Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement

Posted by Steve Alder

Another healthcare provider has agreed to settle a class action lawsuit over its use of Meta Pixel and other third-party analytics and tracking tools on its website. Children’s Hospital Medical Center of Akron, doing business as Akron Children’s Hospital, was alleged to have added these tools to its website, but their use and implementation resulted in website visitors’ personally identifiable information being disclosed to Facebook and other third parties without the web visitors’ knowledge or consent.

On January 5, 2024, plaintiff John Doe filed a lawsuit – Doe v. Children’s Hospital Medical Center of Akron – against Akron Children’s Hospital in the Court of Common Pleas, Summit County, Ohio, individually, and as next friend of minors A.D., B.D., and C.D., and other similarly situated individuals. The plaintiff alleged that his own PII and that of his minor children and other individuals was disclosed to third parties such as Meta (Facebook), Google, and others without their knowledge or consent, resulting in an invasion of privacy.

In addition to invasion of privacy – intrusion upon seclusion, the lawsuit asserted claims of negligence, negligence per se, breach of confidence, unjust enrichment, and interception and disclosure of electronic communications. Akron Children’s Hospital denies all claims asserted in the lawsuit and all allegations of wrongdoing and liability; however, it attempted mediation to avoid further litigation costs and the uncertainty of a jury trial. While initial mediation efforts failed, after several months of negotiation, a settlement was agreed that was acceptable to all parties. The settlement agreement has now received preliminary approval from Judge Alison McCarty.

The settlement agreement addresses the harm caused by the alleged data disclosure, the potential for future harm, and economic losses incurred by the plaintiffs and the 313,700 class members. All class members will be entitled to claim a one-time cash payment of $19 and will be provided with two years of credit monitoring and identity theft protection services, which include dark web monitoring, lost wallet assistance, a $1 million identity theft insurance policy, and fully managed identity theft restoration and advisory services.

Akron Children’s Hospital will also pay attorneys’ fees, costs, and expenses, settlement administration costs, service awards for class members, and has agreed to injunctive relief, which includes the removal of pixels from its public-facing website, and a commitment not to add pixels to its patient portal or any forms on its public-facing website. Akron Children’s Hospital is permitted to use pixels that are essential for website functionality and may use HIPAA-compliant third-party companies in the future for analytics functions, provided a business associate agreement is in place.

The deadline for exclusion from the settlement, objection, and submitting a claim is September 29, 2025. The final approval hearing has been scheduled for October 10, 2025.

The post Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement appeared first on The HIPAA Journal.

Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations

Posted by Steve Alder

On August 26, 2025, Robert F. Kennedy Jr., Secretary of the U.S. Department of Health and Human Services (HHS), delegated the authority to administer and enforce the Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (Part 2) to the HHS’ Office for Civil Rights (OCR).

OCR is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, ensures the confidentiality, integrity, and availability of personally identifiable health information collected, stored, maintained, or transmitted by HIPAA-regulated entities. The HIPAA Rules have provisions concerning data security and uses and disclosures of personally identifiable information related to past, present, and future health; however, due to the high level of sensitivity of SUD records, they are afforded greater protection under the Part 2 regulations.

The Part 2 regulations were promulgated in 1975 to ensure that patients receiving treatment for a SUD in a Part 2 Program do not face adverse consequences related to criminal proceedings and domestic proceedings such as child custody, divorce, or employment. The Part 2 regulations restrict uses and disclosures of SUD records, which are kept separate from other health records, such as those regulated by HIPAA. Generally, Part 2 Programs are prohibited from disclosing any information that could identify a person as having or having had a SUD without written consent.

While there are important reasons for greater protections for SUD records, having two sets of regulations for different types of health information creates compliance challenges. The two sets of regulations hamper care coordination, stifle information sharing, and may put patients at risk. For instance, the separation of SUD records from general health records could result in a physician making a treatment decision based on incomplete information, such as prescribing opioids to a patient recovering from opioid addiction.

There have been growing calls for the Part 2 regulations to be more closely aligned with HIPAA to improve care coordination and address some of the current compliance challenges. In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was enacted, which directed the HHS to engage in further rulemaking to better align the Part 2 regulations with HIPAA. The HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR, issued a Final Rule in 2024 implementing changes to better align the two sets of regulations to improve care coordination, strengthen confidentiality protections through civil enforcement, and align certain requirements of the Part 2 regulations with HIPAA. The compliance deadline for the Final Rule is February 16, 2026.

Two of the changes relate to privacy violations and data breaches. The Final Rule gives individuals the right to file complaints about violations of the Part 2 regulations, and the subject of SUD records must be notified about breaches of their Part 2 records, as is the case for violations of HIPAA and breaches of HIPAA-covered data. RFK Jr. has now delegated the administration and enforcement responsibilities of the Part 2 regulations to OCR. The Director of OCR has the authority to redelegate those responsibilities.

Specifically, per the Secretary’s Statement of Delegation of Authority published in the Federal Register on August 27, 2025, OCR will be able to:

  • Enter into resolution agreements, monetary settlements, and corrective action plans, or impose civil money penalties for failures to comply with the requirements of Part 2 regulations, as amended by the Final Rule
  • Issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with the Part 2 regulations, as amended by the Final Rule
  • Make decisions regarding the interpretation, implementation, and enforcement of the Part 2 regulations, as amended by the Final Rule

The post Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations appeared first on The HIPAA Journal.