As advertising technology continues to evolve, it is becoming more common for website operators to utilize web trackers such as cookies, web beacons, tracking pixels and fingerprinting scripts to track and collect information from site users. Even health care providers may use certain web analytics tools to find out where visitors to their website come from, what they click on or how much time they spend on a certain webpage. However, some information disclosed by health care organizations to tracking technology vendors, such as Google and Facebook, may be protected health information (“PHI”) even if it does not include specific treatment information. Federal and state regulators and plaintiffs’ attorneys have taken notice of this issue and are opening investigations and filing claims that present potentially significant liability for health care organizations.
This issue was brought to light by an investigative report published by The Markup on June 16, 2022, reporting that health care organizations across the country may have installed a tracking tool owned by Meta (formerly Facebook) on their patient portals and other patient-facing websites. This tracking tool, known as the Meta Pixel, reportedly sends Facebook a packet of data related to the end-user accessing an organization’s website. Meta Pixel provides website owners certain analytics about the ads they have placed on Facebook and Instagram and, in some cases, may provide tools to target people who have visited the entity’s website. In order to provide this service, the Meta Pixel sends information to Facebook via scripts running in an end-user’s internet browser. Data packets contain an IP address that can potentially be used in combination with other data to identify an individual or household. Other end-user data collected that may be transmitted to Facebook reportedly include patient names, home and email addresses, medical record number, appointment information, prescription details and more.
Due to the technical nature of these website tracking technologies like the Meta Pixel, many health care organizations are unaware of the full scope and extent of information being collected and/or disclosed in the process of using such technologies. This puts health care organizations at risk of violating HIPAA and potentially other state and federal information privacy laws at a time when the number of active investigations relating to the use of such technologies is quickly rising. Regulators, including the United States Department of Health and Human Services Office for Civil Rights (“OCR”) and state attorneys general, have begun opening investigations into this issue. Additionally, class action lawsuits have recently been filed against health care organizations and third parties such as Meta related to the use of third-party tracking technologies on health care provider websites.
Practical Takeaways
Health care organizations utilizing the Meta Pixel or other third-party tracking technologies on any web pages should work with legal counsel to undertake a detailed forensic investigation to understand the scope and scale of the tracking technology implementation and determine whether or not a HIPAA violation may have occurred. Placement and configuration of Meta Pixel and other trackers are critical in determining what information is transmitted, and, therefore, a detailed forensic examination is recommended to ensure full understanding of the deployment and operation of the tracking technologies. In order to effectively assess the situation, health care providers should ask the following questions:
- Which websites, web pages and/or portals are using the Meta Pixel or other third-party tracking technologies?
- What information is being transmitted through the use of the Meta Pixel or other third-party tracking technologies on each site?
- Is there is a business associate agreement in place with Meta, other third-party tracking technology vendors or other vendors who may have assisted with implementing tracking, such as marketing firms?
If your organization is using the Meta Pixel or other third-party tracking technologies on your website, or is unsure whether it is, and would like to discuss next steps, we encourage you to reach out to:
- Mark Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com;
- Melissa Markey at (248) 310-4876 or mmarkey@wp.hallrender.com;
- Cory Brennan at (317) 977-3614 or cbrennan@wp.hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.
