came to learn.

These enforcement actions are catching up to the current state of data sharing, which has typically been business as usual (BAU) when building websites. It’s not so much that a company wants to share your data or has ill intentions. Third parties use the data they receive to offer companies the opportunity to target ads or custom content to consumers. That’s where things get sticky with healthcare and other sensitive data.

Here’s the scenario we all want to avoid. When visiting your hospital’s website to check your appointment, you decide to search for various medical conditions for you or a loved one. That information is shared with other trackers, and in turn other trackers and data aggregators, and often ends up with data brokers. The data is then used as criteria for whether or not you see ads for, let’s say, cancer treatment on other websites across the internet. This can lead to some embarrassing moments if you’re screen sharing at work and happen to open up a search bar (think ad for addiction rehab).  

The issue gets considerably more serious when precise location tracking is used and shared. Consider this happening when searching for sensitive conditions like reproductive health care, addiction or mental health treatments, etc. Isn’t this the privacy HIPAA promised to protect?  

2024 – Current privacy landscape & privacy predictions

As we move into 2024, the focus on healthcare continues. Currently, 16 state privacy laws have been signed, with five states (California, Colorado, Virginia, Connecticut, and Utah) already enacted. Additionally, two healthcare-specific laws, one in Nevada and one in Washington, became effective on March 31, 2024. Three more states (Tennessee, Florida, and Oregon) will enact laws on July 31, 2024 followed by Montana on October 1, 2024. With states taking the lead, companies face a complex regulatory landscape, navigating multiple state-specific regulations.

On April 5th, two key members of Congress proposed a draft bipartisan, bicameral federal privacy bill known as the American Privacy Rights Act. Even if this bill is not passed, it shows the urgency and popularity of regulating privacy.

The Washington My Health My Data Act (MHMDA) is particularly noteworthy for several reasons:

  • It broadens the definition of consumer health data to include various personal information linked to a consumer, encompassing medical records, interventions, reproductive health, biometrics, and inferences from non-health data like online browsing histories.
  • MHMDA mandates clear, affirmative, informed, and unambiguous opt-in consent for data collection, sharing, and sale, setting a high bar for valid consent.
  • The law allows consumers to sue organizations for violating consent and data handling requirements, enhancing enforcement and potentially broadening the law’s interpretation. And with one of the first allowed “private rights of action”, individuals can now initiate lawsuits.

This law marks a significant change in how companies must manage sensitive health data, extending beyond the current HIPAA regulations. It addresses health data collected and shared through tracking tools like the Meta pixel and others. We anticipate more lawsuits and expect more states to enact similar laws in 2024.

Challenges and tools for compliance

While regulations are being passed with increasing frequency, practical guidance on how to comply is still lacking. Compliance is made harder by the complexity and dynamic nature of the web and by the fact that the existing compliance tools fall short in many instances.

Websites evolve daily, and so do the trackers on them, but consent tools often struggle to keep up with the daily discovery of new trackers. When it comes to implementing consent tools, there’s often a perception that simply deploying a consent management tool equates to automatic compliance. This is NOT the case. Consent tools require a significant amount of manual configuration during initial setup, and they need ongoing manual oversight and updates to remain compliant as the trackers on a website change. Other common setup problems are that the consent tool is missing from certain pages and that it does not recognize every data collection mechanism, such as pixels and fingerprinters, so your company may be collecting data without proper consent.

In summary, most companies want to do right, but the rules are unclear, and the tools often don’t work as they should.

Staying ahead: Protection strategies

Effort and intent to abide by privacy regulations go a long way. To safeguard against unauthorized data collection, companies should:

  • Gain visibility and control over all third parties on their websites and apps. Implement real-time scanning and blocking tools to inform you of known and unexpected third parties.
  • Know the scope of your data sharing, and ensure tools are in place to limit the scope and use of data by every third party that receives it. Even if a contract is in place, you still want to monitor their data collection practices.
  • Scan often to reliably manage the risk of new trackers and tags being added. Because a third party can suddenly permit another third party to collect data on your sites, the set of third parties can change constantly.
  • Obtain explicit user consent to ensure ongoing management and compliance with evolving regulations. Regularly audit consent tools to ensure they function properly, gathering consent for all sources of data collection and on all pages.
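One way to put the first three points into practice, as an added example in JavaScript that is not the article's or LOKKER's code: it inventories the hosts a page loads, flags the Meta pixel and other known trackers (recording which query parameters they carry, since the page URL sent by a pixel is how a condition search leaks), lists anything not on a reviewed allowlist, and derives a Content-Security-Policy that blocks unknown third parties. The allowlist, tracker signatures and sample URLs are constructed assumptions.

```javascript
// Added example (not from the article or LOKKER). Allowlist, tracker
// patterns and sample URLs are constructed assumptions for illustration.
const ALLOWED_THIRD_PARTIES = new Set(['cdn.example-consent.com']);

// Request patterns for trackers the article names (assumed signatures).
const KNOWN_TRACKERS = [
  { name: 'Meta pixel', test: (u) => u.hostname === 'connect.facebook.net' ||
      (u.hostname === 'www.facebook.com' && u.pathname.startsWith('/tr')) },
  { name: 'Google tag', test: (u) => u.hostname === 'www.googletagmanager.com' ||
      u.hostname === 'www.google-analytics.com' },
];

// In a browser, list every resource URL the page fetched (scripts, pixels,
// beacons). Guarded so the module also runs under Node with the sample data.
function collectPageUrls() {
  if (typeof performance === 'undefined' || !performance.getEntriesByType) return [];
  return performance.getEntriesByType('resource').map((e) => e.name);
}

// Classify each URL relative to the site's own host. For known trackers the
// query parameter names are recorded: parameters such as the page URL are
// how a pixel reports what a visitor searched for.
function classifyRequests(firstPartyHost, urls) {
  const report = { firstParty: [], allowed: [], knownTrackers: [], unknown: [] };
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch { report.unknown.push(raw); continue; }
    const h = u.hostname;
    if (h === firstPartyHost || h.endsWith('.' + firstPartyHost)) { report.firstParty.push(h); continue; }
    const tracker = KNOWN_TRACKERS.find((t) => t.test(u));
    if (tracker) { report.knownTrackers.push({ name: tracker.name, host: h, params: [...u.searchParams.keys()] }); continue; }
    (ALLOWED_THIRD_PARTIES.has(h) ? report.allowed : report.unknown).push(h);
  }
  return report;
}

// Content-Security-Policy permitting only the site itself and reviewed hosts,
// so a newly injected or chained tracker is refused by the browser.
function buildCsp(allowedHosts) {
  const src = ["'self'", ...[...allowedHosts].map((h) => `https://${h}`)].join(' ');
  return `default-src 'none'; script-src ${src}; connect-src ${src}; img-src ${src}`;
}

// Constructed sample of what a hospital page might load.
const SAMPLE_URLS = [
  'https://www.example-hospital.org/appointments',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://www.facebook.com/tr?id=0000&ev=PageView&dl=https%3A%2F%2Fwww.example-hospital.org%2Fconditions',
  'https://cdn.example-consent.com/banner.js',
  'https://tracker.unknown-adtech.example/beacon.gif',
];
console.log(JSON.stringify(classifyRequests('example-hospital.org', SAMPLE_URLS), null, 2));
```

In a browser, pass `collectPageUrls()` instead of `SAMPLE_URLS` to inventory the live page; anything in `unknown` is a host to review or block before it receives data.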

Regular data audits, training teams on privacy practices, and fostering collaboration between IT and legal departments are crucial. With dynamic technological changes, vigilant monitoring is essential to avoid unintended consequences.

Organizations must prioritize transparency, limit data collection, block unknown third parties, and establish clear processes for navigating the regulatory landscape. It is also crucial to embrace data minimization, implement robust security measures, foster a privacy-first culture, and adapt to ongoing changes.


As CEO & Founder of LOKKER, Ian Cohen is dedicated to providing solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen formerly served as CEO for Credit.com, and CPO for Experian, where he focused on consumer-permissioned data.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
