A Pennsylvania-based hospital recently defeated a proposed class action lawsuit alleging that it shared patients’ personal health information with Meta Platforms, Inc. (“Meta”), in one of the latest decisions in a growing set of so-called “online tracking technology” lawsuits brought against hospitals and other HIPAA-covered entities.

In Santoro v. Tower Health, CV 22-4580, 2024 WL 1773371, at *1 (E.D. Pa. Apr. 24, 2024), Plaintiffs Patrick Santoro and Jessica Landis—patients of Tower Health and Facebook users since before 2018—contended that Tower Health installed on its publicly accessible website a software made by Meta known as Meta Pixel, which they alleged was a “small piece of code that records information about visitors’ activity to a particular webpage[]” including “content specific to the user such as IP addresses and Facebook IDs” and “also tracks what visitors do on that webpage, including how much time the users spend there or what links they click.” Id. Through its use of Meta Pixel, Plaintiffs claimed that Tower Health captured and transmitted HIPAA-protected, individually identifiable health information to Meta without their consent. The Plaintiffs alleged violation of the federal Wiretap Act, 18 U.S.C. 2510, and also brought claims for negligence and intrusion upon seclusion. 

Judge John F. Murphy of the U.S. District Court for the Eastern District of Pennsylvania held that the Plaintiffs failed to show that the information allegedly disclosed to Meta constitutes sensitive health information. “Mr. Santoro’s theory thus requires, among other things, that the information intercepted by Tower Health and transmitted to Meta falls within the scope of HIPAA’s definition of “individually identifiable health information.” 42 U.S.C. § 1320d-6(a)(3). The HIPAA regulations define individually identifiable health information as “information that is a subset of health information, including demographic information collected from an individual, and: (1) [i] created or received by a health care provider … and (2) [r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual … and (i) [t]hat identifies the individual; or (ii) [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” 45 C.F.R. § 160.103. 

The Court determined that the second amended complaint “lacks specific examples of what HIPAA-protected information from plaintiffs was transferred from Meta[:]”

The second amended complaint tells us nothing about the specific pages Mr. Santoro clicked on, his medical condition, or his history of medical care with Tower Health. So, we cannot determine what information Mr. Santoro actually communicated to Tower Health via his web browsing, and thus cannot tell whether that information might be covered by HIPAA. It is interesting to hypothesize about different circumstances that could get the theory into discovery, but the law requires more than hypotheticals at the pleading stage.

…As best as we can tell from the allegations and undisputed representations, whether individually identifiable health information is intercepted could depend upon how the particular user interacts with the website, including how long they spend on a page, what links are clicked on, and what search terms they input – as well as the nature of the user’s health condition and treatment plan. We need not define what constitutes HIPAA-protected information or otherwise flesh out plaintiffs’ speculation. It is plaintiffs’ responsibility to make factual allegations that plausibly state a claim for relief, and they have not done so here.

Id., 2024 WL 1773371, at *4-5 (emphasis added). Similarly, the Plaintiffs did not sufficiently plead causation to demonstrate a negligence claim, and their intrusion upon seclusion claim failed because the second amended complaint lacks allegations sufficient to find that any intrusion was highly offensive. Given three chances to plead their claims, Plaintiffs’ latest and final complaint was dismissed with prejudice. 

This Tower Health decision represents a victory for hospitals in the increasingly growing number of so-called “online tracking” class actions. On March 18, 2024, the U.S. Department of Health and Human Services’ Office of Civil Rights updated its guidance regarding the use of online tracking technologies, but the American Hospital Association contends that the updated guidance “will continue to chill hospitals’ use of commonplace technologies that allow them to effectively reach patients in need.”

Chilivis Grubman regularly advises hospitals, doctors’ groups, and other HIPAA-covered entities and business associates on HIPAA compliance and data privacy issues and defends lawsuits arising out of data breaches and online advertising uses.