Reed Smith In-depth

Health care and health care-adjacent organizations face materially increased regulatory and class action risk from commonly used third-party analytics and advertising services (ad/analytics services) on their websites, patient portals, mobile applications, and other Internet-connected services. Recent settlements with regulators and class action plaintiffs have resulted in millions of dollars in payments, bans on disclosing health information for advertising purposes, and long-term regulatory oversight of organizations’ data sharing practices. In this alert, we briefly examine the sources of risk, including the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), state enforcement authorities, and class action plaintiffs, and highlight some considerations for mitigating each.

Online ad/analytics services in a nutshell

Most websites and mobile applications include code that allows vendors of ad/analytics services to collect information about users as they interact with the site or app. That code may include, for example, third-party cookies, web beacons or tracking pixels, and session replay scripts (collectively, third-party trackers), and the data it collects typically includes the pages or screens visited, the referring page, the user's IP address, and identifiers the vendor sets in cookies or device storage. The vendors then process and analyze data collected via third-party trackers for various purposes, such as providing user analytics reports, facilitating online advertising (both personalized and non-personalized), and helping website and mobile application operators evaluate user experience decisions and better understand what content is popular. Vendors also typically use the data for their own purposes, such as providing their services to other customers and developing and improving their products and services.
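The first step in managing this risk is knowing which third-party trackers a page actually loads. The following Python script is an added example, not code from this alert or from Reed Smith: it parses a page's HTML, lists every script, image, iframe and link resource served from a host other than the page's own, and labels each by the way it typically moves data to the vendor (a 1x1 image is the classic tracking pixel). The sample page and all vendor hostnames in it are constructed placeholders, not real ad/analytics services.

```python
"""Static inventory of third-party loads in an HTML page.

Added example: not code from the Reed Smith alert. The vendor hostnames in
SAMPLE_HTML are constructed placeholders, not real ad/analytics services.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose fetched URL is the usual carrier for third-party trackers, and the
# attribute that holds that URL.
TAG_URL_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, attrs) for every element that makes the browser fetch a URL."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        attr_name = TAG_URL_ATTR.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if attrs.get(attr_name):
            self.elements.append((tag, attrs))


def _same_site(host, first_party):
    """True when host is the first-party host or a subdomain of it."""
    return host == first_party or host.endswith("." + first_party)


def _classify(tag, attrs):
    """Label the element by how it typically sends data to the vendor."""
    if tag == "script":
        return "script"   # runs as the page: can read the DOM, form fields, URL
    if tag == "iframe":
        return "iframe"   # embedded vendor document; page URL sent as referrer
    if tag == "img":
        # A 1x1 image is the classic tracking pixel / web beacon.
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            return "pixel"
        return "image"
    # <link rel=preconnect|dns-prefetch> transfers no page data by itself, but
    # it is a strong hint that a tracker on this page talks to that host.
    return "hint"


def audit_third_party(html, page_url):
    """Return one finding per third-party resource the page would load.

    Each finding is a dict with keys tag, kind, host and url. Resources served
    from the page's own host (or a subdomain of it) are not reported.
    """
    first_party = urlparse(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attrs in collector.elements:
        absolute = urljoin(page_url, attrs[TAG_URL_ATTR[tag]])
        host = urlparse(absolute).hostname
        if host is None or _same_site(host, first_party):
            continue
        findings.append({"tag": tag, "kind": _classify(tag, attrs),
                         "host": host, "url": absolute})
    return findings


def third_party_hosts(findings):
    """Distinct third-party hosts that actually receive data (hints excluded)."""
    return sorted({f["host"] for f in findings if f["kind"] != "hint"})


# Constructed sample: a patient-portal page that loads one first-party script,
# one third-party analytics script, one tracking pixel, one advertising
# iframe and a preconnect hint. None of the vendor hosts are real services.
SAMPLE_HTML = """
<html><head>
<link rel="preconnect" href="https://cdn.example-analytics.net">
<script src="/static/portal.js"></script>
<script src="https://tags.example-analytics.net/collect.js" async></script>
</head><body>
<img src="https://px.example-ads.net/p?ev=pageview" width="1" height="1" alt="">
<img src="https://img.portal.example-hospital.org/logo.png" alt="logo">
<iframe src="https://ads.example-adnetwork.net/frame" style="display:none"></iframe>
</body></html>
"""
SAMPLE_PAGE_URL = "https://portal.example-hospital.org/appointments/schedule"

if __name__ == "__main__":
    findings = audit_third_party(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for f in findings:
        print(f"{f['kind']:7} {f['host']:32} {f['url']}")
    print("third-party hosts receiving data:", third_party_hosts(findings))
```

A static scan like this is only a starting inventory: tag managers and consent platforms inject further trackers at runtime, so a complete picture also needs a capture of the live network requests (for example from browser developer tools) made while walking through authenticated portal pages, where the page URLs themselves can reveal a patient's context.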

What elevated the risk of using online ad/analytics services?

In the last year, users and vendors of ad/analytics services have become a frequent target for federal and state regulators and class action plaintiffs. As previously discussed in our blog post, late last year, HHS’ Office for Civil Rights (OCR), which is responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA), issued a bulletin describing potential HIPAA non-compliance from the use of third-party trackers. Since the beginning of this year, the FTC has settled three separate cases alleging deceptive and unfair business practices under the FTC Act by digital health platforms based on their use of ad/analytics services. The California Attorney General’s first public enforcement action under the California Consumer Privacy Act (CCPA) involved a website’s use of ad/analytics services, and regulators in several states have recently issued statements or entered into settlement agreements related to digital health platforms sharing health information with third parties for ad/analytics purposes. Finally, the plaintiffs’ bar has brought a significant number of class action lawsuits in 2023 against users and vendors of ad/analytics services, building on the explosion of such lawsuits filed in 2022. These class actions are frequently aimed at health care-related organizations and include claims of HIPAA violations.