Many hospital websites have a tracking tool that sends sensitive medical information to Facebook when people schedule appointments, according to an investigation by The Markup. Experts say the hospitals using the tool may be violating the medical privacy law, the Health Insurance Portability and Accountability Act, or HIPAA.
The Markup found that 33 of the top 100 hospitals in the United States used a tracker called the Meta Pixel on their websites. Installing the Meta Pixel gives groups access to analytics about Facebook and Instagram ads, but it also tracks how people use their websites: the buttons they click, the information they put in forms, and so on.
On hospital websites, that may include sensitive health information linked to a patient’s IP address. On one hospital website, clicking the schedule button sent Facebook a doctor’s name and the condition, “Alzheimer’s,” for which the appointment was scheduled.
In seven healthcare systems, the Meta Pixel was installed in patient portals, which require a login and record detailed health information. The Markup found that Facebook was receiving one patient’s name and appointment time and another’s allergic reactions to specific drugs.
Under HIPAA, hospitals are not allowed to share identifiable health information with third parties without patient consent. They can (and often do) use and share anonymized data. But information associated with an IP address can qualify as identifiable health information, which is subject to additional protection. “Even if there might be something in the legal architecture that makes this legal, it’s totally beyond expectations of what patients think the health privacy laws are doing for them,” Glenn Cohen, faculty director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School, told The Markup.
A Meta spokesperson told The Markup that Facebook has filters that detect and remove sensitive health data sent by companies. It is not clear whether the data sent by hospital websites was captured by those filters. But the filters don’t always work as described. Another investigation from The Markup found that details about people seeking information about abortion or emergency contraceptives (which should not be sent to Facebook) made their way onto the platform.
Seven hospitals have removed the Meta Pixel from their websites following The Markup’s findings, as have at least five of the hospitals that had the tracker in their patient portals.