New healthcare privacy challenges as online data tracking, sharing methods evolve

With security concerns, including a potential breach and a class-action suit, around Meta Pixel and other web tracking tools, health systems should be considering "all the ways PHI may be used, disclosed and accessed," says a former OCR investigator.
By Mike Miliard
12:39 PM

This past June, a John Doe plaintiff who was a patient at Baltimore-based Medstar Health System filed a class-action complaint against Meta Platforms in the U.S. District Court for the Northern District of California.

The plaintiff alleged that Meta, the parent company of Facebook, was using its Pixel tracking technology to access patient information from websites and portals of hospitals and health systems for targeted marketing.

Since then, at least two other class-action suits have been filed against Meta alleging illegal information harvesting. And several major U.S. health systems have either been named as co-defendants (Dignity Health, UCSF) or faced lawsuits themselves (Northwestern Memorial Hospital) for alleged misuse or misconfiguration of the Pixel tool.

Meanwhile, in August, Novant Health disclosed a data breach related to the Java tracking script that may have affected 1.3 million individuals. And in October, Advocate Aurora Health said as many as 3 million users of its MyChart patient portal and LiveWell website and app may have had their data transmitted via Pixel technology.

In addition to the class-action suits, legislators on Capitol Hill are taking notice. On October 20, U.S. Sen. Mark R. Warner, D-Virginia, sent a letter to Meta CEO Mark Zuckerberg with a series of pointed questions about the company's data tracking policies.

Hospitals and health systems now have some questions to ask of themselves about how their websites and apps are built, and how third parties may, inadvertently or not, be putting patients' protected health information at risk.

We asked Andrew Mahler, a former investigator with HHS Office for Civil Rights and now VP of Privacy and Compliance at CynergisTek, what he thought about these and other issues: how healthcare organizations should be thinking about privacy laws and different data types, best practices for educating staff and patients, laws and regulations on how and when data can be shared – and how these privacy challenges may have added salience in a post-Dobbs decision world.

Q. What do you make of the Advocate Aurora "pixel" breach, which has now led to a lawsuit?

A. People are not only becoming more aware of how their data could and should be shared, but we are becoming more knowledgeable about the vast implications of data sharing, more broadly. I think what concerns many about the disclosures to Meta/Facebook is not simply that their data is being shared, but that their data may be being shared broadly and for advertising and tracking purposes without their consent or knowledge.

HIPAA governs how protected health information may be used and disclosed by covered entities – including certain providers, plans – and certain business associates/vendors, and it also provides certain requirements related to the privacy and security of data, as well as individual rights.

Those standards include requirements to provide notice to patients about how PHI may be used and disclosed by the organization, the requirement to obtain valid authorization for certain types of uses and disclosures, and the requirement to obtain certain assurances before disclosing PHI to vendors.

What makes this situation especially complex and troubling is that the healthcare organizations themselves may not have been aware that the Meta Pixel Tool had been embedded in its website and/or that it was tracking, comparing and receiving data about patients, including PHI. This underscores the importance of performing thorough risk analyses, proper training and education, as well as independent third-party reviews of policies, processes and systems to highlight potential gaps and risks.

Organizations should be carefully considering all the ways PHI may be used, disclosed and accessed, and the use – whether inadvertent or purposeful – of Meta Pixel has highlighted the need for organizations to think beyond the routine and usual, and consider innovative (or insidious) ways data can be accessed.

Q. What about the ways companies like Meta are working with hospitals and health systems, more generally?

A. Just as there is an app for everything, there is a vendor for everything. Many companies provide valuable applications and technology services to hospitals and health systems. However, as data (even de-identified data) becomes more valuable, companies are going to logically look for ways to monetize and further use data, and we hope that if they are doing so, they are doing it in a way that is compliant, secure, and ethical.

While HIPAA-covered entities and business associates have control over how they use and disclose information, they may determine that there is an organizational need to utilize tracking services that could make certain web-based experiences easier or more efficient for patients, prospective patients, or the organization itself. In one situation, an organization determined that the use of Meta Pixel supported consumer experience and helped encourage the scheduling of preventive care.

However, when making business decisions like this, organizations must weigh the benefit to the organization/patient with the risk to the patient/organization. When making or reviewing these determinations, it is imperative that a thorough risk analysis is not performed in a vacuum but includes as much key staff as possible to provide insights not only about the business need or benefit, but also about risk (past, present, and future) and potential ethical concerns.

Q. How concerned should patients be from a privacy perspective, even if they're not affected by a breach, per se?

A. HIPAA permits covered entities to use and share protected health information for certain purposes. Some of these purposes are only permitted if the patient authorizes the disclosure, but not all. HIPAA expressly permits certain uses and disclosures that do not require authorization or an opportunity to agree or object. This includes disclosures for certain, permitted law enforcement purposes, research purposes and business associates.

When thinking about concerns about our PHI, it is important to keep in mind that the enforcement of the HIPAA Privacy and Security Rules was initiated almost 20 years ago. Healthcare providers and insurers subject to HIPAA have had a lot of time to understand how to protect and secure health information and implement good practices related to data sharing and maintenance.

However, we should all be somewhat skeptical about how our data is used and shared, and that includes asking questions when information about privacy or security practices is unclear or unknown. Organizations will need to adjust practices or implement new ones as technologies improve and risks become apparent. In addition, the U.S. Department of Health and Human Services, Office for Civil Rights, is responsible for enforcing HIPAA and we have seen consistent, active enforcement over the years.

