New York Attorney General Letitia James secured $300,000 from NewYork Presbyterian (NYP) Hospital for using web trackers to disclose the health information of individuals who visited the organization’s website in what may be the first state-based settlement against a HIPAA-regulated organization for using web pixels.
The settlement announced Dec. 27 is yet another sign that regulators—including the HHS Office for Civil Rights (OCR), the Federal Trade Commission (FTC) and state attorneys general—remain laser-focused on web-based tracking technologies, even as hospitals argue that they are important tools for public health.
“I believe that health care organizations should be planning for a ‘cookie-less’ future,” said David Harlow, vice president, chief compliance and privacy officer at Insulet Corporation. (Harlow noted that the views he expressed are his own.) “I don’t think that we will ever be entirely free of cookies, pixels, and other trackers, but there is technology available that can eliminate much of the risk of enforcement while still maintaining some analytics capabilities for health care organizations.”
The American Hospital Association (AHA) has pushed back against OCR’s policy on pixels with a federal lawsuit arguing that OCR overreached, and that lawsuit since has drawn support from 17 state hospital associations and 30 hospitals and health systems.
But Harlow said hospitals can’t count on that lawsuit to allow them to continue to use the tools: “Whether or not the AHA’s lawsuit is successful, it should be clear that OCR’s guidance is a reflection of evolving public sentiment about privacy in this country and evolving nonhealth care privacy regulation at the state level.”