The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Costco Pharmacy Patients Sue for Website Tracking Technology Disclosures of PHI to Third Parties

Costco is one of the latest companies to be sued over the use of website tracking technologies. Many retailers use tracking code on their websites such as Meta Pixel and Google Analytics to gain information about the interactions of website visitors. These tools provide valuable information that can be used to improve websites and increase sales. The data collected by these tools is sent to the providers of the code, and in some cases, may be used to serve targeted advertisements.

Two lawsuits have recently been filed against Costco Wholesale over the use of these trackers on the Costco Pharmacy pages of the Costco website, which has allegedly impermissibly disclosed information protected under the Health Insurance Portability and Accountability Act (HIPAA). Both lawsuits claim that Costco encourages patients and prospective patients to use its pharmacy webpages, communicate about their prescriptions, conduct research on medications, order new prescriptions, request refills for current medications, inquire about specific immunizations, search for local Medicare supplemental insurance, and sign up for its Rx mail order program.

However, unbeknown to website visitors, their activities are being tracked and their sensitive data is being transferred to third parties. The information transferred is tied to individuals by identifiers such as their IP address and Facebook ID and allows the third parties to infer that an individual is being treated for a specific type of medical condition such as cancer, pregnancy, HIV, or mental health conditions, and they may be served targeted advertisements based on that information. Both lawsuits were filed in the U.S. District Court for the Western District of Washington at Seattle (R.S. v. Costco Wholesale Corporation and Castillo et al v Costco Wholesale Corporation). The lawsuits make similar claims: that the use of the tracking code without obtaining consent violates HIPAA, the Federal Trade Commission (FTC) Act, and federal and state wiretapping laws.

As a pharmacy operator, Costco is a HIPAA-covered entity and is required to comply with the HIPAA Rules. In December 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on HIPAA and website tracking technologies, prohibiting the use of these tools unless consent was obtained – in the form of a HIPAA-compliant authorization – or a business associate agreement was in place with the providers of these tools. Most providers of tracking technologies do not sign business associate agreements. The FTC has taken action for violations of the FTC Act against non-HIPAA-covered entities that have used tracking code on websites that collects and discloses health data. The FTC and OCR jointly sent letters to 130 entities this year warning them about the use of tracking tools on their websites and the compliance risks associated with these tools. The guidance issued by OCR makes it clear that the use of these tools violates HIPAA; however, that position is being challenged by the American Hospital Association and others, who recently filed a lawsuit against the Secretary of the HHS and the Director of OCR that seeks confirmation from the court that the guidance is unlawful and to prevent OCR from ever enforcing it.

The two lawsuits seek class action certification, a jury trial, financial damages for the imminent and ongoing harm caused, and injunctive relief prohibiting Costco from using these tools and engaging in further unlawful behavior. These are just two of many lawsuits that have been filed against healthcare organizations and Meta over these tracking tools, which have disclosed the data of tens of millions of individuals to third parties without consent. Recently, Advocate Aurora Health settled its Pixel-related class action lawsuit for $12.225 million.

Plaintiffs and class members in the R.S. v. Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC, and Gary M. Klinger, Alexandra M. Honeycutt & Glen L. Abramson of Milberg Coleman Bryson Phillips Grossman PLLC. Plaintiffs and class members in the Castillo et al v Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC and Ryan J. Ellersick and Hart L. Robinovitch of Zimmerman Reed LLP.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