The financial penalties are not small, and the repercussions, including loss of trust, can be difficult to overcome. Of course, this isn’t to say patients shouldn’t be concerned about how their data is managed, but HIPAA-covered entities and business associates are subject to scrutiny, fines and penalties when they do not comply with regulatory requirements related to how our data is used, shared and managed.

Q. What does U.S. privacy law – HIPAA, HITECH, CCPA, etc. – say about data collection like the kind Meta and Google are doing? What about GDPR?

A. While HIPAA protects certain information, it does not protect all of the data about us. We are constantly disclosing data, whether through applications, our phones, using credit cards, browsing the web, making an airline reservation for a partner, or through any number of the many ways organizations may be accessing and acquiring our data.

Most of us have received dozens, if not more, notifications over the past few years that our data may have been accessed or breached. Some of these notifications are required by a rule or law, but not all. It’s difficult to keep up, and it’s even more difficult to know what, if anything, we should or could do about it.

Most, if not all, privacy and data protection laws, whether HIPAA, GDPR, CCPA or others, include similar requirements: provide appropriate privacy and security safeguards, provide individuals with certain rights related to their data and provide notification when there has been a breach.

Each regulation defines the type of information that must be protected, and there is often no overlap between data protected by one rule or law or another. The patchwork of privacy and breach notification laws requires organizations to understand all types of data maintained, received and transmitted, and to provide adequate protections around regulated data, and assess incidents when there may have been an improper use or disclosure.

Q. What are some privacy best practices for staff at healthcare providers, in a digital age where websites of all shapes and sizes are tracking users' online behavior?

A. Staff must receive appropriate training and education about how to protect and secure information. This training should include information about PHI, including the types of identifiers about patients, their relatives, employers or household members that could be used to identify patients.

For example, some of the information collected by Meta Pixel includes IP addresses; dates, times, and/or locations of scheduled appointments; proximity to an office or clinic; information about the provider; type of appointment or procedure, among others. While many will (accurately) assume names, addresses and phone numbers could be PHI, not all understand that IP addresses and dates, and times can also be PHI.

This particular issue highlights the importance that even those involved in designing the website, reviewing code and maintaining the organization’s social media sites receive regular and effective training and education.

From both a privacy and security perspective, this issue underscores the importance of performing an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of protected health information. This risk analysis will support the organization in reviewing risks and making certain business and operational decisions to either mitigate risk through controls or discontinue a particular practice.

As part of this analysis, organizations must consider whether and how access to data is being monitored and assessed. If your organization is not aware of how patient data may be used or disclosed, how will you assure patients that their data is being protected?

Q. How should employees be trained to keep their data – and perhaps that of patients – safe?

A. From an organizational perspective, training and education must be effective. That often means finding creative ways to encourage interaction and facilitate understanding. It’s important to understand that not only do we learn differently but employees need to fit training into their already busy schedules. Sometimes, this means creating training that is unique to specific staff/tasks and using a combination of training methods.

In addition, I always encourage friends, family and clients to be thoughtful about the applications and devices they plan to use – perform their mini, personal “risk analysis” – to have an informed idea of how their data could be used and disclosed to others (OCR has provided helpful guidance about protecting the privacy and security of personal data on personal devices as well). I believe that as we begin to think more critically about how our data is shared and monetized, we will be more likely to raise questions and creative solutions within our workplaces.

Q. In your experience, how aware are healthcare organizations of the ins and outs of how and what data can be shared with third parties, law enforcement, etc.?

A. While many organizations may have strong processes in place for routine disclosures (for example, sending prescription information to a patient’s pharmacy), I find that organizations have challenges operationalizing the less-routine disclosures.

While some hospitals may receive frequent requests from law enforcement, not all do, which may result in an unprepared or untrained staff member disclosing information improperly. On the other hand, larger hospitals may work with thousands of third-party vendors, and thus, may have difficulties understanding risks involving all vendors, while smaller clinics may disclose data to a much smaller group of vendors.

The ins and outs of data sharing can be very complicated, which is why I believe effective policies, procedures and training are vital to protecting both the organization and the patient. Training and education, based on roles and job descriptions, should equip each employee to understand whether, when and how data may be shared with others.

Q. These issues have added salience in a post-Dobbs world. What might this privacy landscape look like for reproductive health?

A. While the Dobbs decision has not changed how health information must be protected and secured under HIPAA, it has created substantial anxiety about how data could be used and shared, especially related to reproductive health data and possible state law enforcement actions. While we have certainly been desensitized in many ways over the years regarding the collection of our data, many of us are for the first time considering all of the downstream repercussions of sharing data.

Our phones and apps (and thus, the organizations designing, updating and operating those services) likely know more about our habits than we do. They store data about places we’ve been, people we’ve called and photos that we’ve taken after we have long forgotten about what we did that day. Each company may store a massive amount of data that could be used to prosecute someone seeking reproductive healthcare. For example, a law enforcement official in a state that bans abortion may issue a subpoena to a company for information about an individual’s web searches and geolocation data, to build a criminal case against that person.

This and similar concerns have created a sense of urgency about how to best protect data, and we have seen discussions about data protection escalate within state legislatures, as well as at the federal level. 

In addition, an Executive Order, issued this summer, directs HHS to consider actions and guidance to strengthen the security and privacy protections specifically related to reproductive healthcare. Organizations using, disclosing and maintaining health information should focus on the rules, laws and risks that currently apply, but they should also pay close attention to legislative discussions and enforcement actions.

We have seen a shift in priorities and expectations related to personal data over the past few years, and organizations will want to be in the best possible position to quickly address and manage new requirements and risks.

The HIMSS 2022 Healthcare Cybersecurity Forum takes place Dec. 5 and 6 at the Renaissance Boston Waterfront Hotel. Register here.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.