BLOG

A bombshell news report was issued by The Markup on June 16 in their publication, Facebook Is Receiving Sensitive Medical Information from Hospital Websites.

Specifically, the report claims that healthcare organizations across the country have installed Meta Facebook’s Meta Pixel tracking tool on patient portals and other patient-facing websites. The Meta Pixel platform reportedly sends Facebook Protected Health Information (PHI) including patient names, IP addresses, names of doctors, appointment information, prescription details, and more for many of the nation’s hospitals.

In some cases, the integration with Facebook’s Meta Pixel tool has been introduced via a third-party platform, making Meta Pixel a fourth-party application.

Hospitals and other healthcare delivery organizations are scrambling to understand what this means for their organization from a HIPAA compliance, legal, vendor risk, and patient trust perspective. This blog post provides CORL’s perspective and analysis to answer some of the most pressing questions arising from this report including:

• Is it a HIPAA violation for hospitals or their vendors to share PHI with Meta / Facebook?
• What steps should healthcare providers take to assess the situation?
• What regulatory exposure do I have with OCR if my organization has implemented Meta Pixel tool?
• What legal exposure does my organization have related to our Meta Pixel implementation or the use of similar tracking tools?
• How have hospitals, covered entities, and vendors responded to this situation?

Note: this blog post does not represent legal advice or HIPAA regulatory guidance for any specific organization. Healthcare entities and vendors should engage legal counsel and other experts to review their specific situations and determine any related exposures and risks. This blog post is intended for general guidance and informational purposes only.

Is it a HIPAA violation for hospitals or their vendors to share PHI with Meta / Facebook?

Maybe. Hospitals and other healthcare providers, referred to as covered entities in the HIPAA world, routinely send large volumes of PHI to third parties for a wide variety of purposes. This practice is not a violation of HIPAA provided that certain conditions are met.

According to HIPAA, covered entities must have a signed Business Associate Agreement (BAA) or signed patient consent in order to share PHI with third-party vendors. For the sake of simplicity of our analysis, we are going to assume that the vast majority of healthcare providers do not have a signed consent model in place for the Facebook / Meta Pixel tool (can you imagine your healthcare provider explicitly asking you to share your PHI with Facebook?).

Covered entities should perform a review of their business associate inventory to determine if a BAA is established with Facebook that is aligned with the latest HIPAA/HITECH provisions.

If a BAA is in place with Facebook, then covered entities likely have more of a public relations and patient trust issue rather than a HIPAA violation to address. The reputational fallout of this situation should not be taken lightly. Even if the covered entity is protected legally by a BAA with Facebook, it may make sense to discontinue the use of this software and other tracking mechanisms from a patient engagement and relationship perspective alone.

If a BAA is not in place with Facebook, then covered entities may have a HIPAA regulatory compliance violation if they knowingly procured and implemented a website tracking application that includes functionality for capturing and transmitting PHI to a third-party vendor without the proper BAA contract or consent mechanism in place.

What steps should healthcare providers take to assess the situation?

If Facebook’s Meta Pixel has been deployed, then covered entities should commission an analysis with legal counsel and compliance teams to understand the scope and scale of the implementation to determine if a HIPAA violation has occurred.

The first step in the analysis should include what portals and websites are using the Meta Pixel tool. Those websites and portals should then be reviewed to determine what information including patient identifiers and other PHI are being transmitted to Facebook.

Covered entities should then determine whether or not a BAA is in place with Facebook and/or any related patient consent models.

The results of that analysis should dictate next steps, which may include public communications with the organization’s analysis and position, removal of tracking tools including Meta Pixel, changes to policies and privacy notifications, or public breach reporting to HHS if applicable. Examples of public communication responses from several healthcare entities are provided further down in this blog post.

Meta Pixel and Facebook tracking tools may only be the tip of the iceberg for some healthcare providers. CORL recommends conducting a thorough analysis of your business associate inventory to determine which third-party services and products are deployed in your environment and whether or not a BAA is in place.

CORL offers a Business Associate Inventory & Compliance Management service for inventorying existing BAs, identifying gaps and missing BAAs, and working with vendors to obtain all required signed paperwork. Contact us to learn more.

Covered entities should also conduct a review of any other patient portal and externally facing websites for third-party add-ons and trackers to see if there are other platforms that may present similar risks to the Facebook Meta Pixel tool.

If Facebook’s Meta Pixel technology was implemented by a third-party vendor, then healthcare organizations should follow the guidance from CORL for managing fourth-party cybersecurity and privacy incidents in the following publications:

• Blog – Mitigating Fourth-Party Cyber Risks in Healthcare
• Webinar – Fourth Party Vendor Risk Management & Incident Response

What regulatory exposure do I have with OCR if my organization has implemented Meta Pixel tool?

Covered entities could be subject to HIPAA enforcement fines and action from OCR if their legal teams have reviewed the Meta Pixel implementation and concurred that a HIPAA violation may be present.

