
Pixels on trial: Managing ECPA exposure in healthcare web tracking

Overview


Healthcare and healthcare-adjacent companies face a wave of litigation over the website tracking technologies ubiquitously used for analytics and advertising. Claims under the federal Electronic Communications Privacy Act (ECPA) and state wiretapping statutes are proliferating. These statutes carry statutory damages of between $5,000 and $10,000 per website visitor, plus attorneys’ fees and costs, which is a major reason these suits are becoming more common. Compounding the risk for healthcare companies, the case law is mixed, which has fueled innumerable shakedown threats and actual lawsuits. In light of this increasing litigation risk, now is the time to act and right-size risk tolerances within your organization.

In Depth


Background

State and federal wiretapping laws, which have been on the books for decades, were originally enacted to limit or prohibit the recording of audio and telephone conversations. Website tracking for analytics, advertising, and information gathering has likewise been common throughout the 21st century. So why is the risk higher now than it was a decade ago? Several factors contribute:

  • Plaintiffs firms pushing for expansive application of law
  • More plaintiffs bringing claims and seeking larger recoveries
  • A permissive initial pleading standard in court
  • New Office for Civil Rights (OCR) guidance that was issued, challenged, modified, and still remains unclear
  • Legislatures failing to heed calls to update wiretapping laws to stem the tide of litigation

We have previously written about the risks that website tracking technologies can pose to healthcare organizations – particularly where pixels may disclose protected health information (PHI) to third parties without HIPAA business associate agreements (BAAs) and because federal guidance leaves critical compliance questions unresolved. But the earlier buzz of risk has become a blaring klaxon. Healthcare clients are seeing dozens of prelitigation letters a week, approximately 1,000 lawsuits have been filed in court (not counting arbitration filings) in the past two years, and there is no end in sight. While healthcare companies subject to HIPAA were the original focus, plaintiffs are increasingly leveraging ECPA and its state counterparts against health-adjacent companies that fall outside HIPAA’s perimeter, including digital health platforms, data brokers, and consumer-facing retailers handling health-related data.

How can organizations respond? As discussed below, they can pair a clear understanding of how HIPAA and wiretapping laws apply to their website tracking practices with practical, business-aligned controls.

Case law is mixed: What courts are doing and why it matters

Courts have reached divergent conclusions on how ECPA and state wiretapping statutes intersect with healthcare privacy obligations and whether HIPAA-related conduct can trigger wiretapping liability. The results depend heavily on how individual judges interpret the interplay between privacy and wiretapping doctrines. Plaintiffs are exploiting these divisions, chasing forums where more favorable outcomes have been more common.

A growing number of courts are permitting wiretapping claims to proceed where the defendant healthcare company controlled the deployment of tracking technology on its own website or patient portal. For example, in a recent case involving an Illinois health system, the court allowed an ECPA claim to survive where the defendant allegedly deployed Google tracking tools on its own website. Similarly, in Nienaber v. Overlake Hospital Medical Center, the court permitted claims to proceed against healthcare entities allegedly deploying tracking technologies on websites they controlled. These courts have generally reasoned that deploying third-party tracking technologies on patient-facing pages without a BAA in place with the tracking company could violate HIPAA, and that the alleged violation supplies the predicate for ECPA liability: ECPA’s one-party consent exception does not protect an interception made for the purpose of committing a criminal or tortious act, so the healthcare company’s own consent to the tracking does not shield it.

While a growing number of courts are permitting ECPA claims to proceed, this is not a uniform outcome. Several courts have rejected attempts to extend wiretapping liability in more attenuated circumstances. For example, the US Court of Appeals for the Seventh Circuit made clear in Doe v. GTE Corp. that ECPA does not include a theory of aiding and abetting liability (unlike some state wiretapping laws, such as the California Invasion of Privacy Act). And, as demonstrated in B.K. v. Eisenhower Med. Ctr., courts have been unwilling to impose ECPA liability based solely on the disclosure of information protected by HIPAA unless the plaintiff plausibly alleges that the defendant intercepted the communication for the purpose of committing a tortious or criminal act separate from the interception itself.

What does this doctrinal uncertainty tell us? Venue selection and judicial assignment matter – substantially. Each can shape a case’s trajectory, influencing everything from the likelihood of early dismissal to the scope of discovery. The best strategy given this uncertainty and growing litigation risk is for companies to build compliance frameworks grounded in a strong factual record and align litigation strategy with the jurisdictions most relevant to their user base.

Before we turn to risk mitigation, however, note that the issues discussed in this article also raise potential healthcare regulatory compliance concerns under HIPAA and the California Confidentiality of Medical Information Act. While regulators have been slower to act, sharing patient data with third-party tracking companies without a BAA could be a violation of HIPAA, triggering breach reporting requirements. While these regulatory risks are not the focus of this article, they are important to keep in mind when designing a risk mitigation framework.

Practical options to mitigate risk

Healthcare companies have a range of options for addressing this growing litigation risk. The “right” answer for a company depends on a variety of factors, including risk tolerance, ROI driven by tracking technologies on the website, and willingness of third parties to enter into BAAs.

Disable third-party tracking technologies. This is the most conservative approach. Disabling tracking technologies on authenticated pages or those that are clearly patient facing (e.g., appointment booking and finding a provider) stops the contested data flows that have driven recent litigation. The business tradeoff can be significant: loss of conversion insights, user journey optimization, and data-driven product decision-making. For digital health companies in active growth or iteration phases, that cost may be a nonstarter.

Deploy an opt-in consent banner. A targeted alternative – particularly well suited to public-facing marketing pages – is an opt-in consent banner that requires affirmative user action before any tracking technology fires. The risk profile here differs meaningfully from authenticated environments: Cookies and pixels deployed on main landing pages, before any user authentication, generally are not processing PHI, because the data collected is not tied to an individual’s receipt of healthcare from a covered entity. That distinction narrows the HIPAA exposure on those surfaces and makes a properly engineered opt-in banner a defensible mechanism for capturing consent to the analytics and advertising tools that could otherwise give rise to ECPA claims. “Properly engineered” means the tags are neither loaded nor fired until the user accepts, a dismissed or ignored banner is treated as no consent, and the banner’s behavior is verified against what the tag manager actually does on the page rather than what it is configured to do.
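To make “requires affirmative user action before tracking technologies fire” concrete, the following is an added example, not code from the original alert or from any consent-management product. It gates third-party tag loading on two independent checks: the page is not an authenticated or patient-facing surface (the disabling approach described above), and the visitor has affirmatively opted in. The path prefixes, the tracking_consent cookie, and the tag URL are assumptions for illustration.

```javascript
// Added example (not from the original alert): a consent-gated loader for
// third-party tags. No tag fires unless the page is outside the patient-facing
// surfaces AND the visitor has affirmatively opted in. Path prefixes, cookie
// name and tag URLs are assumptions for illustration.

// Constructed list of path prefixes treated as patient facing (authenticated
// portal, appointment booking, provider search). Maintain with privacy review.
const PATIENT_FACING_PREFIXES = [
  "/portal/",
  "/appointments/",
  "/find-a-provider",
  "/my-chart/",
];

// Assumed consent cookie, written only by the banner's explicit "Accept" click:
//   tracking_consent=granted | tracking_consent=denied
// A missing cookie (banner dismissed, ignored, or never shown) is NOT consent.
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "tracking_consent") {
      return rest.join("=") === "granted" ? "granted" : "denied";
    }
  }
  return "unknown";
}

function isPatientFacing(pathname) {
  const p = (pathname || "/").toLowerCase();
  return PATIENT_FACING_PREFIXES.some((prefix) => p.startsWith(prefix));
}

// Single decision point, returning the reason so it can be logged for the
// compliance record. Surface checks run first: consent never unlocks tags on
// authenticated or patient-facing pages.
function trackingDecision(pathname, cookieHeader, isAuthenticated) {
  if (isAuthenticated) {
    return { allow: false, reason: "authenticated_session" };
  }
  if (isPatientFacing(pathname)) {
    return { allow: false, reason: "patient_facing_surface" };
  }
  const consent = parseConsentCookie(cookieHeader);
  if (consent === "granted") {
    return { allow: true, reason: "opt_in_consent" };
  }
  return {
    allow: false,
    reason: consent === "denied" ? "consent_denied" : "no_consent_recorded",
  };
}

// Inject the vendor scripts only when the decision allows it. `doc` is passed
// in (pass `document` in a browser) so the logic can be exercised outside one.
function loadTrackers(doc, pathname, cookieHeader, isAuthenticated, tagUrls) {
  const decision = trackingDecision(pathname, cookieHeader, isAuthenticated);
  if (!decision.allow) {
    return { ...decision, loaded: 0 };
  }
  for (const url of tagUrls) {
    const script = doc.createElement("script");
    script.async = true;
    script.src = url;
    doc.head.appendChild(script);
  }
  return { ...decision, loaded: tagUrls.length };
}

// Browser usage (assumed page globals; the session flag is hypothetical):
// loadTrackers(document, location.pathname, document.cookie,
//   Boolean(window.__sessionUserId), ["https://vendor.invalid/tag.js"]);
```

Two design choices matter for the litigation record: the surface check runs before the consent check, so an accepted banner never unlocks tags on portal or booking pages; and a missing cookie is treated the same as a denial, so a banner that was dismissed, ignored, or rendered after a tag manager had already fired does not produce an inferred consent.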

Avoid third-party tracking technologies without a BAA. Under HIPAA, covered entities may use and disclose PHI without written authorization for treatment, payment, and healthcare operations when working with business associates, provided a BAA governs the handling of PHI – including downstream agreements for subcontractors. This makes the existence of BAAs critical to classifying internal analytics as healthcare operations. Specifically, internal website analytics performed by a vendor operating under a downstream BAA can fall within healthcare operations.

But a BAA alone is not enough. Many client-side tracking tools send data straight from the visitor’s browser to the vendor, so the covered entity never sees or filters what leaves (full URLs, query strings, IP addresses, device identifiers) and cannot verify that the transfer meets HIPAA’s expectations for protecting PHI in transit; a BAA cannot fix a noncompliant data flow. The stronger approach combines BAA coverage with server-side tracking, which gives the covered entity greater control over what data leaves its environment and how it is transmitted. Covered entities should also bring analytics vendors and related protocols into their broader HIPAA compliance program, including the Security Risk Analysis, vendor risk management, incident response planning, and periodic reassessment, rather than treating analytics as a marketing function outside the security perimeter.
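As an added illustration of what “greater control over what data leaves its environment” looks like in practice (example code, not the firm’s or any vendor’s), the following first-party collector receives page-view events from the site’s own script and forwards only an allowlisted, scrubbed subset to the vendor. The field names, suppressed paths, and vendor endpoint are assumptions.

```javascript
// Added example (not from the original alert): a first-party collector that
// receives page-view events from the site's own JavaScript and decides what,
// if anything, is forwarded to an analytics vendor. Field names, suppressed
// paths and the vendor endpoint are assumptions for illustration.

// Only these inbound fields may pass through unchanged. Anything else the
// browser sends (email, patient_id, ip, user_agent, form values) is dropped.
const PASS_THROUGH_FIELDS = new Set(["event", "ts"]);

// Assumed: events from these surfaces never leave the environment, whatever
// the client-side gating did.
const SUPPRESSED_PREFIXES = ["/portal/", "/appointments/", "/my-chart/"];

// Assumed vendor endpoint (HTTPS only); the sender is injected below.
const VENDOR_ENDPOINT = "https://analytics-vendor.invalid/collect";

// Reduce a URL to a path with no query string or fragment (where search terms,
// names and record numbers tend to appear) and with numeric or UUID-like
// segments replaced by a placeholder. This is a heuristic; the suppression
// list above, not this scrubbing, is the control that keeps PHI off the wire.
function scrubPath(rawUrl) {
  const u = new URL(rawUrl, "https://site.invalid"); // base for relative paths
  const idLike = /^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;
  const path = u.pathname
    .split("/")
    .map((seg) => (idLike.test(seg) ? ":id" : seg))
    .join("/");
  return path || "/";
}

function referrerHost(referrer) {
  try {
    return new URL(referrer).hostname; // host only, never the full referrer
  } catch {
    return "";
  }
}

// Build the outbound payload, or return null when the event must not be sent.
function buildOutboundEvent(inbound) {
  const path = scrubPath(inbound.url || "/");
  if (SUPPRESSED_PREFIXES.some((prefix) => path.startsWith(prefix))) {
    return null;
  }
  const out = {};
  for (const [key, value] of Object.entries(inbound)) {
    if (PASS_THROUGH_FIELDS.has(key)) out[key] = value;
  }
  out.page_path = path; // scrubbed path, never the raw URL
  out.referrer_host = referrerHost(inbound.referrer || "");
  return out;
}

// Forward through the injected sender (in production, an HTTPS client).
// Returns true when something was sent.
function forwardEvent(inbound, send) {
  const payload = buildOutboundEvent(inbound);
  if (payload === null) return false;
  send(VENDOR_ENDPOINT, JSON.stringify(payload));
  return true;
}

// Constructed sample event, as the site's own script might POST it:
const SAMPLE_EVENT = {
  event: "page_view",
  ts: 1700000000,
  url: "/conditions/diabetes/12345?q=insulin+dose#refill",
  referrer: "https://www.google.com/search?q=insulin",
  patient_id: "12345", // must never be forwarded
  email: "patient@example.invalid", // must never be forwarded
};
```

The allowlist is the primary control: fields the browser happens to send (patient identifiers, e-mail addresses, form contents) are dropped because they were never permitted, not because a filter recognised them. Path scrubbing is a secondary heuristic and should not be relied on to remove PHI from URLs; keep those surfaces on the suppression list instead. Server-side collection also means the vendor’s script never runs in the patient’s browser, so it cannot read cookies, form fields, or the page on its own.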

Require HIPAA-compliant authorizations. A more moderate – but still conservative – approach is to obtain written authorizations that explicitly permit internal analytics and related vendor disclosures. This enhances transparency, strengthens patient trust, and reduces the risk that regulators or courts will reject healthcare operations or administrative services justifications.

However, there are tradeoffs. Authorizations are more complex than standard consent mechanisms. They introduce friction into onboarding flows and require precise content, robust process controls, and ongoing recordkeeping. Additionally, adoption rates may be lower than desired, potentially limiting analytics representativeness and complicating experimentation.

Develop internal analytics. Although more time- and cost-intensive, this approach effectively eliminates the risk that is driving most of the wiretapping litigation against healthcare companies. With no third party involved, there is no “interception” of information that could serve as a hook for legal claims. The analytics data itself remains PHI, however, and must be protected under the organization’s existing HIPAA safeguards.

* * *

The above is a nonexhaustive list of approaches that healthcare companies can consider taking to mitigate the continually growing risk of litigation regarding the use of website tracking technologies. The pathway that a company ultimately picks should reflect a careful balancing of risk and business tolerances.

Conclusion

The emergence of ECPA and state wiretapping claims against healthcare companies has created a demanding risk environment. Mixed jurisprudence and an active plaintiffs’ bar indicate that this risk will continue for the foreseeable future. Healthcare companies – especially digital healthcare companies that rely on website technologies – should ensure that their use of website tracking technologies accurately reflects the desired risk approach.

If you have questions or would like to discuss wiretapping risks, please contact your regular McDermott Will & Schulte lawyer or one of the authors of this alert. You can also visit our Cookies Compliance Toolkit for more information.