As a provider, a question worth asking yourself these days is this: what degree of risk is there that you might have something on your website that could lead to a multi-million-dollar class-action lawsuit and a determination by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that you violated the Health Insurance Portability and Accountability Act (HIPAA)?
As anyone who has seen the pop-up banners on many websites over the past few years knows, websites often use “cookies,” small packets of data, to track activities on the site. Sometimes, these cookies also share information with third parties.
Social media and online ad companies provide some of the most common cookies and other tracking tools to website owners. “Meta Pixel,” provided by Meta – Facebook’s parent company – and Google Analytics are among the most ubiquitous. But nearly every social media company, such as LinkedIn, Snapchat, TikTok, Twitter-slash-X, offers something.
These cookies are often used to figure out how effective advertising campaigns and websites are at driving people to sites and then prompting them to take certain actions, such as buying a product – or, potentially, making an appointment with a doctor.
In the process, these tools often send information back to a third party, such as Meta or Google.
And here’s where OCR and some plaintiffs think there might be a problem.
In the past year, dozens of class-action lawsuits have been filed against healthcare entities because of their websites’ use of Meta Pixel and other tools. We have four in federal court just here in Minnesota, where I am.
So far, these lawsuits have mostly targeted hospital systems. But they are starting to target smaller entities. For example, one was recently filed against a small clinic in Florida.
The central claim is that healthcare entities cannot share information people provide on their websites. Tracking technologies do that.
So, what’s the risk?
An older, similar case settled for $18.4 million.
One of the newer cases settled about a month ago for more than $12 million.
But on the other hand, federal courts have also dismissed (or mostly dismissed) several cases in the last few months.
Because these lawsuits are so new, it’s hard to say what the risk will ultimately be.
Unfortunately, the risk is not just a lawsuit. OCR issued guidance in December 2022 related to these tools. It took the position that many practices and uses of tracking technologies are barred by HIPAA’s Privacy Rule. It reminded readers that civil penalties may apply if the use violates HIPAA. Fortunately, it also gave some examples of where HIPAA does not apply.
If David Glaser were here, he would remind us that guidance is only guidance. It is not the law.
And one federal judge recently ruled that OCR’s interpretation, and I quote, “goes well beyond the meaning of what the statute can bear.”
So, what can you do to reduce your risk?
Start by evaluating:
Ultimately, it is tough to say what the full risk is. Situations vary, and it may be fact-sensitive. And all this action regarding healthcare cookies is still new and changing.
So, while I’m not sure if it’s because my 3-year-old just discovered the glories of Sesame Street, or because I spend a lot of time thinking about cookies on my clients’ websites, either way, the Cookie Monster’s song “C is for Cookie” has been stuck in my head recently.
Cookie Monster sings, “C is for Cookie, that’s good enough for me.”
Cookie Monster is right:
C is for Cookie, and that might be good enough for Cookie Monster.
But C is also for “Class Action Lawsuit.”
Or a “Complaint” filed with the Office for Civil Rights.
Go get yourself a cookie to eat, and then check in on your website’s cookies.
Hospitals across the United States face mounting financial strain from Medicaid underpayments, but red states – those with Republican-majority legislatures and governors – stand to
The shift from fee-for-service to value-based care (VBC) is reshaping how healthcare organizations are reimbursed and evaluated. In this new environment, success hinges not only
Please log in to your account to comment on this article.
Only ICD10monitor delivers what you need: updates on must-know changes associated with the FY26 IPPS, including new ICD-10-CM/PCS codes, CCs/MCCs, and MS-DRGs, plus insights, analysis and answers to your questions from two of the country’s most respected subject matter experts.
This third session in our 2026 IPPS Masterclass will feature a review of FY26 changes to the MS-DRG methodology and new technology add-on payments (NTAPs), presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.
This second session in our 2026 IPPS Masterclass will feature a review the FY26 changes to ICD-10-PCS codes. This information will be presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.
This first session in our 2026 IPPS Masterclass will feature an in-depth explanation of FY26 changes to ICD-10-CM codes and guidelines, CCs/MCCs, and revisions to the MCE, presented by presented by nationally recognized ICD-10 coding expert Christine Geiger, MA, RHIA, CCS, CRC, with bonus insights and analysis from Dr. James Kennedy.
RACmonitor is proud to welcome back Dr. Ronald Hirsch, one of his most requested webcasts. In this highly anticipated session, Dr. Hirsch will break down the complex Two Midnight Rule Medicare regulations, translating them into clear, actionable guidance. He’ll walk you through the basics of the rule, offer expert interpretation, and apply the rule to real-world clinical scenarios—so you leave with greater clarity, confidence, and the tools to ensure compliance.
Bring your questions and join the conversation during this open forum series, live every Wednesday at 10 a.m. EST from June 11–July 30. Hosted by Chuck Buck, these fast-paced 30-minute sessions connect you directly with top healthcare experts tackling today’s most urgent compliance and policy issues.
Fraud convictions don’t just punish a few bad claims; they can wipe out years of reimbursements. Don’t wait for an audit to learn the rules. Join Frank Cohen, MPA, for a live Q&A on spotting red flags, avoiding liability, and protecting your practice. Register now and bring your questions!
Substance abuse is everywhere. It’s a complicated diagnosis with wide-ranging implications well beyond acute care. The face of addiction continues to change so it’s important to remember not just the addict but the spectrum of extended victims and the other social determinants and legal ramifications. Join John K. Hall, MD, JD, MBA, FCLM, FRCPC, for a critical Q&A on navigating substance abuse in 2025. Register today and be a part of the conversation!
Copyright © 2025 ICD10monitor. Powered by MedLearn Media.
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
