Use of Tracker by Hospitals Likely Violates HIPAA

Facebook Tracker Collecting PHI

An investigation by The Markup and Stat has uncovered a tracking tool used by 33 of the country’s top 100 hospitals that collects patients’ protected health information (PHI) and sends it to Facebook—including details about medical conditions, prescriptions, and physician appointments.

Experts contacted in the article, including a former head of HIPAA enforcement for the Department of Health and Human Services, Office for Civil Rights expressed concern about the legality of the data transfer without patient authorization.

“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”

The investigation also uncovered the Meta Pixel tracker installed on the patient portals of seven medical systems and documented patient data being transmitted by the tracker on five of the seven.

Given the widespread use of Facebook, it is fair to ask how many covered entities and business associates may have the tracker installed in a similar manner?

Facebook Is Receiving Sensitive Medical Information from Hospital Websites

Experts say some hospitals’ use of an ad tracking tool may violate a federal law protecting health information

By: Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu

Originally published on themarkup.org

A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook.

The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.

On the website of University Hospitals Cleveland Medical Center, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: “pregnancy termination.”

Clicking the “Schedule Online Now” button for a doctor on the website of Froedtert Hospital, in Wisconsin, prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the condition we selected from a dropdown menu: “Alzheimer’s.”

The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. On five of those systems’ pages, we documented the pixel sending Facebook data about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project is a crowd-sourced undertaking in which anyone can install Mozilla’s Rally browser add-on in order to send The Markup data on the Meta Pixel as it appears on sites that they visit. The data sent to hospitals included the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts.

Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.

“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”

University Hospitals Cleveland Medical Center spokesperson George Stamatis did not respond to The Markup’s questions but said in a brief statement that the hospital “comport[s] with all applicable federal and state laws and regulatory requirements.”

After reviewing The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “out of an abundance of caution,” Steve Schooff, a spokesperson for the hospital, wrote in a statement.

As of June 15, six other hospitals had also removed pixels from their appointment booking pages and at least five of the seven health systems that had Meta Pixels installed in their patient portals had removed those pixels.

The 33 hospitals The Markup found sending patient appointment details to Facebook collectively reported more than 26 million patient admissions and outpatient visits in 2020, according to the most recent data available from the American Hospital Association. Our investigation was limited to just over 100 hospitals; the data sharing likely affects many more patients and institutions than we identified.

Facebook itself is not subject to HIPAA, but the experts interviewed for this story expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit.

“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” said Nicholson Price, a University of Michigan law professor who studies big data and health care. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.

The Markup was unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways.

Facebook’s parent company, Meta, did not respond to questions. Instead, spokesperson Dale Hogan sent a brief email paraphrasing the company’s sensitive health data policy.

“If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems,” Hogan wrote.

Meta did not respond to follow-up questions, but Hogan appears to be referencing a sensitive health information filtering system that the company launched in July 2020 in response to a Wall Street Journal article and New York Department of Financial Services investigation. Meta told the investigators that the filtering system was “not yet operating with complete accuracy,” according to the department’s February 2021 final report.

The Markup was unable to confirm whether any of the data referenced in this story was in fact removed before being stored by Meta. However, a recent joint investigation with Reveal found that Meta’s sensitive health information filtering system didn’t block information about appointments a reporter requested with crisis pregnancy centers.

Internally, Facebook employees have been blunt about how well—or not so well—the company generally protects sensitive data.

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ ” Facebook engineers on the ad and business product team wrote in a 2021 privacy overview that was leaked to Vice.

“Almost Any Patient Would Be Shocked”

The Meta Pixel is a snippet of code that tracks users as they navigate through a website, logging which pages they visit, which buttons they click, and certain information they enter into forms. It’s one of the most prolific tracking tools on the internet—present on more than 30 percent of the most popular sites on the web, according to The Markup’s analysis.

In exchange for installing its pixel, Meta provides website owners analytics about the ads they’ve placed on Facebook and Instagram and tools to target people who’ve visited their website.

The Meta Pixel sends information to Facebook via scripts running in a person’s internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household.

HIPAA lists IP addresses as one of the 18 identifiers that, when linked to information about a person’s health conditions, care, or payment, can qualify the data as protected health information. Unlike anonymized or aggregate health data, hospitals can’t share protected health information with third parties except under the strict terms of business associate agreements that restrict how the data can be used.

