University of Tennessee Medical Center & Margaret Mary Community Hospital Settle Meta Pixel Lawsuits

University of Tennessee Medical Center and Margaret Mary Community Hospital have both agreed to settle class action lawsuits over the use of tracking tools such as Meta Pixel on their websites.

University of Tennessee Medical Center

University of Tennessee Medical Center (UTMC) in Knoxville, Tennessee, has agreed to a settlement to resolve a class action lawsuit that alleged UTMC violated the Tennessee Consumer Protection Act by adding tracking technologies to its website, resulting in the unauthorized disclosure of patients’ personally identifiable health information to Meta, Google, and other third parties.

The lawsuit – Geoffrey Cavalier v. University Health Systems, Inc. d/b/a The University of Tennessee Medical Center – was filed in the Chancery Court for Knox County, Tennessee, and alleged that UTMC used tracking technologies such as Meta Pixel on its websites between January 1, 2015, and September 30, 2023. The plaintiffs allege that the tracking technologies collected and transmitted their personally identifiable information (PII) and protected health information (PHI) to third parties without their knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy (intrusion upon seclusion), breach of implied contract, unjust enrichment, and violations of the Tennessee Consumer Protection Act, Tenn. Code Ann. § 47-18-101, et seq., and Tenn. Code Ann. § 39-13-601. UTMC denies all claims in the lawsuit, maintains there was no wrongdoing, and contends that no tracking code was added to its patient portal and no protected health information was disclosed to any third party via the utmedicalcenter.org website. After considering the costs and risks associated with continuing the litigation through a jury trial, UTMC agreed to settle the lawsuit. The plaintiffs believe that the settlement is fair, reasonable, and adequate, and that settling is in the best interests of all class members.

All class members (individuals who had a patient portal account between January 1, 2015, and September 30, 2023) may submit a claim for a cash payment of $25.00. All individuals who submit a timely and valid claim for a cash payment will also be provided with a complimentary Privacy Shield Pro membership, which includes dark web monitoring, a VPN, data broker opt-out, and other privacy services. The deadline for submitting a claim is December 9, 2025, and the final fairness hearing has been scheduled for December 8, 2025.

Margaret Mary Community Hospital

Margaret Mary Community Hospital in Batesville, Indiana, has settled a class action lawsuit that alleged unlawful use of tracking technologies on its website. The lawsuit claims that Meta Pixel and other tracking tools were used on its website between 2020 and 2023 without users’ knowledge or permission. The lawsuit alleges that adding those tools to the website caused patients’ personally identifiable information to be transferred to Meta and others.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the Indiana Deceptive Consumer Sales Act. Margaret Mary Community Hospital disagrees with all claims and contentions in the lawsuit and maintains that there was no wrongdoing; however, a settlement was agreed to avoid the costs and risks associated with a trial and related appeals.

All class members (individuals who logged into the Margaret Mary Community Hospital patient portal between January 1, 2020, and December 31, 2023) may claim a cash payment of $25.00 and a complimentary membership to a Privacy Shield Pro product. Individuals wishing to opt out of or object to the settlement must do so by November 15, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for December 18, 2025.

The post University of Tennessee Medical Center & Margaret Mary Community Hospital Settle Meta Pixel Lawsuits appeared first on The HIPAA Journal.

HELP Committee Chair Introduces Health Information Privacy Reform Act to Protect Americans’ Health Data

New legislation – the Health Information Privacy Reform Act – has been introduced to improve privacy protections for health information that is not currently covered by the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA, there are strict limits on uses and disclosures of personally identifiable health information, and safeguards must be implemented to prevent unauthorized access to physical and electronic protected health information. The problem for consumers is that the scope of HIPAA is quite narrow. HIPAA only applies to health information that is created, collected, maintained, stored, or transmitted by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or a business associate of a HIPAA-covered entity.

Health apps, such as ovulation and fertility tracking apps, can collect large amounts of personally identifiable health information. While the health data would be classed as protected health information (PHI) and be subject to HIPAA protections if it were collected by a healthcare provider, the health information collected by health apps, smartwatches, and other wearable devices is rarely protected by HIPAA or the HITECH Act of 2009, which applies to certified health information technologies.

When HIPAA was enacted more than two decades ago, health information was generally only collected and stored by healthcare providers, health plans, healthcare clearinghouses, and vendors of those entities; however, today, technologies that collect health data are widely used outside of a hospital or doctor’s office.

While there are federal laws that apply to non-HIPAA-protected health data, such as Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule, they are not as stringent as HIPAA. Some states, such as California, have introduced legislation to improve privacy protections for non-HIPAA health data, but state laws are patchy. Privacy protections can differ considerably from state to state.

U.S. Senator Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is looking to change that with the Health Information Privacy Reform Act, which seeks to expand health privacy protections to account for new technologies such as health apps, smartwatches, and other wearable devices.

“Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” said Sen. Cassidy. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”

The Health Information Privacy Reform Act will apply to health technologies not covered by HIPAA or the HITECH Act and seeks to expand protections to include non-HIPAA-regulated entities, such as healthcare providers that only accept out-of-pocket payments.

The bill requires the Secretary of the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to promulgate privacy, security, and breach notification standards to cover all health information not covered by HIPAA or the HITECH Act. Those standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with, the protections provided through the privacy, security, and breach notification rules promulgated under [HIPAA and the HITECH Act].”

Covered entities will be required to disclose to consumers how their private health information will be used and disclosed. The bill requires the HHS to formulate permitted uses and disclosures for when individual authorization is not required, set authorization requirements, and establish a set of prohibited uses and disclosures.

As with HIPAA, there will be minimum necessary requirements to ensure that uses and disclosures are limited to the minimum necessary information to achieve the purpose for which health information is used or disclosed. The bill will also give individuals rights over their health information, such as the right to receive a privacy notice, access their health data, and request an amendment or deletion of data, and it requires covered health information to be portable.

Physical, technical, and administrative safeguards must be implemented, including safeguards for electronic health information based on established national frameworks such as the NIST Cybersecurity Framework or the HHS health sector cybersecurity performance goals. In the event of a breach of covered health information, notifications are required, in line with those of the HIPAA Breach Notification Rule.

Within one year of the bill being passed, the Secretary of the HHS is required to establish unified national standards for rendering health information de-identified, similar to the de-identification requirements of HIPAA, and publish guidance on the application of the minimum necessary standard to data used for artificial intelligence and other machine learning applications.

The bill also requires the HHS to contract with the National Academies of Sciences, Engineering, and Medicine to conduct a study to identify the risks and benefits of paying compensation to patients for sharing their personal health data for research purposes.

The Health Information Privacy Reform Act contains preemption provisions similar to HIPAA's: states will be permitted to strengthen privacy requirements should they so wish, although that could lead to a complex patchwork of privacy protections.

The HHS, in consultation with the FTC, will be authorized to enforce all provisions of the Health Information Privacy Reform Act, and may impose civil monetary penalties for noncompliance, in line with existing penalty structures.

Similar privacy laws have been proposed in the past to address the lack of privacy protections for non-HIPAA-covered health data, and there have been numerous attempts to pass a national data privacy law, all without success. It remains to be seen whether the Health Information Privacy Reform Act can gain sufficient support to get it over the line.
