Online tracking technology litigation risks evolve for health care organizations
Health care and life sciences organizations continue to face significant litigation risk tied to their use of third-party online tracking technologies. While U.S. regulatory enforcement at the federal level has slowed under the current administration, HIPAA-regulated organizations have become a central target for private litigants and other claimants. Litigants continue to pursue claims against life sciences organizations under wiretap and pen register statutes, consumer protection laws, and common law claims.
As part of this litigation wave, claims under the federal Wiretap Act have featured prominently, and can lead to substantial statutory damages. The Act contains a robust one-party consent defense that often can be used to shield website operations from liability. But, in the context of HIPAA-regulated organizations using third-party tracking technologies, plaintiffs allege that such usage violates HIPAA, and therefore triggers the Act's "crime-tort exception" to consent.
Plaintiffs had previously pointed to guidance by the U.S. Department of Health and Human Services, which indicated that use of tracking technologies by HIPAA-regulated organizations on their public websites could still create HIPAA compliance issues. The federal court in AHA v. Becerra vacated significant portions of that guidance, but some district courts have still declined to treat that decision as controlling on the question of HIPAA compliance. Plaintiffs continue to argue that transmission of website data to third-party technology providers violates HIPAA and invades their privacy. And the reluctance of some courts to shut the door on these wiretap claims creates potential exposure for life sciences companies and other health care organizations.
Health care and life sciences organizations can navigate evolving litigation risks and strengthen their compliance posture by developing and implementing sound governance strategies. While not dispositive of HIPAA-based claims, one way to mitigate risk is to enhance disclosures and consent mechanisms. A number of organizations have deployed "cookie banners" both to provide notice to website visitors about the use of third-party tracking technologies and to obtain consent. A new raft of lawsuits has targeted these banners, alleging that they do not work properly. Misconfigured banners create additional risk, as plaintiffs have asserted that their privacy choices, opting out of tracking, were not honored.



