Baker & Hostetler LLP

11/18/2024 | Press release | Distributed by Public on 11/18/2024 13:16

DSIR Deeper Dive: Tracking the Crackdown on Tracking/Pixel Technologies: Web Litigation and Regulatory Landscape – Part 2


In the first part of this blog post, we looked into the OCR and FTC's focus on third-party tracking technologies. We also reviewed the AHA Lawsuit and its impact on the use of tracking technologies. In this blog post, we cover the Loper Bright decision overturning the Chevron doctrine, the compliant use of tracking technologies, and the current landscape of privacy class actions in this space.

Loper Bright and the Overturning of Chevron Deference

The AHA Lawsuit decision wasn't the only bench slap regulators received in June 2024. Only a week after the Texas decision, the U.S. Supreme Court overturned the doctrine of Chevron deference in Loper Bright Enterprises v. Raimondo. For over 40 years, the Chevron doctrine gave federal administrative agencies the primary role in interpreting and enforcing ambiguous statutes and regulations, thereby significantly reducing the role federal courts played in reviewing administrative agencies' rules and orders.

In Loper Bright, the Court concluded that the Chevron doctrine could not be reconciled with the Administrative Procedure Act (APA) - which specifies that courts, not agencies, will decide "all relevant questions of law" arising on review of agency action - and the long-standing rule that courts "say what the law is."

Going forward, although courts may consider an agency's interpretation of an ambiguous statute, Loper Bright explains that they cannot defer to it and "must exercise their independent judgment in deciding whether an agency has acted within its statutory authority."

With Loper Bright in hand, entities may feel emboldened to file suit against HHS OCR in federal court to challenge enforcement actions that aren't strictly aligned with HIPAA statutory language. Because covered entities must first appeal OCR determinations to administrative law judges who have historically sided with OCR, and because under Chevron federal courts would defer to OCR's own favorable interpretation of the statute, challenges have rarely been considered worth the effort. Now, without the need to contend with Chevron deference, we expect HIPAA-regulated entities will be more apt to seek judicial review of OCR enforcement actions. Coupled with the AHA Lawsuit decision, Loper Bright provides a strong deterrent for HHS OCR to significantly pursue alleged violations based on website technology usage on unauthenticated covered entity websites. Our full coverage of Loper Bright can be found here.

The Search for 'Compliant' Tools

While the AHA Lawsuit was a significant win, it did not eliminate the need for healthcare entities to be vigilant in this space. Healthcare entities wanting to use tracking technologies on their public websites to capture user-entered information or on their authenticated websites still must tread carefully. Many of our clients made the difficult decision to remove all third-party technologies from their webpages while they search for alternatives for keeping their websites functional and relevant without transmitting information that crosses the line of PHI.

Many vendors offer tools they say will address the parts of OCR's December 2022 bulletin that remain in effect while allowing healthcare entities to maintain critical insights based on the use of their websites. But vendors' willingness to enter into a business associate agreement varies. Even where a business associate agreement is attainable, some of the more comprehensive tools come at a significant cost to healthcare entities, including substantial internal resources required to properly configure and utilize the tool.

Whether removing, replacing or modifying third-party web technologies, healthcare entities should continue to ensure a strong corporate governance process and collaborative approach between marketing and compliance departments, an in-depth understanding of the use of any technologies on their websites, and a thorough assessment of the risks and benefits associated with the use of such technologies.

The Continued Wave of Privacy Class Actions

In the 2023 Data Security Incident Report, we reported that more than 50 class action lawsuits were filed against healthcare entities alleging that the use of third-party technologies on their websites allowed for the unauthorized disclosure of patients' identities, health information and online activities in violation of state and federal statutes and common laws (Healthcare Pixel Actions). As discussed above, HHS OCR's release of the names of all hospital systems and telehealth providers that received its July 2023 warning letter created a convenient list from which class action plaintiffs' attorneys could solicit named plaintiffs and file class action lawsuits. As a result of HHS OCR's and the FTC's actions, the number of copycat lawsuits filed against healthcare entities for their use of third-party technologies has ballooned to over 200 - with BakerHostetler defending healthcare entities in over half of pending Healthcare Pixel Actions.

