DSIR Deep Dive: New Wave of Privacy Hospital Website Analytics Tools Targeted Privacy Section


Like many websites, hospitals often deploy third-party analytics tools to measure browser traffic to increase awareness of their websites, ensure website optimization, and provide healthcare information to the public. But recently there has been a proliferation of class action lawsuits alleging that those analytics tools reveal hospitals’ identities and online activities of patients without their knowledge and consent (the “Hospital Website Pixel Cases”).

BakerHostetler’s Privacy and Digital Risk Division’s Action and Litigation team is currently defending multiple hospital systems in various jurisdictions, including California, Florida, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, Missouri, New Jersey, and others over hospital website pixel issues. New York, North Carolina, Ohio, Pennsylvania, Washington and Wisconsin. The purpose of this blog post is to shed light on the current litigation landscape, provide high-level strategic ideas, and promote best practices for mitigating litigation risk.

Litigation landscape

As of June 2022, more than 100 hospital website pixel cases have been filed against hospitals in federal and state courts across the country. Although the number of cases is increasing, there is a certain condition regarding liability. None of the cases have gone to trial, and we are not aware of any summary judgment or summary judgment decisions. In most cases, motions to dismiss have successfully disposed of certain claims but not entire cases. A state court in Washington granted class certification, while another state court in Maryland denied class certification. Only two settlements have been announced. The first was settled in Massachusetts state court for $18.4 million. Recently, a Wisconsin state court granted preliminary approval of a $2 million settlement. In short, the ultimate question of ultimate liability and settlement exposure remains unknown to this day.

Activities of the petition forum

Plaintiffs in Hospital Website (a) asserted contract claims based on the website’s privacy policies or notices; (b) state law privacy claims (statutory, common law or constitutional) based on unauthorized disclosure of patients’ personal and/or medical information; and (c) federal wiretapping law or similar state law claims based on communications. Other claims have also been proven, including those based on laws that typically target “computer hacking.” See, for example: California General Computer Information Access and Fraud Act – Cal. 502 of the Criminal Code.

In the year On July 12, 2023, the Southern District of California filed a motion to revoke the hospital website’s license to completely dismiss the Pixel Case. Plaintiffs asserted state common law and constitutional privacy claims, breach of fiduciary duty, a California state wiretapping action, and a California Medical Information Act claim. Among other significant rulings, the court held that, as a matter of law, “Plaintiffs cannot maintain their claims based on the theory that the Defendant’s sharing of their browsing activity collected on a public-facing website constitutes a disclosure of their sensitive medical information.” “

Considerations for Hospitals Facing Web Pixel Litigation

As noted, the motions to dismiss certain claims based on the allegations in the complaint and the controlling statute were successful. Many courts have held, for example, that HIPAA-required privacy notices cannot form the basis of plaintiffs’ contract claims. Instead, these notices are provided only to patients to comply with federal law. Another issue to consider is whether plaintiffs have brought specific contractual provisions that a hospital defendant allegedly breached.examplenot to disclose patient information).

Regarding state law privacy claims, one item to consider is whether plaintiffs consented to the alleged analytics practices. For example, at least one Ninth Circuit decision has rejected plaintiffs’ claims that the plaintiffs’ analytics and data display practices on a hospital website barred their statutory and common law privacy claims. As to the interference with immunity claim, Plaintiffs cannot allege that Hospital Defendants obtained patient information.

Additionally, a subpoena argument allows hospitals to successfully defeat some tort claims if their state creates a common law tort for disclosing nonpublic medical information to a third party. For example, a state court in Ohio agreed with this subsummary argument and dismissed the plaintiff’s breach of trust, negligence and fiduciary duty claims.

Other defenses depend on the specific statutes cited and the facts alleged. For example, courts have rejected statutory claims requiring disclosure of “medical information” if none were disclosed. Additionally, courts have rejected state consumer protection law claims for failing to identify sufficient damages to state cognizable loss.

As for the statutory wiretapping claims, the hospital defendants successfully prevailed on these claims, arguing that hospitals could not be held liable for wiretapping as part of the communication, under the actual law at issue. Special conditions do not apply. Courts have also rejected telephone privilege appeals because, among other reasons, some statutes provide no right to privacy, hospitals are not providers of “electronic communications services,” and plaintiffs have failed to prove that the “content” of any communication was transmitted, that “interception” occurred or that interception was “in transit.” It happened.

Finally, the hospital defendants are subject to plaintiffs’ claims to compel arbitration and/or class action, which may be the basis of a motion to strike arbitration and/or class action, respectively.

The plaintiffs also moved for a preliminary injunction from the outset. So far, these efforts have been unsuccessful, in part because plaintiffs often opt out of the collection of their data through various opt-out tools or avoid using the problematic hospital website.

Proof of opposition

In contrast to class certification, hospitals can raise various arguments to support the conclusion that the cases are too personal to support class treatment. For example, there may be key differences in the experience of Class Members (including their purpose for visiting the Website, the pages they visit, and their browser and device settings). To date, we know of one state court that has granted class certification and denied class certification. In denying class certification, the court held that plaintiffs had not shown that common issues of law and fact outweighed individual issues. Moreover, the court held that under state law, plaintiffs’ claims were ineligible for class certification because they raised novel questions.

The only class certification decisions to date in cases against hospitals are unpublished state court decisions. In a landmark ruling regarding similar tracking technology, the Northern District of California denied class certification, holding that the factual issues surrounding Facebook login and clearing and blocking cookies meant that individualized issues predominated over any common issues. The court also said that C_user cookies, which cannot be easily identified, will not be sent to Facebook when the class status is turned on, so the intended class is not identified.

In addition to the individual issues that may preclude class certification, plaintiffs’ proposed class-wide injury theories may be unreliable because they do not reflect the economic realities of the website interaction and/or are inconsistent with plaintiffs’ class-wide claims. Finally, depending on the particular circumstances of each plaintiff, discovery may show that the named plaintiffs are not sufficiently representative of the class because their claims are specifically protected.

Motion for summary judgment or summary judgment

As noted, we are not aware of any summary judgment or summary judgment decisions in the Hospital Website Pixel cases. In terms of benefits, hospitals may consider (a) whether and to what extent patients are willing to use the analytics technology deployed; (b) whether or not analytics technology is deployed on an online patient portal (as opposed to a public-facing website), which is often the case; is not The issue and issue-can be stressful; (c) if state law prohibits disclosure of the Special Information allegedly disclosed; and (d) the precise information disclosed and to whom, among other matters.

Reducing the risk of litigation

Often the best litigation strategy is to minimize the risk of litigation in the first place. While our Privacy and Digital Risk Division’s Actions and Litigation team has experience litigating hospital pixel cases, our Digital Assets and Data Management (DADM) colleagues are experienced in advising hospital clients on issues related to privacy compliance and tracking technologies. Websites. This typically involves conducting investigations, reviewing privacy policies or notices, and advising on best compliance practices from a legal and litigation perspective.

We offer you some site tools and assistance to get the best result in daily life by taking advantage of simple experiences