Partnerships between big tech and health care can be profitable but jeopardize patient privacy.
Companies like Meta and Google use pixel trackers to gather personal information about individuals who visit websites and log in to patient portals. The tech companies then sell the personal information to others who use it to market products and services to those patients. Millions of patients have been affected and Meta is facing multiple class action lawsuits for breach of privacy. The healthcare providers who allow pixel trackers in their networks may be violating HIPAA.
Healthcare providers enter agreements with companies like Meta and Google in exchange for analytics about the ads that the providers place on Facebook, Instagram and other internet sites. A study co-published by STAT and The Markup in June, 2022 found that 33 of the top 100 hospital sites had installed a Meta pixel tracker which was sending patient data to Facebook when people scheduled appointments. The data included IP addresses, physicians’ names and search terms used to find the physician.
The Markup report describes the vast and surprising reach of the pixel trackers, and how hidden they are from consumers. The trackers are embedded in the main website, scheduling platforms and password protected patient portals like MyChart. A number of the hospitals removed the pixel trackers after being contacted by The Markup.
Potential HIPAA Violations
OCR Advice About Pixel Trackers
Following at least four major stories about patient data being transmitted to Meta or Google through the use of pixel trackers the HHS Office for Civil Rights (OCR) last week issued a bulletin explaining the risks for covered entities and business associates, with advice about what to do.
The healthcare providers in the news include:
- Novant Health, 1.3 million patients, used Meta pixel trackers
- WakeMed Health and Hospitals, unspecified number of patients, used Meta pixel trackers
- Advocate Aurora Health, 3 million patients, used Google and Meta pixel trackers
- Community Health Network, 1.5 million, used Google and Meta pixel trackers
In its bulletin OCR noted that covered entities and business associates need to pay close attention to their obligations under HIPAA.
“For example, if an individual makes an appointment through the website of a covered health clinic for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor,”
OCR explains that in this case, the tracking technology vendor is a business associate and a Business Associate Agreement (BAA) is required.
OCR clarified that whether the tracking tech is present on user-authenticated or unauthenticated webpages, if protected health information (PHI) is involved, HIPAA rules apply. When it comes to mobile apps, OCR noted that apps offered by regulated entities are covered by HIPAA. However, HIPAA rules do not protect information that users voluntarily provide to mobile apps that are not developed or offered by covered entities.
OCR encouraged covered entities to confirm whether disclosures of PHI to tracking technology vendors are specifically permitted by the HIPAA Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed. OCR noted that:
“it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information.”
and,
“Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
OCR also emphasizes that a thorough HIPAA Risk Analysis is essential to balance the consumer benefit and the risks from technology by having clear disclosures about what PHI is being used, accessed, or shared.
Finally, OCR reminded covered entities to provide breach notifications to HHS in the event that the use of tracking tech leads to an impermissible disclosure of PHI.
Beyond HIPAA the Lawsuits are Mounting
Today, internet searches of the above-named pixel tracker disclosures reveals plaintiffs’ attorneys advertising for patients to join a class action lawsuit. Meta is already facing multiple health privacy breach lawsuits. Although so far the lawsuits are targeting big tech, healthcare providers may also end up in court, depending on the fact situation. Are the providers doing enough to keep PHI private and secure?
Follow HIPAA to Protect Patient Privacy
Whether facing an OCR investigation or a private lawsuit, the best defense is a strong HIPAA compliance program. Review your agreements with internet technology companies like Meta and Google, evaluate whether you have business associates receiving or transmitting PHI, and conduct due diligence with those business associates. Finally, review and refresh your HIPAA Risk Analysis to make sure you understand how your PHI is being protected, and what more might be done to keep it secure.