Hundreds of U.S. hospitals may be violating the Rules of the Health Insurance Portability and Accountability Act (HIPAA) by including the Meta Pixel tool on their websites, according to an investigation conducted by The Markup/STAT. The revelation has also sparked a lawsuit against Meta which alleges Meta is knowingly collecting and using the transferred data to serve targeted ads, has done nothing to ensure that consent to collect the data has been obtained by hospitals, and, as a result, the privacy of millions of patients has been violated.
Meta Pixel is a snippet of JavaScript code offered by Meta for use on websites. The tool records data of users of those websites and tracks what they did on the sites. That information is then sent to Meta/Facebook and is used to serve targeted ads. The issue is that if identifiable information is collected on a hospital website that includes information protected under HIPAA, in order to send that data to a third party for reasons other than treatment, payment, or healthcare operations, consent to do so would need to be obtained from patients. The third party that information is transferred to would also be classed as a business associate, would need to enter into a business associate agreement with the hospital, and would be bound by the HIPAA Rules.
According to the study, which was conducted on Newsweek’s top 100 U.S. hospitals, one-third of those hospitals had Meta Pixel on their websites and were sending sensitive data to Meta/Facebook, and 7 hospital systems were identified that had Meta Pixel within their password-protected patient portals. The types of information recorded included IP addresses, whether patients made an appointment, and, in some cases, details of their medical conditions/procedures. In the case of the latter, that information was sent when the patients selected items from drop-down boxes, such as pregnancy termination, diabetes, and Alzheimer’s disease. The study found no evidence of a business associate agreement with Meta/Facebook or consent being obtained from patients. Meta states in its terms and conditions that if sensitive data is determined to be transferred, it is stripped out and not used by its systems.
A lawsuit has been filed against Meta over the use of Meta Pixel on healthcare providers’ websites. At the time of filing the lawsuit, attorneys for the plaintiff alleged that at least 664 hospitals have been found to be using Meta Pixel on their websites and were sending data to Meta without obtaining consent from patients. The plaintiff, John Doe, is a patient of MedStar Health Inc in Maryland, is a Facebook user, and uses the patient portal for booking appointments, checking lab test results, and viewing his medical records. He used the portal at a time when MedStar Health allegedly used Meta Pixel on its website on the login page.
The lawsuit cites HIPAA and how it restricts transfers of identifiable protected health information and suggests violations, although MedStar Health is not named as a defendant in the lawsuit. The lawsuit also does not seek to take action against Meta over any HIPAA violation, but does allege Meta has violated state and federal laws including California’s Unfair Competition Law and the Invasion of Privacy Act, and the federal Electronic Communications Act.
The lawsuit alleges breach of contract, a violation of California laws covering good faith and fair dealing, negligent misrepresentation, intrusion upon seclusion, and a constitutional invasion of privacy. The lawsuit seeks class action status and includes “all Facebook users who are current or former patients of medical providers in the United States with web properties through which Facebook acquired patient communications relating to medical provider patient portals, appointments, phone calls, and communications associated with patient portal users, for which neither the medical provider nor Facebook obtained a HIPAA, or any other valid, consent.”
The lawsuit seeks a jury trial, compensatory and punitive damages, and attorneys’ fees.
