Updated September 2023 | Originally published November 2018
Class-action lawsuits fuel concerns over digital patient privacy
Hospitals, healthcare providers, and medical practices advertising on Facebook may be facing new legal worries.
Two lawsuits filed thus far in 2023 allege widespread violations of state and federal privacy laws. In a lawsuit filed in the U.S. District Court of the Northern District of California in February, five anonymous Facebook users allege that five healthcare facilities allowed Facebook’s online tracking tool to integrate with the facilities’ websites.
Ultimately, the suit alleges, the integration permitted protected health information (PHI) to be shared with Meta, Facebook’s parent company, and other third parties.
A lawsuit filed in August in the Western Washington District claims that the Facebook “pixel” (a snippet of code on a business’s website that tracks the actions of users who respond to ads on the social media site) essentially acts as a wiretap, capturing patient information exchanged online with doctors and other healthcare personnel.
Plaintiffs claim that when they log into their patient portal on their providers’ websites, the pixel transmits PHI to Meta. They say that Meta monetizes the information for its own financial gain, in contravention of Meta’s own policies regarding the use and collection of Facebook users’ data.
How Facebook user tracking works
Businesses that advertise on Facebook are offered the opportunity to use the pixel to track visitors to their websites coming from Facebook ads. The tracking yields valuable marketing data on advertising cost per visit.
Perhaps few businesses are aware of, and fully understand, the permission they implicitly grant to Facebook and its potential consequences. In our view, Facebook’s practices pose increasing and unacceptable risks to patient privacy on several counts. We believe it is time to take substantial action.
If you advertise on Facebook, you provide a link to your website and, in doing so, generally agree (knowingly or not) to allow the Facebook pixel not only to track your website visitors but also to record which actions those visitors take on the site, such as requesting an appointment online.
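As an added example (not code from the original post or from the firm), a small Python audit that a practice can run over its own page source to find the Meta pixel and see which visitor actions it reports back. The sample HTML and the pixel ID are constructed placeholders; the `fbevents.js` loader, `fbq('init', ...)`, `fbq('track', ...)` and `facebook.com/tr` patterns are the pixel's standard snippet.

```python
import re

# Constructed sample of a clinic page carrying the Meta pixel snippet.
# The pixel ID (all zeros) is a placeholder, not a real advertiser account.
SAMPLE_HTML = """
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body abbreviated */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/portal/appointment"
 onsubmit="fbq('track', 'Schedule'); fbq('trackCustom', 'AppointmentRequest', {reason: 'oncology'})">
</form></body></html>
"""

FBEVENTS_RE = re.compile(r"connect\.facebook\.net/[^\s'\"]*fbevents\.js")
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
# Groups: tracking method, event name, and whether a parameter object follows.
TRACK_RE = re.compile(
    r"fbq\(\s*['\"](track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*(,\s*\{)?")
NOSCRIPT_RE = re.compile(r"facebook\.com/tr\?(?:[^\"'\s]*&)?id=(\d+)")


def find_meta_pixel(html):
    """Describe any Meta pixel found in raw page source (no browser needed)."""
    pixel_ids = set(INIT_RE.findall(html)) | set(NOSCRIPT_RE.findall(html))
    script_loaded = bool(FBEVENTS_RE.search(html))
    events = [{"name": name, "custom_params": bool(params)}
              for _method, name, params in TRACK_RE.findall(html)]
    present = script_loaded or bool(pixel_ids)
    if not present:
        risk = "none"
    elif any(e["custom_params"] or e["name"] != "PageView" for e in events):
        # Action events (appointment requests etc.) or custom parameters
        # are where visit data turns into information about a patient.
        risk = "high"
    else:
        risk = "medium"
    return {"pixel_present": present, "pixel_ids": sorted(pixel_ids),
            "script_loaded": script_loaded, "events": events, "risk": risk}
```

Run it over every template and page of the site, not just the home page; action events are usually wired onto forms and portal pages rather than the global header.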
As part of our HIPAA (Health Insurance Portability and Accountability Act) compliance risk analysis, our team evaluated whether the use of the Facebook pixel and the new first-party cookies could be considered a breach of HIPAA laws.
Facebook ads & HIPAA
Our HIPAA concerns were reinforced on July 20, 2023, when the U.S. Department of Health and Human Services warned approximately 130 hospitals, health app developers, and telehealth providers about the “serious privacy and security risks” of using the tracking technology.
The risk of exposure does not end with Facebook. On December 22, 2022, to resolve a class-action lawsuit accusing the social media giant of allowing third parties to access users’ personal information. Lawyers for the plaintiffs called the proposed settlement the largest to ever be achieved in a U.S. data privacy class action.
Apart from voluntary sharing with third parties, on September 28, 2018, Facebook announced a breach.
Given the history of third-party access to Facebook user data, our conclusion is that the risks of divulging what could be considered protected health information (PHI) outweigh the pixel’s tracking benefits, and healthcare providers should not allow the Facebook pixel on their websites.
We take HIPAA seriously, in part to avoid catastrophic fines to our clients’ healthcare practices and to our own firm. The law generally requires a BAA (business associate agreement) before PHI may be shared by a medical practice or by any of its business associates, such as 乐鱼体育 Communications. The BAA requires associates to secure PHI just as robustly as a healthcare provider is obligated to.
However, the complexity of the law can be challenging to interpret in specific circumstances. In order to make a determination, we sought clarity on two vital questions:
- How confident are we that Facebook is willing and able to protect sensitive information?
- How does Facebook accommodate the BAA requirement?
Facebook’s less-than-stellar security practices
The September 2018 Facebook breach involved security tokens, not passwords. Tokens allow an adversary to access someone else’s account, make changes to that account, view sensitive information, and more, all without needing a password. Therefore, changing passwords after the breach had no security benefit, and Facebook’s 90 million affected users can take no proactive steps to mitigate the damage of the 2018 breach.
Unfortunately, Facebook users and business pages can only wait to learn of any damage to their account and then respond accordingly. For our team, this means we are on alert for Facebook issues and are actively monitoring our client accounts to ensure any issue is addressed immediately. Long term, this breach greatly lowers our confidence in Facebook’s ability to protect sensitive information.
To a certain extent, the Facebook breach is not surprising. For more than a decade, Facebook’s CEO concerns. We also know the .
Facebook breach suggests a cavalier attitude toward privacy protections
If Facebook were to offer a BAA, Facebook would bear its own risk of breach of the Facebook pixel data. This would be a great protection and benefit to healthcare practices who use Facebook advertising and the tracking pixel.
Therefore, we asked Facebook if it offered a BAA.
At our request, a Facebook representative answered this question in writing: “Unfortunately, Facebook is not HIPPA [sic] compliant nor do we have a BAA.” Our additional conversations with Facebook confirmed that they uniquely identify individuals in their activity tracking.
Further, we also noticed that in certain circumstances. And violation of Facebook terms can result in Facebook deleting the offending organization’s Facebook page altogether.
Conclusion for healthcare: Do not use Facebook advertising tracking pixels
Given Facebook’s failure to satisfy our two vital questions, we strongly advise against healthcare practices using the Facebook pixel. Facebook does not currently provide a BAA, and its security record is inadequate.
Although there may be a tenuous argument that the Facebook pixel is HIPAA compliant, we’d much rather spare ourselves and our clients the risk that the United States Office for Civil Rights (OCR) disagrees. The OCR can levy monetary penalties well into the six and seven figures. Additionally, there is often little to no appeal or other due process offered to the accused.
Until Facebook takes the necessary steps to become HIPAA compliant, we not only advise all healthcare practices to disallow the use of the Facebook pixel, we also must respectfully decline to use the tracking pixel to manage clients’ ads, since we could be as liable to penalties as our clients.
Keeping Facebook ads HIPAA compliant
The good news is that we have managed Facebook ads long enough to feel confident in our ability to maximize cost efficiencies without the pixel. In the end, we feel some loss of precision is a small price to pay for much greater comfort in knowing patient PHI is considerably safer without the pixel.