The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Meta Facing Scrutiny Over Use of Meta Pixel Tracking Code on Hospital Websites

Meta is facing further scrutiny of its privacy practices related to its Meta Pixel JavaScript code, which has been added to the websites and web applications of many U.S. hospitals to allow them to track user activity.

Meta Pixel is a snippet of JavaScript code that can be used by website owners for tracking user activity through the use of cookies. Meta Pixel collects any information contained in HTTP headers, button click data, form field names, and other user-specified data. Many website owners use the code to track activity to help them with website optimization, identifying trends, and improving the user experience on their websites and web applications.

Earlier this year, The Markup jointly published a report with STAT on the use of Meta Pixel code on the websites of U.S. hospitals. The study analyzed the websites of the top 100 hospitals in the United States and found that one-third used the code, and in some cases had added the code to their patient portals and appointment scheduling pages. The problem is that the data collected via this code snippet may be sent to Meta, and may include patients’ protected health information. Meta is not a business associate of HIPAA-covered entities, and under HIPAA compliance rules, any data transmitted to Meta would require patient consent. The investigation failed to find evidence that patient consent was obtained.

Following the publication of the report, at least 28 of the 33 hospitals identified by The Markup removed the code from their websites, and at least three have now issued notifications to patients about the privacy violations that (may) have occurred. Novant Health said the protected health information of 1.36 million patients had potentially been transmitted, and in the past few days, notifications have been issued by Advocate Aurora Health (3 million), and WakeMed Health and Hospitals (495,000). Several lawsuits have been filed against hospitals over the collection, impermissible disclosure, and use of data collected via Meta Pixel, which the lawsuits claim has been used to serve patients with targeted adverts related to their medical conditions.

Meta Scrutinized Over Data Collection and Sharing Practices

In a September 14, 2022, Senate Homeland Security and Governmental Affairs Committee hearing, Sen. Jon Ossoff (D-GA) questioned Chris Cox, Chief Product Officer for Meta Platforms, about the use of Meta code in connection with healthcare data. “There’s been substantial public reporting, controversy, and concern about the Meta Pixel product and the possibility that its deployment on various hospital systems’ websites, for example, has enabled Meta to collect private health care data,” said Ossoff. “We need to understand, as the U.S. Congress, whether or not Meta is collecting, has collected, has access to, or is storing, medical or health data for U.S. persons.” Cox said that to his knowledge, there had been no use of health or medical data by Meta.

Meta may have denied receiving or using data sent via Meta Pixel, but it has done little to assuage concern. On October 20, 2022, Sen. Mark R. Warner (D-VA) wrote to Meta CEO, Mark Zuckerberg, requesting information on the privacy practices of Meta with respect to the use of Meta Pixel tracking code on hospital websites. The letter came in the wake of the announcements by two more healthcare providers, Advocate Aurora Health and WakeMed, and the potential violation of the privacy of almost 3.5 million patients.

Sen. Warner explained in the letter that there is a need for user privacy and greater transparency about how data is collected online and used, and that this has become even more important with the increase in online appointment booking, telehealth, and electronic record-keeping due to the pandemic. He explained the need for strong safeguards to protect user privacy and keep sensitive medical information private, and that he is very concerned that sensitive information may be transmitted – without a website user’s knowledge – to Meta or Facebook simply by clicking a button on a form within a patient portal or an appointment scheduling page on a healthcare provider’s website. “This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments,” said Sen. Warner. Further, allegations have been made in at least two lawsuits that the data has been passed to third parties and used to serve targeted adverts.

Specifically, Sen. Warner has asked for answers to the following questions:

The North Carolina Attorney General has also recently confirmed that an investigation has been launched into the use of Meta Pixel tracking code on the websites of Triangle hospitals, including those operated by WakeMed and Duke University Health System. The confirmation came around a month after a lawsuit was filed alleging the improper use of the tracking tool, which has allowed data to be collected without authorization and has been used to serve targeted ads to patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
