Summary
Cyber threats are constantly evolving, especially in the healthcare arena. Proactive strategies can help reduce exposure and limit liability. Glean insight into how Meta Pixels can inadvertently share protected health information and what you can do to better protect your organization from this risk.
A pixel is embedded code within a website that tracks user behavior, including searches and viewed pages. By monitoring website traffic with pixels, marketing teams can glean important feedback as to how their website is being utilized, as well as information on user demographics, interests, and trends.
Meta Pixel is a specific pixel type. It tracks and collects user-entered data (for example, information provided within a patient portal) and then shares it with Instagram and Facebook, enabling targeted digital advertising to appear in user profiles. Meta Pixel is typically added to an organization’s website either manually or through a partner integration. Approximately one-third of U.S. hospital websites use Meta Pixel to track user activity, including in patient portals and on appointment scheduling pages.
By sending website user information to third parties, healthcare organizations may be inadvertently sharing protected health information (PHI) and subjecting themselves to liability under state and federal law. Since June 2022, more than 30 class action lawsuits have been filed against healthcare organizations asserting state statutory, contract, and tort claims based on the unauthorized sharing of PHI collected through Meta Pixel use.
Unauthorized PHI disclosure may also violate HIPAA, which may result in fines and penalties. A recent class action against a healthcare organization alleging unauthorized PHI disclosure, in part due to Meta Pixel, resulted in an $18 million settlement. Because potential exposure may be significant, proactive risk management strategies must be implemented immediately.
Risk Recommendations
Copyrighted. No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.
Meta Pixel is a specific pixel type. It tracks and collects user-entered data (for example, information provided within a patient portal) and then shares it with Instagram and Facebook, enabling targeted digital advertising to appear in user profiles. Meta Pixel is typically added to an organization’s website either manually or through a partner integration. Approximately one-third of U.S. hospital websites use Meta Pixel to track user activity, including in patient portals and on appointment scheduling pages.
By sending website user information to third parties, healthcare organizations may be inadvertently sharing protected health information (PHI) and subjecting themselves to liability under state and federal law. Since June 2022, more than 30 class action lawsuits have been filed against healthcare organizations asserting state statutory, contract, and tort claims based on the unauthorized sharing of PHI collected through Meta Pixel use.
Unauthorized PHI disclosure may also violate HIPAA, which may result in fines and penalties. A recent class action against a healthcare organization alleging unauthorized PHI disclosure, in part due to Meta Pixel, resulted in an $18 million settlement. Because potential exposure may be significant, proactive risk management strategies must be implemented immediately.
Risk Recommendations
- Know the law. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a bulletin to clarify a healthcare organization’s obligations under HIPAA when using tracking technologies like pixels. According to the OCR, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosure of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
- Determine if Meta Pixel is in use. If you are unsure if pixels are embedded in your website and/or patient portal, a tracking tool such as https://themarkup.org/blacklight can help check. Identify any specific forms or pages on your company websites that contain Meta Pixel.
- Remove Meta Pixel. Work with your Information Technology (IT) department to remove Meta Pixel, whether it has been hardcoded on your website or added via plugin, direct website, or partner integration.
- Reevaluate your marketing efforts. Work with your IT, Legal, Risk, and Marketing departments to determine what technology your organization uses and how it collects, uses, and retains user data. If you decide to use pixels, work with a compliance attorney to ensure that your marketing and data collection efforts are consistent with federal and state privacy laws. Work with your insurance broker or agent to reevaluate your cyber liability insurance needs.
Copyrighted. No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.