PRIVACY-PENNSYLVANIA PRIVACY LAW-PENN MEDICINE SHARING INFORMATION WITH FACEBOOK ABOUT PATIENTS

Mohr v. Trs. of the Univ. of Pa., 2024 U.S. App. LEXIS 3963, 2024 WL 698074 (3rd Cir. February 24, 2024) (Porter, C.J.).

Plaintiffs filed a putative class action in state court against the Trustees of the University of Pennsylvania (Penn), which controls and operates the Hospital of the University of Pennsylvania Health System (Penn Medicine). Using mobile devices or desktop computers, patients can access and provide information to Penn Medicine. Plaintiffs allege that Penn Medicine shares patients’ identities, sensitive health information, and online activity from its patient portals with Facebook in violation of Pennsylvania privacy law. Penn removed the case to federal court, invoking the federal-officer removal statute, 28 U.S.C. § 1442(a)(1). It argued that, in operating Penn Medicine’s patient portals, it was “acting under” the federal government. The District Court rejected this argument and remanded the case to state court. We will affirm.

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Pub. L. No. 111-5, §§ 13001-13424, 123 Stat. 115, 226-79 (2009). Its goal was to encourage healthcare providers to adopt and use health information technology, such as electronic health records (EHR). See 42 U.S.C. § 300jj-11(b). In part, the HITECH Act directed the Department of Health and Human Services (HHS) to make incentive payments to any Medicare-participating provider that is a “meaningful EHR user.” 42 U.S.C. § 1395w-4(o)(1)(A)(i). Beginning in 2015, the law also instructed HHS to reduce Medicare reimbursements to any Medicare-participating provider that is “not a meaningful EHR user.” 42 U.S.C. § 1395w-4(a)(7)(A)(i).

In 2010, the Centers for Medicare and Medicaid Services (CMS), an agency within HHS, promulgated regulations to implement the HITECH Act and created a program called the Meaningful Use Program (the Program). 42 C.F.R. §§ 495.2-495.110. Under the Program, CMS created certain objectives and measures that providers must meet in order to qualify as a “meaningful EHR user” and thus receive incentive payments and avoid reductions in Medicare reimbursements. 42 C.F.R. §§ 495.20-495.24. For example, one objective is whether a provider uses health information technology to “provide[] patients . . . with timely electronic access to their health information,” which participating providers often accomplish through the use of an online patient portal. 42 C.F.R. § 495.24(d)(5)(i)(A).

Penn Medicine has operated an online patient portal since 2008. Starting in 2011, it began receiving incentive payments from the federal government for qualifying as a “meaningful EHR user” based on its patient portal meeting certain objectives and measures under the Program. And starting in 2015, Penn Medicine began avoiding any reduction in Medicare reimbursements by continuing to qualify as a “meaningful EHR user.”

In January 2023, Plaintiffs filed a putative class action against Penn in the Court of Common Pleas of Philadelphia County. According to the Plaintiffs, Penn Medicine’s patient portal surreptitiously allows Facebook’s Tracking Pixel software to access and collect confidential patient information from Penn Medicine’s patient portal and transfer it to Facebook’s servers. Facebook then allegedly processes and analyzes the patient data for targeted advertising. Plaintiffs assert that this transfer of confidential information to Facebook violates Pennsylvania privacy law.

In February 2023, Penn removed the case to federal court, invoking the federal-officer removal statute as a basis for jurisdiction. 28 U.S.C. § 1442(a)(1). It argued that, because Penn operates Penn Medicine’s patient portal to receive incentive payments under the Program and avoid reductions in Medicare reimbursements, it is “acting under” the federal government. Plaintiffs filed a motion to remand for lack of subject-matter jurisdiction, which the District Court granted. Penn appealed.

“Merely complying with federal laws and regulations is not ‘acting under’ a federal officer for purposes of federal-officer removal.” Maglioli, 16 F.4th at 404. That includes private parties who are “subject to detailed regulations and whose activities are highly supervised and monitored[.]” Id. (internal quotation marks and quoted source omitted). If the defendant’s relationship to the federal government sounds merely in “regulation, not delegation,” the defendant fails the “acting under” requirement. Watson, 551 U.S. at 157.