The sleeping giant of health privacy enforcement is website tracking. The Kroger lawsuits are only the latest example.
In November, Kroger was hit with two proposed class action lawsuits over breach of privacy related to web tracking in its pharmacy operations. Both lawsuits allege that Kroger did not inform pharmacy patients that their health data was being shared with third parties, including Meta. Kroger joins a long list of companies defending similar lawsuits.
These lawsuits illustrate the web-tracking controversy in healthcare brewing over the past year. Organizations that receive and track health data are under fire from Federal regulators and plaintiffs’ lawyers.
Website Tracking Collects Private Information
Website trackers are everywhere on the internet. They enable big tech companies like Google and Meta (Facebook) to gather valuable personal information about website users, including patients and pharmacy customers. This information can be sold to marketers. When a healthcare organization includes Google analytics or Meta Pixels on its website, they often unwittingly transmit protected health information (PHI) to Google and Meta.
OCR and the FTC Enforce Privacy Laws
The Office for Civil Rights (OCR) has stated that web tracking in healthcare is a potential HIPAA violation. The Federal Trade Commission (FTC) is pursuing breach of privacy investigations against non-HIPAA companies for using web trackers. The FTC has gone after GoodRx, BetterHelp, and Premom for privacy violations related to website tracking, obtaining six -and seven-figure settlements from them.
Class Action Lawsuits are a Growing Enforcement Trend
The first lawsuit against Kroger, filed on November 10 in the U.S. District Court of the Southern District of Ohio, alleges that tech companies intercept the information patients provided to Kroger through tracking pixels.
“Plaintiff and Class Members used the Website to submit information related to their prescriptions. The Private Information unauthorized third parties received revealed individual patients’ identities and details about the confidential health care they sought and received from Defendant, including the name of their prescription medications, dosage and form of the medication, and more,”
“In turn, these disclosures allow third parties to reasonably infer that a specific patient was being treated for a specific type of medical condition such as cancer, pregnancy, HIV, mental health conditions, and an array of other symptoms or conditions.”
The lawsuit further alleges that personal information could have been connected directly with a patient’s individual Facebook profile. The plaintiff claims that Kroger breached its statutory and common law obligations to patients despite clearly defined rules under HIPAA and FTC rules.
“Despite these clear laws and regulations, Defendant has essentially planted a bug on patients’ web browsers that forced them to disclose private and confidential Communications to third parties.”
“Kroger’s utilization of the Tracking Tools to secretly track and share with third parties its users’ Communications on its Website is the electronic equivalent of looking over the shoulder of each visitor for the entire duration of their Website interaction. Defendant did not disclose the presence of these Tracking Tools to Website users filling prescriptions with Kroger.”
The Kroger class actions are only the latest lawsuits over web tracking. According to a report from law firm BakerHostetler, more than 50 lawsuits were filed against hospital systems related to third-party pixel tracking between August 2022 and May 2023. Many more have been filed since May.
HIPAA Compliance Prevents Costly Lawsuits
For HIPAA-regulated entities, following HIPAA is the surest way to avoid costly lawsuits and federal investigations. Review the OCR bulletin on website tracking to ensure you understand your obligations.
Note that the FTC Act’s obligations apply to HIPAA-covered entities and business associates, as well as to companies that collect, use, or share health information that aren’t required to comply with HIPAA.
Non-HIPAA regulated entities should follow FTC’s guidance; you can also borrow guidance from HIPAA. Use the highest industry standards and safeguards to maintain the privacy and security of individuals’ personal identifiable information (PII) and protected health information (PHI).