As a provider, a question worth asking yourself these days is this: what degree of risk is there that you might have something on your website that could lead to a multi-million-dollar class-action lawsuit and a determination by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that you violated the Health Insurance Portability and Accountability Act (HIPAA)?
As anyone who has seen the pop-up banners on many websites over the past few years knows, websites often use “cookies,” small packets of data, to track activities on the site. Sometimes, these cookies also share information with third parties.
Social media and online ad companies provide some of the most common cookies and other tracking tools to website owners. “Meta Pixel,” provided by Meta – Facebook’s parent company – and Google Analytics are among the most ubiquitous. But nearly every social media company, such as LinkedIn, Snapchat, TikTok, Twitter-slash-X, offers something.
These cookies are often used to figure out how effective advertising campaigns and websites are at driving people to sites and then prompting them to take certain actions, such as buying a product – or, potentially, making an appointment with a doctor.
In the process, these tools often send information back to a third party, such as Meta or Google.
And here’s where OCR and some plaintiffs think there might be a problem.
In the past year, dozens of class-action lawsuits have been filed against healthcare entities because of their websites’ use of Meta Pixel and other tools. We have four in federal court just here in Minnesota, where I am.
So far, these lawsuits have mostly targeted hospital systems. But they are starting to target smaller entities. For example, one was recently filed against a small clinic in Florida.
The central claim is that healthcare entities cannot share information people provide on their websites. Tracking technologies do that.
So, what’s the risk?
An older, similar case settled for $18.4 million.
One of the newer cases settled about a month ago for more than $12 million.
But on the other hand, federal courts have also dismissed (or mostly dismissed) several cases in the last few months.
Because these lawsuits are so new, it’s hard to say what the risk will ultimately be.
Unfortunately, the risk is not just a lawsuit. OCR issued guidance in December 2022 related to these tools. It took the position that many practices and uses of tracking technologies are barred by HIPAA’s Privacy Rule. It reminded readers that civil penalties may apply if the use violates HIPAA. Fortunately, it also gave some examples of where HIPAA does not apply.
If David Glaser were here, he would remind us that guidance is only guidance. It is not the law.
And one federal judge recently ruled that OCR’s interpretation, and I quote, “goes well beyond the meaning of what the statute can bear.”
So, what can you do to reduce your risk?
Start by evaluating:
Ultimately, it is tough to say what the full risk is. Situations vary, and it may be fact-sensitive. And all this action regarding healthcare cookies is still new and changing.
So, while I’m not sure if it’s because my 3-year-old just discovered the glories of Sesame Street, or because I spend a lot of time thinking about cookies on my clients’ websites, either way, the Cookie Monster’s song “C is for Cookie” has been stuck in my head recently.
Cookie Monster sings, “C is for Cookie, that’s good enough for me.”
Cookie Monster is right:
C is for Cookie, and that might be good enough for Cookie Monster.
But C is also for “Class Action Lawsuit.”
Or a “Complaint” filed with the Office for Civil Rights.
Go get yourself a cookie to eat, and then check in on your website’s cookies.
EDITOR’S NOTE: This column features spoilers for the current season of The Pitt, and the sentiments reflected therein are the author’s own – not necessarily
A few weeks ago, Dr. Ron (Ronald Hirsch, MD) wrote about a situation in which members of a utilization review (UR) staff were uncomfortable with
Please log in to your account to comment on this article.
Breast biopsy procedures may be clinically straightforward but accurately translating them into compliant billing can be anything but. In this focused webcast, Shawn Blackburn, CPC, CPMA, CIC, CRC, CCS-P breaks down how imaging guidance, lesion count, laterality, and payer expectations all impact how these procedures should be reported. Through clear explanations and real-world scenarios, you’ll gain practical insight into aligning clinical workflows with billing requirements, avoiding common pitfalls, and ensuring your documentation supports accurate reimbursement and compliance.
Gain clarity and confidence in OB‑GYN coding with this expert‑led webcast featuring Sherri L. Clayton, RHIT, CSS. You’ll learn how to apply global maternity package rules accurately, select the right CPT codes for procedures and visits, and identify documentation gaps that lead to denials. With practical guidance and real examples, this session helps you strengthen compliance, reduce audit risk, and ensure accurate reimbursement for women’s health services.
Uncover essential coding insights with nationally recognized coding authority Kay Piper, RHIA, CDIP, CCS. Through ICD10monitor’s interactive, on‑demand webcast series, Kay walks you through the AHA’s 2026 ICD‑10‑CM/PCS Quarterly Coding Clinics, translating each update into practical, easy‑to‑apply guidance designed to sharpen precision, ensure compliance, and strengthen day‑to‑day decision‑making. Available shortly after each official release.
Uncover critical guidance on the ICD-10-CM/PCS code updates. Kay Piper reviews and explains ICD-10-CM/PCS coding guidelines in the AHA’s fourth quarter 2026 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Traditional utilization management models can no longer keep pace with regulatory shifts, payer scrutiny, and operational pressures. In this webcast, Tiffany Ferguson, LMSW, CMAC, ACM, ACPA-C, introduces an Adaptive Model strategy that modernizes UM through role specialization, technology-driven workflows, and proactive, team-based processes. Attendees will learn how to restructure programs to improve efficiency, strengthen clinical collaboration, and enhance financial performance in a rapidly changing healthcare environment.
Federal auditors are intensifying their focus on inpatient psychiatric facilities, using advanced data analytics to spotlight outliers and pursue high‑dollar repayments. In this high‑impact webcast, Michael Calahan, PA, MBA, Compliance Officer and V.P., Hospital & Physician Compliance, breaks down what regulators are really targeting in IPF-PPS admissions, documentation, treatment and discharge planning. Attendees will learn practical steps to tighten processes, avoid common audit triggers and protect reimbursement and reduce the risk of multimillion-dollar repayment demands.
In this timely session, Stacey Shillito, CDIP, CPMA, CCS, CCS-P, CPEDC, COPC, breaks down the complexities of Medical Decision Making (MDM) documentation so providers can confidently capture the true complexity of their care. Attendees will learn practical, efficient strategies to ensure documentation aligns with current E/M guidelines, supports accurate coding, and reduces audit risk, all without adding to charting time.
Join Ronald Hirsch, MD, FACP, CHCQM for The PEPPER Returns – Risk and Opportunity at Your Fingertips, a practical webcast that demystifies the PEPPER and shows you how to turn complex claims data into actionable insights. Dr. Hirsch will explain how to interpret key measures, identify compliance risks, uncover missed revenue opportunities, and understand new updates in the PEPPER, all to help your organization stay ahead of audits and use this powerful data proactively.
Celebrate Lab Week with MedLearn! Sign up to win one year of our Laboratory All Access Pass! Click here to learn more →
Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →
BLOOM INTO SAVINGS! Get 25% OFF during our spring sale through March 27. Use code SPRING26 at checkout to claim this offer.
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 1 with code CYBER25
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