In addition, if a patient is logged in to Facebook when they visit a hospital’s website where a Meta Pixel is installed, some browsers will attach third-party cookies—another tracking mechanism—that allow Meta to link pixel data to specific Facebook accounts.

And in several cases we found—using both dummy accounts created by our reporters and data from Mozilla Rally volunteers—that the Meta Pixel made it even easier to identify patients.

When The Markup clicked the “Finish Booking” button on a Scripps Memorial Hospital doctor’s page, the pixel sent Facebook not just the name of the doctor and her field of medicine but also the first name, last name, email address, phone number, zip code, and city of residence we entered into the booking form.

The Meta Pixel “hashed” those personal details—obscuring them through a form of cryptography—before sending them to Facebook. But that hashing doesn’t prevent Facebook from using the data. In fact, Meta explicitly uses the hashed information to link pixel data to Facebook profiles.

Using a free online tool, The Markup was also able to reverse most of our hashed test information that the pixel on Scripps Memorial Hospital’s website sent to Facebook.

Scripps Memorial didn’t respond to The Markup’s questions but it did remove the Meta Pixel from the final webpages in the appointment booking process after we shared our findings with the hospital.

On other hospitals’ websites, we documented the Meta Pixel collecting similarly intimate information about real patients.

When one real patient who participated in the Pixel Hunt study logged in to the MyChart portal for Piedmont Healthcare, a Georgia health system, the Meta Pixel installed in the portal told Facebook the patient’s name, the name of their doctor, and the time of their upcoming appointment, according to data collected by the participant’s Mozilla Rally browser extension.

When another Pixel Hunt participant used the MyChart portal for Novant Health, a North Carolina–based health system, the pixel told Facebook the type of allergic reaction the patient had to a specific medication.

The Markup created our own MyChart account through Novant Health to further investigate and found the Meta Pixel collecting a variety of other sensitive information.

Clicking on one button prompted the pixel to tell Facebook the name and dosage of a medication in our health record, as well as any notes we had entered about the prescription. The pixel also told Facebook which button we clicked in response to a question about sexual orientation.

“Our Meta pixel placement is guided by a third party vendor and it has been removed while we continue to look into this matter,” Novant spokesperson Megan Rivers wrote in an email.

Epic Systems, the software company behind MyChart, has “specifically recommended heightened caution around the use of custom analytics scripts,” Stirling Martin, a senior vice president for the company, wrote in an email.

Facebook is able to infer intimate details about people’s health conditions using other means—for example, the fact that a person “liked” a Facebook group associated with a particular disease—but the data collected by pixels on hospitals’ websites is more direct. And in sharing it with Facebook, experts said, health care providers risk damaging patients’ trust in an increasingly digitized health system.

“Almost any patient would be shocked to find out that Facebook is being provided an easy way to associate their prescriptions with their name,” said Glenn Cohen, faculty director of Harvard Law School’s Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics. “Even if perhaps there’s something in the legal architecture that permits this to be lawful, it’s totally outside the expectations of what patients think the health privacy laws are doing for them.”

Legal Implications

Facebook’s data collection on hospital websites has been the subject of class action lawsuits in several states, with mixed results.

Those cases involve types of data that health law experts said are sensitive but less regulated than the health information The Markup documented the Meta Pixel collecting.

In 2016, a group of plaintiffs sued Facebook and a handful of health systems and organizations, alleging that the organizations had breached their own privacy policies and several state and federal laws—including wiretapping and intrusion on seclusion statutes—by collecting data via tracking technology on the health care providers’ websites.

The U.S. District Court for the Northern District of California dismissed that case in 2017 for a variety of reasons, including that the plaintiffs failed to prove that Facebook had collected “protected health information,” as defined by HIPAA. Rather, the court found, Facebook had tracked plaintiffs on public-facing pages of the websites—such as the homepage or informational pages about diseases—where there was no evidence that the plaintiffs had established a patient relationship with the provider.

In 2019, plaintiffs brought a similar class action lawsuit in Suffolk County Superior Court against Massachusetts-based Partners Healthcare System, which has since changed its name to Mass General Brigham, alleging that the sys