In response to a number of lawsuits alleging that its Meta Pixel tracking tool violates HIPAA, Meta has claimed that the hospitals that use the tool are the liable parties, not Meta.
What is the Meta Pixel?
The Meta Pixel is a piece of JavaScript code that can be used by website owners to track user activity, such as what pages they visit and what buttons they click. The code can also collect information about the user's device, such as their IP address and browser type.
What happened
In June 2022, a report by The Markup found that the Meta Pixel was being used on the websites of hundreds of hospitals across the United States. The report found that the code was collecting patient data, including their names, medical conditions, and appointment dates. The report also found that the data was being sent to Facebook, even though hospitals are not allowed to share patient data with third-party companies without their consent.
The report sparked several lawsuits against Meta, including one filed by the American Civil Liberties Union (ACLU). The ACLU lawsuit alleges that Meta's use of the Meta Pixel violates the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of patient health information.
Meta has defended its use of the Meta Pixel, saying that it is used to help hospitals track the effectiveness of their marketing campaigns. The company has also said that it has taken steps to protect patient privacy, such as encrypting the data that is collected and only allowing hospitals to collect data that is necessary for marketing purposes.
However, the lawsuits against Meta continue, and it is unclear how the company will be able to resolve the matter. The scandal has raised concerns about the privacy of patient data, and it has also put pressure on Meta to change its privacy practices.
Meta's response
In response to the lawsuits, Meta has claimed that the hospitals that use the Meta Pixel are the liable parties, not Meta. Meta has argued that the hospitals are the ones who are responsible for obtaining patient consent before sharing their data with third-party companies. Meta has also argued that the hospitals are the ones who are responsible for ensuring that their websites are HIPAA compliant.
In a motion to dismiss filed Monday, May 8, 2023, Meta stated, "While Meta provides instructions on how to install the Pixel, developers decide whether, how, where, and when to use it. To use the Pixel, developers must agree not to 'share Business Tool Data . . . that [they] know or reasonably should know... includes health, financial information or other categories of sensitive information (including any information defined as sensitive under applicable laws, regulations and applicable industry guidelines).'"
Meta Pixel and HIPAA regulations
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of patient health information. HIPAA sets forth requirements for covered entities, which are healthcare providers that conduct certain electronic transactions in connection with healthcare.
One of the key requirements of HIPAA is that covered entities must obtain patient consent before sharing their PHI with third-party companies. The Meta Pixel scandal raises the question of whether Meta violated HIPAA by collecting patient data from hospitals without their consent.
There is no clear answer to this question. The HIPAA Privacy Rule does not explicitly address the use of tracking technologies, such as the Meta Pixel. However, the rule does state that covered entities must take reasonable steps to protect the confidentiality of PHI.
It is possible that a court could find that Meta's use of the Meta Pixel violated HIPAA. The court would likely consider many factors, including the nature of the collected data, the steps that Meta took to protect the data, and the potential for harm to patients.
HIPAA and service providers
Even if a service provider is not a business associate, they may still be liable for ensuring that PHI is handled according to HIPAA regulations. This is because the HIPAA Privacy Rule imposes requirements on all entities with access to PHI, regardless of whether they are business associates.
For example, the Privacy Rule requires all entities with access to PHI to implement appropriate security measures to protect the information's confidentiality, integrity, and availability. The Privacy Rule also requires all entities with access to PHI to take reasonable steps to prevent the unauthorized access, use, disclosure, or destruction of the information. If a service provider is not a business associate and fails to comply with these requirements, it may be liable for HIPAA violations.
Similarly, if a covered entity fails to ensure that its PHI is only shared with business associates who have signed a BAA, it may be liable for HIPAA violations.
Related: HIPAA Compliant Email: The Definitive Guide
Potential impact of the Meta Pixel scandal on patient privacy
The Meta Pixel scandal has the potential to have a significant impact on patient privacy. The scandal has raised awareness of the issue of patient data privacy, putting pressure on healthcare providers and technology companies to take steps to protect patient data.
The scandal has also led to calls for reform of HIPAA. Some experts argue that HIPAA is outdated and does not adequately protect patient data. They say that HIPAA should be updated to include specific provisions governing the use of tracking technologies.
It is too early to say what the long-term impact of the Meta Pixel scandal will be. However, it is clear that the scandal has significantly impacted patient privacy and has led to calls for reform of HIPAA.
What's next:
The lawsuits against Meta are still pending, and how they will be resolved is unclear. However, the case has raised important questions about the privacy of patient data and the role that technology companies play in protecting that data.
The Meta Pixel scandal is a reminder of the importance of patient privacy. It is also a reminder that companies like Meta must be more careful about collecting and using personal data.
Go deeper:
Dean Levitt
