Does Your Website Violate HIPAA?  Compliance Considerations Related to the Meta Pixel.

Health care providers should ensure that their websites are not improperly disclosing patient data to tech companies.  One specific issue to consider is the Meta Pixel, which is a website tracking tool created by Meta Platforms, Inc., the corporate parent of Facebook and Instagram. The Meta Pixel enables websites to collect user data, and may be present in password-protected portals of health care provider websites. Patient information could be shared with Facebook when patients click to schedule an appointment. This sharing is particularly troubling as any patient information received through Meta Pixel can be linked to the user’s IP address, aiding identification.

A class action lawsuit currently pending in the U.S. District Court for the Northern District of California, alleges that Meta knowingly mined data via the Meta Pixel, resulting in data regarding patient health conditions being shared with Facebook. That data was then allegedly used to generate targeted advertising for patients on Facebook and across other websites. The complaint identified at least 664 hospitals or medical provider properties where the Meta Pixel is used. In a second class action, also filed in U.S. District Court for the Northern District of California, the plaintiff made similar claims that her health information and other personal data were harvested by the Meta Pixel, resulting in advertising tailored to her health conditions appearing on her Facebook page and being sent to her in emails and text messages.

These lawsuits come amid increasing concerns for the health data practices of tech companies, apps, and other platforms, which have been the subject of recent Congressional inquiries. An investigation revealed that 33 of the top 100 hospitals in the U.S. use the Meta Pixel on their websites, highlighting the need for health care entities to take steps to safeguard their health-related data, both on public-facing websites and within patient portals.

Looking ahead, it is crucial that health care providers review their websites and integrated applications—both public-facing and patient portals—to identify privacy risks and implement appropriate safeguards. Health care providers should also stay up-to-date on their obligations to provide patients with notice and obtain applicable authorizations where patient health information is being disclosed to outside entities.

For entities looking for resources, the Office for Civil Rights of the U.S. Department of Health and Human Services recently released a Bulletin to highlight the HIPAA compliance obligations of covered entities and business associates when using online tracking technologies. The Bulletin can be accessed here:

Ogden Murphy Wallace’s Health Care practice group will continue to monitor developments around health care provider privacy and data security obligations and recommended best practices for compliance. 

This update is a summary of a complex topic that is subject to change at any time and should not be relied upon in lieu of legal advice. If you have any questions or require guidance, please contact Lee Kuo, Casey Moriarty, or Adriana Lein.