Healthcare entities have been successful in getting a few complaints completely dismissed, but courts generally grant plaintiffs leave to amend. In most instances, courts have allowed some of the claims brought by plaintiffs to move past a motion to dismiss, including statutory claims such as state and federal wiretap claims, as well as state common law claims such as invasion of privacy. These remaining claims may include statutory damages, substantially increasing healthcare entities' potential liability.

To date, no Healthcare Pixel Actions have been litigated to conclusion, and thus the claims brought by plaintiffs remain novel. We are aware of only two Healthcare Pixel Actions class certification decisions: one granting class certification and the second denying it. A trial is set for February 2025 for the action in which class certification was granted. This will be the first Healthcare Pixel Actions trial in the nation, and its outcome will likely impact defense strategies in other class actions against healthcare entities. In opposing class certification, defendants should focus on key differences in plaintiffs' and putative class members' experiences that can be used to either obtain a complete denial of class certification or narrow a class (such as their purpose for visiting webpages, their interactions with webpages, and their browser and device settings) because this can impact what information - if any - is transferred to third parties.

Two healthcare entities, both represented by BakerHostetler, have also successfully obtained dismissal of claims at the summary judgment level in two separate cases. In the first decision, the court dismissed the plaintiffs' unjust enrichment claim (in addition to several other state law claims, including the only claims that allowed for statutory damages), finding that if anyone was unjustly enriched, it was third parties that obtained data - not the healthcare entity. That court also held that patient status, without more, does not constitute healthcare information, because it does not directly relate to a patient's healthcare under the pertinent statute. In the second decision, the court found that there was no evidence that information transmitted through the plaintiff's use of the healthcare entity's website was content under the state wiretap act and that the plaintiff could not show any damages to support his privacy claim, much less a highly offensive intrusion under a reasonable person standard. Depending on the facts unearthed during discovery, defendants may be able to further limit plaintiffs' claims or defeat complaints altogether through summary judgment.

The other aspect of litigation for defendants to consider is whether and when to discuss potential settlement with plaintiffs' counsel. In 2023 and 2024, we have seen an increase in Healthcare Pixel Actions settlements. Pixel settlements can involve unique facts and circumstances that can impact settlement costs. While there are some outliers, most recent pixel settlements have been structured as common funds that equate to approximately $4-$6 per settlement class member. For instance, one action settled for $12.225 million for a class of approximately 3 million individuals. In January 2024, parties settled a second action for $6.6 million for a settlement class comprised of approximately 1.36 million individuals. More recently, parties reached a $6 million settlement for a putative class of approximately 987,000. Though these settlements equate to approximately $4-$5 per putative class member, we continue to see much higher initial demands from plaintiffs' counsel. Because of this disconnect, many Healthcare Pixel Actions have moved into discovery rather than reaching early classwide settlement.

When assessing potential settlement of Healthcare Pixel Actions, defendants should first consider the claims at issue. For instance, plaintiffs rarely allege any actual injury (or if they do, they may concede in briefs that actual damages are small or difficult to quantify). Instead, the liability risk is frequently tied to the potential for statutory damages related to specific claims. Defendants should also weigh the potential costs of discovery, which can vary depending on the amount of electronic discovery and the potential need for discovery-related motion practice. Plaintiffs have been increasingly aggressive in discovery, presumably in an effort to try to settle the case(s).

What Comes Next?

Between the AHA Lawsuit and the Supreme Court's Loper Bright decision, HHS OCR has appeared less enthusiastic about its handful of ongoing pixel-related investigations. And rightly so - given the precedent, HHS OCR cannot be certain that a district court would uphold enforcement attempts that stray too far from the text of HIPAA itself.

Plaintiffs' attorneys, on the other hand, are likely feeling emboldened by the settlements that are now being announced regularly in pixel-related class actions. If there is a dip in case filings, it may be only because the plaintiffs' bar has run out of defendants to sue.

The dramatic expansion of the FTC's Health Breach Notification Rule in 2024 is a serious hazard going forward. The FTC flexed its enforcement muscle in 2023, showing its interest in this space. Potentially more dangerous is the fact that the amendments to the Health Breach Notification Rule so significantly and unexpectedly broaden the scope of entities subject to the rule that many companies likely do not yet realize they are in the crosshairs.

The common thread through the regulatory and litigation stories is that entities need to carefully assess their website tracking technology usage and be confident that the risk of regulatory and class action is worth the benefit conferred by these technologies.
