Many healthcare organizations are facing legal scrutiny over alleged improper gathering and disclosure of sensitive information via a tracker called the Facebook/Meta Pixel (“Meta Pixel”). An investigation by The Markup in June 2022 found that 33 of the top 100 hospitals in the United States use the Meta Pixel on their websites.

A Meta Pixel is a small piece of JavaScript code, commonly referred to as a web beacon, that allows you to track visitor activity on your website. Many hospitals and health systems have these web beacons embedded on their websites and inside password-protected patient portals. According to recently filed class action lawsuits, the web beacons have been collecting patients’ personally identifiable information (PII) and personal health information (PHI) – including details about their medical conditions, prescriptions, and appointments – and transmitting that information directly to Meta (formerly known as Facebook). Meta, in turn, has allegedly been sending targeted ads to these individuals based on the PHI collected via the Meta Pixels on the healthcare provider’s website. Many of these lawsuits include civil and criminal causes of action against the healthcare defendants.

The unauthorized access, use, or disclosure of PII and/or PHI to third parties also creates the potential for regulatory enforcement actions. The Health Insurance Portability and Accountability Act (HIPAA) is front and center for the healthcare industry. HIPAA specifically prohibits covered entities, like hospitals, from sharing PHI with third parties like Meta, except when the individual has expressly consented in advance or certain contracts are in place. Unless the healthcare organizations involved had the patients’ express consent or had appropriate contracts in place, the activity at issue in the lawsuits may also be a violation of HIPAA. In addition to HIPAA, several other international and domestic privacy laws prohibit unauthorized disclosure of personal data to third parties except in certain circumstances.

The investigation and resulting report from The Markup will likely lead to more litigation and regulatory investigations involving healthcare organizations that use Meta Pixels and other tracking tools. Below are a few takeaways for healthcare organizations to consider:

Tips & Takeaways:

  • Review Policies/Procedures around Pixels/Web Beacons: Legal/compliance teams should work closely with IT and/or InfoSec teams to ensure that any pixels/web beacons on websites are properly configured to not run afoul of any international and domestic privacy laws.
  • Conduct an Audit of your Organization’s Privacy Policies: Audit your organization’s privacy policies, both internal and external-facing. Ensure your organizational policies that involve handling customer and corporate data are updated and aligned with current privacy regulations.
  • Privacy Regulations and Enforcement Activity are Rapidly Accelerating: Domestically and internationally, the privacy regulatory environment has been on a fast track for several years. Many broad-based domestic and international privacy regulations have been signed into law in recent years and are gearing up for enforcement in 2023. Make sure you are ready!
  • Review Risk Transfer Mechanisms: Technology is evolving at warp speed. Changes in technology can impact the strength and effectiveness of risk transfer mechanisms. Take the time to review, and perhaps refresh, contract and insurance-based risk transfer mechanisms.
  • Remember: Data Governance is a Team Sport! Developing a solid and effective data governance program requires collaboration and cooperation across several teams within an organization.


Kelly Geary, Esq., CIPP US, is a Managing Principal with EPIC based in the New York City area. In addition, she serves as the National Practice Leader – Executive Risk and Cyber/Professional Services and Coverage Counsel & Claims Leader for Lemme, a division of EPIC.