OCR enforcement typically begins when one or more patients file a formal complaint with HHS. This triggers reviews that could lead to formal investigations from OCR. Such complaints are highly likely to be submitted to HHS as a result of this investigative report from The Markup.

OCR investigations may lead to an amicable resolution (i.e. OCR agrees that no violation has occurred), resolution agreements with financial multi-million dollar settlements, or could escalate to litigation and formal civil money penalties.

What legal exposure does my organization have related to our Meta Pixel implementation or the use of similar tracking tools?

Healthcare organizations could face legal damages and costs related to the Facebook Meta Pixel implementation even if HIPAA violations and OCR enforcement do not come into play. This is due to a rising trend in class action lawsuits against healthcare providers and their vendors for security and privacy breaches.

For example, Partners Healthcare System in Boston (now called Mass General Brigham) settled a class action lawsuit in 2019 by paying $18.4m and admitting to no wrongdoing in relation to their installation and use of Facebook’s Meta Pixel and other tracking tools on their website.

Whether or not the mounting volume of class action lawsuits have legal merit, they may still introduce legal defense and analysis costs related to the implementation of website tracking tools. It makes sense to do analysis now to understand the scope and scale of your particular implementation of Meta Pixel and similar platforms.

How have hospitals, covered entities, and vendors responded to this situation?

Several hospitals and vendors, mostly those names in the report from The Markup, have issued public statements about their usage of Facebook’s Meta Pixel tool and transmission of PHI. A compiled list of responses is available here, which have been summarized below into a handful of similar categories.

As with any cybersecurity or privacy-related incident response, it often matters more how an organization responds than the substance of the case. Historically, organizations that respond with transparency and detail tend to fare better and can actually end up enhancing rather than eroding trust with patients and the community. Conversely, organizations that respond with obfuscation, defensive language, or legal ease tend to experience erosions of trust with patients and business partners.

Here are some of the “types” of responses that have been issued thus far by healthcare entities related to the Facebook Meta Pixel situation:

Response Type #1 – “We are reviewing the situation”

This is a non-committal response used to buy time, but these organizations will likely have to issue a “real” response at some point in the coming weeks to provide more transparency into the situation. This response should be used if there is external pressure to respond but not enough of the facts are known. This type of response should be followed up within days with a more complete position.

Organizations that issued responses in this category thus far include Community Health Network and Sanford USD Medical Center.

Response Type #2 – "Facebook's Meta Pixel has been removed from our website"

This response is a step in the right direction that demonstrates that the organization takes this matter seriously and is taking concrete actions to protect patient privacy and security. We recommend that such a statement also includes some commentary about any reviews that will be conducted into Facebook tool as well as any other tracking tools used on the company website that could transmit PHI.

Organizations that issued responses in this category include Froedtert Hospital, Houston Methodist, and Novant Health.

Response Type #3 – “No PHI is disclosed through this portal” or “The use of this type of code was vetted and is referenced in our terms and conditions”

These responses may be technically accurate and legal but may be perceived by some patients as technical legal language that dodges the issue of perceived violations of privacy. The report from The Markup indicates that the Meta Pixel tool may transmit some PHI in “hashed” formats, which means it is technically not PHI but can be linked back to specific individuals by Facebook. There are also cases where the transmission of such information is permissible if a BAA is in place (see earlier commentary in this blog).

Being legally correct and within the boundaries of HIPAA does not necessarily mean that patients will let you off the hook for transmitting their PHI to Facebook.

We recommend that organizations that claim “no foul” follow up with more details about their analysis to ensure that patient trust is protected. We also recommend considering discontinuing the use of any tracking tools that provide PHI to third parties that are not critical to the operations of the business. The common sensibility of patients may not appreciate legal correctness over perceived abuses of trust and privacy.

Organizations that issued responses in this category include Henry Ford, Sharp Memorial, Northwestern Memorial, and University Hospitals Cleveland Medical Center.

Other Responses

Another notable response provided by one hospital that we recommend avoiding is (paraphrasing): “Our third-party vendor advised us to install the Facebook tool”.

The most prominent electronic healthcare vendor, Epic, also responded by saying that they "specifically recommend heightened caution around the use of custom analytics scripts". In other words, “this is not our fault, good luck”. This is likely the tact that other patient portal and website providers will take in response to this situation.

Conclusion

Ultimately, the culpability and responsibility for the implementation and usage of patient portal web tracking tools like Facebook’s Meta Pixel rests with covered entities. Covered entities that engage a third-party for any processing of PHI need to ensure that a thorough security and privacy risk assessment has been undertaken and BAA contracts have been put in place.

Covered entities must obtain a clear sense of what sensitive data including PHI is being transmitted prior to authorizing the release of data to third parties. This is a fundamental expectation of trust with patients and providers, one that perhaps too many hospitals and health delivery organizations are failing to address when it comes to sharing large volumes of PHI with third-party vendors.

CORL will continue to monitor the situation as it evolves and provide further guidance along the way. Reach out to our vendor risk and HIPAA experts for consultation if you have any questions about how the disclosure of Facebook’s access to PHI may impact your organization.