Many hospital websites have installed a tracking tool that collects users' potentially sensitive health information and sends it to Facebook—a situation that health data security experts say may be a violation of HIPAA regulations, Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu write for The Markup/STAT+.
How Meta Pixel is tracking patients
After testing the websites of Newsweek's top 100 hospitals in America, the authors found 33 of them had installed a tracking tool called Meta Pixel, which sends Facebook a packet of data whenever someone clicks a button to schedule an appointment.
According to the authors, "[t]he Meta Pixel is a snippet of code that tracks users as they navigate through a website, logging which pages they visit, which buttons they click, and certain information they enter into forms," and more than 30% of the most popular websites use it in some form. In exchange for installing the tracker, organizations are provided with analytics about ads they've placed on Facebook and Instagram, as well as tools to target people who visit their websites.
The data collected by Meta Pixel is connected to an IP address and can generally be linked to a specific person or household. The information collected through the tracker varies but can include doctors' names, addresses, appointment times, medications, allergies, sexual orientation, and more.
"Almost any patient would be shocked to find out that Facebook is being provided an easy way to associate their prescriptions with their name," said Glenn Cohen, faculty director of Harvard Law School's Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics. "Even if perhaps there's something in the legal architecture that permits this to be lawful, it's totally outside the expectations of what patients think the health privacy laws are doing for them."
Overall, the 33 hospitals found using Meta Pixel on their websites accounted for more than 26 million patient admissions and outpatient visits in 2020, according to data from the American Hospital Association. However, the true number of patients impacted by this type of data tracking is likely much higher, the authors write, since only 100 hospitals were included in their initial analysis.
After being contacted by the authors with potential privacy concerns, several hospitals removed the pixel tracker from their appointment booking pages or patient portals. "Since our further examination of the topic is ongoing, we elected to remove the pixel for now to be sure we are doing everything we can to protect our patients' privacy while we are evaluating," said a spokesperson from one of the hospitals.
Could this type of data tracking violate HIPAA?
According to health data security experts, privacy advocates, and former regulators, hospitals that use Meta Pixel on their websites may be violating HIPAA since collected IP addresses could qualify as protected health information if linked to information about a person's health conditions, care, or payment.
Under the law, covered entities, including hospitals, are prohibited from sharing personally identifiable health information with third parties such as Facebook, unless under certain contracts or when an individual has expressly given consent in advance.
"I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it," said David Holtzman, a health privacy consultant and a former senior privacy adviser in HHS' Office for Civil Rights, which enforces HIPAA. "I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation."
This is not the first time hospitals' online data collection has come under scrutiny, with several class action lawsuits filed in different states over the last few years, the authors write. For example, in 2019, several patients filed a class action lawsuit against a Massachusetts-based health system, asserting that the organization violated their privacy by installing the Meta Pixel and other trackers on its websites. In January, the case was settled with the health system denying the claims and admitting no wrongdoing but paying $18.4 million to the plaintiffs and their attorneys.
For its part, Meta, Facebook's parent company, said it has implemented an information filtering system to remove any potentially sensitive data, including health information, from being stored.
"If Meta's signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems," said company spokesperson Dale Hogan.
However, following an investigation by the New York Department of Financial Services in February 2021, Meta told investigators the filtering system was "not yet operating with complete accuracy." According to privacy advocates, Meta's ineffectual filtering system "is a prime example … of the online advertising's industry inability to police itself," the authors write.
"The evil genius of Facebook's system is they create this little piece of code that does the snooping for them and then they just put it out into the universe and Facebook can try to claim plausible deniability,” said Alan Butler, executive director of the Electronic Privacy Information Center. "The fact that this is out there in the wild on the websites of hospitals is evidence of how broken the rules are." (Feathers et al., The Markup, 6/16; Feathers et al., STAT+ [subscription required], 6/16)