Cyber Week is here! Unleash savings from Nov. 20-29. Use code CYBER23 at checkout for 20% off your order. Hurry, exclusions apply! Don’t miss out on the biggest deals of the year!

The Trouble with Cookies – and the Civil Liability They Can Present to Providers

The Trouble with Cookies – and the Civil Liability They Can Present to Providers

As a provider, a question worth asking yourself these days is this: what degree of risk is there that you might have something on your website that could lead to a multi-million-dollar class-action lawsuit and a determination by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that you violated the Health Insurance Portability and Accountability Act (HIPAA)?

As anyone who has seen the pop-up banners on many websites over the past few years knows, websites often use “cookies,” small packets of data, to track activities on the site. Sometimes, these cookies also share information with third parties.

Social media and online ad companies provide some of the most common cookies and other tracking tools to website owners. “Meta Pixel,” provided by Meta – Facebook’s parent company – and Google Analytics are among the most ubiquitous. But nearly every social media company, such as LinkedIn, Snapchat, TikTok, Twitter-slash-X, offers something.

These cookies are often used to figure out how effective advertising campaigns and websites are at driving people to sites and then prompting them to take certain actions, such as buying a product – or, potentially, making an appointment with a doctor.

In the process, these tools often send information back to a third party, such as Meta or Google.

And here’s where OCR and some plaintiffs think there might be a problem.

In the past year, dozens of class-action lawsuits have been filed against healthcare entities because of their websites’ use of Meta Pixel and other tools. We have four in federal court just here in Minnesota, where I am.

So far, these lawsuits have mostly targeted hospital systems. But they are starting to target smaller entities. For example, one was recently filed against a small clinic in Florida.

The central claim is that healthcare entities cannot share information people provide on their websites. Tracking technologies do that.

So, what’s the risk?

An older, similar case settled for $18.4 million.

One of the newer cases settled about a month ago for more than $12 million.

But on the other hand, federal courts have also dismissed (or mostly dismissed) several cases in the last few months.

Because these lawsuits are so new, it’s hard to say what the risk will ultimately be.

Unfortunately, the risk is not just a lawsuit. OCR issued guidance in December 2022 related to these tools. It took the position that many practices and uses of tracking technologies are barred by HIPAA’s Privacy Rule. It reminded readers that civil penalties may apply if the use violates HIPAA. Fortunately, it also gave some examples of where HIPAA does not apply.

If David Glaser were here, he would remind us that guidance is only guidance. It is not the law.

And one federal judge recently ruled that OCR’s interpretation, and I quote, “goes well beyond the meaning of what the statute can bear.”

So, what can you do to reduce your risk?
 Start by evaluating:

  • What tools are you using?
    • Third-party versus internal tools
  • What are your website’s capabilities?
  • What parts of your website is it on?
    • Main page
    • Portal login
    • Inside portal
  • Videos?
    • Video Privacy Protection Act
  • What is in your website’s privacy policy?
    • Do you have one?
    • Do people have to accept it to use your website?
  • Do people have to accept the use of cookies?
  • And as always, what benefit are you getting?

Ultimately, it is tough to say what the full risk is. Situations vary, and it may be fact-sensitive. And all this action regarding healthcare cookies is still new and changing.

So, while I’m not sure if it’s because my 3-year-old just discovered the glories of Sesame Street, or because I spend a lot of time thinking about cookies on my clients’ websites, either way, the Cookie Monster’s song “C is for Cookie” has been stuck in my head recently.

Cookie Monster sings, “C is for Cookie, that’s good enough for me.”

Cookie Monster is right:

C is for Cookie, and that might be good enough for Cookie Monster.

But C is also for “Class Action Lawsuit.”

Or a “Complaint” filed with the Office for Civil Rights.

Go get yourself a cookie to eat, and then check in on your website’s cookies.

Print Friendly, PDF & Email

Geoff Koslig

Geoff is currently an associate at Fredrikson & Byron, P.A. Geoff helps healthcare clients navigate rules and disputes. He specializes in solving compliance, False Claims Act, privacy, and licensure issues for hospitals, clinics, and more. With prior experience in nonprofits and teaching, Geoff offers practical solutions for growth amid changing regulations.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Revolutionize Case Management and Revenue Cycle Team Collaboration to Improve Patient and Financial Outcomes

Revolutionize Case Management and Revenue Cycle Team Collaboration to Improve Patient and Financial Outcomes

Unlock the keys to bridging the clinical-finance disconnect by transforming your approach to revenue cycle collaboration for superior patient care and financial prosperity!

Join Dr. Ronald Hirsch as he delves into the pivotal connection between case management, utilization review, and hospital revenue cycles, unveiling strategies to enhance communication and align goals effectively. Discover how to overcome hidden challenges hindering seamless collaboration and gain insights imperative for success

Print Friendly, PDF & Email
December 7, 2023
Mastering the Two-Midnight Rule: Keys to Navigating Short-Stay Admissions with Confidence

Mastering the Two-Midnight Rule: Keys to Navigating Short-Stay Admissions with Confidence

The CMS Two-Midnight Rule and short-stay audits are here to stay, impacting inpatient and outpatient admissions, ASC procedures, and Medicare Parts C & D. New for 2024, the Two-Midnight Rule applies to Medicare Advantage patients, requiring differentiation between Medicare plans affecting Case Managers, Utilization Review, and operational processes and knowledge of a vital distinction between these patients that influences post-discharge medical reviews and compliance risk. Join Michael G. Calahan for a comprehensive webcast covering federal laws for all admission processes. Gain the knowledge needed to navigate audits effectively and optimize patient access points, personnel, and compliance strategies. Learn Two-Midnight Rule essentials, Medicare Advantage implications, and compliance best practices. Discover operational insights for short-stay admissions, outpatient observation, and the ever-changing Inpatient-Only Listing.

Print Friendly, PDF & Email
September 19, 2023
Unlocking Clinical Documentation Excellence: Empowering CDISs & Coders

Unlocking Clinical Documentation Excellence: How to Engage the Provider

Uncover effective techniques to foster provider understanding of CDI, empower CDISs and coders to customize their queries for enhanced effectiveness, and learn to engage adult learners, leveraging their experiences for superior learning outcomes. Elevate your CDI expertise, leading to fewer coding errors, reduced claim denials, and minimized audit issues.

Print Friendly, PDF & Email
December 14, 2023
Coding for Spinal Procedures: A 2-Part Webcast Series

Coding for Spinal Procedures: A 2-Part Webcast Series

This exclusive ICD10monitor webcast series will help you acquire the critical knowledge you need to completely and accurately assign ICD-10-PCS and CPT® codes for spinal fusion and other common spinal procedures.

Print Friendly, PDF & Email
October 26, 2023
Inpatient Spinal Fusions: Mastering Anatomy, Coding and Documentation

Inpatient Spinal Fusions: Mastering Anatomy, Coding and Documentation

During this exclusive ICD10monitor webcast, inpatient coders will gain a profound understanding of prevalent spinal procedures. They’ll delve into the intricate anatomy, grasp the purpose and method behind these procedures, uncover essential elements within physician documentation, and receive expert guidance, step by step, on constructing accurate ICD-10-PCS codes. It’s the key to enhancing their expertise and ensuring coding precision.

Print Friendly, PDF & Email
October 26, 2023

Trending News