Where Does the Data Go? How the Use of Online Tracking Technologies Puts Healthcare Organizations at Risk

Cory Brennan | Taft Stettinius & Hollister

Ms. Brennan focuses her practice on matters relating to intellectual property, information technology, software licensing and procurement, advertising technologies and digital marketing solutions, data privacy and security, and data breach and incident response. She advises clients on a variety of data governance regulations, including GDPR, HIPAA, and state laws governing personally identifiable information, such as CPRA. She also counsels clients on compliance with various information security standards, including HIPAA/HITECH, NIST, and ISO, and represents clients in responding to information security incidents.

Prior to joining Taft, Ms. Brennan was an associate at the largest health care-focused law firm in the country and focused her practice on information privacy and security as well as emerging technologies in health care, such as telemedicine, medical apps, and artificial intelligence. She holds the Certified Information Systems Security Professional (CISSP) certification and has presented and written extensively on the topics of cybersecurity and third-party risk management.

Mark J. Swearingen | Hall Render Killian Heath & Lyman

Mr. Swearingen has practiced in the area of health information privacy and security for over 20 years, with particular focus on HIPAA compliance, data breach response, government investigations, HIPAA audits and 42 C.F.R. Part 2. Since the HIPAA Breach Notification Rule was issued in 2009, he has handled a substantial number of healthcare data breaches, including cases involving ransomware, email phishing, lost/stolen devices, insider threats and medical devices. Mr. Swearingen regularly guides clients through government investigations of privacy and security incidents and has successfully negotiated resolutions and settlements with both federal and state agencies. He also advises clients on issues relating to emerging technologies, such as telemedicine, medical apps, and artificial intelligence. He has worked with a broad spectrum of organizations, including health systems, hospitals, physician practices, health plans, governments, technology companies and business associates. Mr. Swearingen speaks and writes frequently, both regionally and nationally, on healthcare privacy and security matters.

I. Recent OCR Guidance: In response to a number of class-action lawsuits against hospitals and technology companies alleging the improper disclosure of information collected through online tracking technology, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently issued guidance clarifying that such technology may improperly collect and transmit protected health information (“PHI”), implicating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) | 11:00am – 11:30am

II. Litigation Landscape: OCR’s guidance appears to have emboldened additional class actions by plaintiffs seeking redress for alleged privacy violations | 11:30am – 12:00pm

Break | 12:00pm – 12:10pm

III. Understanding Tracking Technologies: What are third-party tracking technologies and why do they pose such significant risks to healthcare organizations? | 12:10pm – 12:30pm

IV. Challenges for Impacted Providers: For many organizations, getting a better grasp on this complex issue typically requires performing a highly technical investigation of the organization’s web environment to determine which third-party tracking technologies are present and what information is tracked and transmitted through those technologies | 12:30pm – 12:50pm

V. Lessons Learned: The landscape of this issue has evolved significantly since the original allegations related to the use of third-party tracking technologies in healthcare were thrust into the media spotlight in June of 2022. What have we learned since then? | 12:50pm – 1:10pm