A cancer patient logged in to her healthcare provider’s patient portal to confirm an appointment and update her pharmacy information. The following day she began to see new ads for cancer treatments on her personal Facebook page. But she had not authorized her provider to share her information, so what happened?
A huge class action lawsuit was recently filed against Facebook’s parent company, Meta, in California, and hundreds of healthcare providers may get drawn in. John Doe vs. Meta Platforms, Inc. was filed June 17, 2022 in Federal District Court of the Northern District of California.
Five years ago a similar lawsuit was filed against Facebook. That case, Smith et al vs. Facebook, was dismissed however, because the court held plaintiffs were barred from suing Facebook because they agreed to be bound by Facebook contract terms. The new lawsuit (with the same legal team) is designed to overcome that challenge and launches a direct assault on new contract terms fashioned by Facebook’s parent, Meta.
Meta is Deep into Patient Privacy
Meta offers its business customers an inside detailed view of visitors to the business’s website. Meta has a piece of code that its customers can install on their own websites that delivers granular information about website visitors. The problem is that healthcare organizations partnering with Facebook that use this feature are disclosing protected health information (PHI) in violation of HIPAA. And Facebook is allegedly violating its own contracts with customers, federal and state electronic communications privacy and wiretap laws, and state consumer protection and privacy laws.
From Meta’s own website:
“The Meta pixel a snippet of JavaScript code that loads a small library of functions you can use to track Facebook ad-driven visitor activity on your website. It relies on Facebook cookies, which enable us to match your website visitors to their respective Facebook User accounts.”
The new class action lawsuit was filed against Meta by “John Doe”, described as a patient of healthcare system Medstar in Maryland, alleging that Facebook is unlawfully collecting patient information – without individuals’ consent – from the patient portals and related websites of Medstar and at least 663 other medical providers in the U.S. that have deployed the Meta pixel code on their web properties. Millions of patients across the U.S. have been affected by the Meta pixel.
The complaint alleges:
“When a patient communicates with a health care provider’s website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient’s communication with their health care provider to be re-directed to Facebook in a fashion that identifies them as a patient.”
The complaint goes on to explain that Facebook is then making money by selling ads to businesses that specifically target patients and their interests and needs, based on their website (or patient portal) activity.
Marketing Companies Often Overlook HIPAA
At the heart of the problem for health care providers is that their marketing and patient engagement strategies are fashioned by advertising and marketing consultants without oversight from HIPAA compliance professionals.
Use caution when setting up marketing campaigns in healthcare. A good rule is simply to not use targeted advertising through a social media platform like Facebook, Instagram or TikTok. Without a HIPAA authorization from all of your patients, specific to the situation, you can find yourself in violation of HIPAA and subject to steep fines. If you currently use Facebook this way, expect to hear more about it as the case proceeds, because discovery could be eye-opening and embarrassing for Meta’s medical provider partners.