Updated September 2023 | Originally published November 2018
Class-action lawsuits fuel concerns over digital patient privacy
Hospitals, healthcare providers, and medical practices advertising on Facebook may be facing new legal worries.
Two lawsuits filed thus far in 2023 allege widespread violations of state and federal privacy laws. In a class action suit filed in the U.S. District Court for the Northern District of California in February, five anonymous Facebook users allege that five healthcare facilities allowed Facebook’s online tracking tool to integrate with the facilities’ websites.
Ultimately, the suit alleges, the integration permitted protected health information (PHI) to be shared with Meta, Facebook’s parent company, and other third parties.
A second suit filed in August in the U.S. District Court for the Western District of Washington claims that the Facebook “pixel” – a snippet of code on a business’s website that reports visitors’ actions on that site back to Facebook – essentially acts as a wiretap, capturing patient information exchanged online with doctors and other healthcare personnel.
Plaintiffs claim that when they log into their patient portal on their providers’ websites, the pixel transmits PHI to Meta. They say that Meta monetizes the information to its own financial gain in contravention of Meta’s own policies regarding use and collection of Facebook users’ data.
How Facebook user tracking works
Businesses that advertise on Facebook are offered the opportunity to use the pixel to track visitors to their websites coming from Facebook ads. The tracking yields valuable marketing data on advertising cost per visit.
Few businesses, we suspect, are aware of and fully understand the permission they implicitly grant to Facebook and its potential consequences. In our view, Facebook’s practices pose increasing and unacceptable risks to patient privacy on several counts. We believe it is time to take substantial action.
If you advertise on Facebook, you provide a link to your website and, in doing so, generally agree (knowingly or not) to let the Facebook pixel track not only your website visitors but also the actions those visitors take on the site, such as requesting an appointment online. Note that the pixel fires for every visitor to the pages on which it is installed, not only for visitors who arrived from a Facebook ad.
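As an added illustration (not code from the original article, and not Meta’s own code), the following Python script shows the two checks a practitioner would run: whether a page carries the pixel and which events it fires, and what a single pixel beacon actually transmits once it does. The sample page and the beacon are constructed; the pixel ID, the clinic domain and every value are made up, while the loader URL, the shape of the fbq() calls and the beacon parameter names (id, ev, dl, rl, cd[...], fbp) are the ones the real pixel uses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a patient-portal page with the Meta pixel installed.
# It is not taken from any real site. The loader URL, fbq() call shape and the
# <noscript> image fallback follow the pixel's standard base code; the pixel
# ID, event and content_name value are made up.
SAMPLE_HTML = """
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* standard loader body elided */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body>
<button onclick="fbq('track', 'Schedule', {content_name: 'Dr. Example - oncology consult'})">
Book appointment</button>
</body></html>
"""

# Constructed sample beacon of the kind the pixel sends to facebook.com/tr when
# the Schedule event above fires. Parameter names (id, ev, dl, rl, cd[...], fbp)
# are the ones the pixel uses; every value here is made up.
SAMPLE_BEACON = (
    "https://www.facebook.com/tr/?id=1234567890&ev=Schedule"
    "&dl=https%3A%2F%2Fclinic.example%2Fportal%2Fappointments"
    "%3Fprovider%3Doncology%26visit%3Dchemo-followup"
    "&rl=https%3A%2F%2Fclinic.example%2Fportal%2F"
    "&cd[content_name]=Dr.%20Example%20-%20oncology%20consult"
    "&fbp=fb.1.1693526400000.123456789"
)

PIXEL_LOADER = re.compile(r"connect\.facebook\.net/\S*fbevents\.js")
NOSCRIPT_IMG = re.compile(r"https://www\.facebook\.com/tr\?[^\"'\s]+")
FBQ_CALL = re.compile(
    r"fbq\(\s*'(\w+)'\s*,\s*'([^']+)'(?:\s*,\s*(\{[^}]*\}))?\s*\)"
)


def find_pixel(html):
    """Report Meta pixel usage found in a page: loader, IDs and tracked events."""
    pixel_ids, events = [], []
    for fn, arg, data in FBQ_CALL.findall(html):
        if fn == "init":
            pixel_ids.append(arg)
        elif fn in ("track", "trackCustom"):
            events.append((arg, data))  # data is '' when no parameters are passed
    return {
        "loader": bool(PIXEL_LOADER.search(html)),
        "noscript_fallback": bool(NOSCRIPT_IMG.search(html)),
        "pixel_ids": pixel_ids,
        "events": events,
    }


def decode_beacon(url):
    """Break a pixel beacon URL into the fields a privacy review cares about."""
    q = parse_qs(urlsplit(url).query)

    def first(key):
        return q.get(key, [""])[0]

    page = urlsplit(first("dl"))  # dl = full URL of the page the visitor is on
    return {
        "pixel_id": first("id"),
        "event": first("ev"),
        "page_path": page.path,
        "page_query": {k: v[0] for k, v in parse_qs(page.query).items()},
        "referrer": first("rl"),
        # fbp carries the first-party _fbp cookie the pixel sets: a per-browser ID
        "browser_id": first("fbp"),
        "custom_data": {k[3:-1]: v[0] for k, v in q.items() if k.startswith("cd[")},
    }


def sensitive_values(beacon):
    """Everything site-derived that left the site: path, query and custom data."""
    out = [beacon["page_path"]]
    out += list(beacon["page_query"].values())
    out += list(beacon["custom_data"].values())
    return [v for v in out if v]


if __name__ == "__main__":
    report = find_pixel(SAMPLE_HTML)
    print("pixel installed:", report["loader"], "ids:", report["pixel_ids"])
    for name, data in report["events"]:
        print("  event", name, data or "(no parameters)")
    beacon = decode_beacon(SAMPLE_BEACON)
    print("beacon event:", beacon["event"], "browser id:", beacon["browser_id"])
    for value in sensitive_values(beacon):
        print("  sent to Meta:", value)
```

Run against a real site’s HTML, or a beacon copied from the browser’s network panel, the second function is the quickest way to see that the pixel sends the full page URL including any query string, the visitor’s first-party _fbp identifier, and whatever parameters the event call carried, whether or not the visitor came from an ad.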
As part of our HIPAA (Health Insurance Portability and Accountability Act) compliance risk analysis, our team evaluated whether use of the Facebook pixel, and of the first-party cookie it now sets in the visitor’s browser, could constitute a breach of HIPAA rules.
Facebook ads & HIPAA
Our HIPAA concerns were reinforced by a July 20, 2023, joint letter from the U.S. Department of Health and Human Services’ Office for Civil Rights and the Federal Trade Commission warning approximately 130 hospitals, health app developers, and telehealth providers about the “serious privacy and security risks” of using online tracking technologies.
The risk of exposure does not end with Facebook. On December 22, 2022, Facebook agreed to pay $725 million to resolve a class-action lawsuit accusing the social media giant of allowing third parties to access users’ personal information. Lawyers for the plaintiffs called the proposed settlement the largest to ever be achieved in a U.S. data privacy class action.
Apart from voluntary sharing with third parties, on September 28, 2018, Facebook announced a breach in which attackers stole access tokens for roughly 50 million accounts; Facebook reset tokens on about 90 million accounts as a precaution and later revised the affected count to about 30 million.
Given the history of third-party access to Facebook user data, our conclusion is that the risks of divulging what could be considered protected health information (PHI) outweighs the pixel’s tracking benefits, and healthcare providers should not allow the Facebook pixel on their websites.
We take HIPAA seriously, in part to avoid catastrophic fines to our clients’ healthcare practices and to our own firm. The law generally requires a BAA (Business Associate Agreement) before PHI may be shared by a medical practice or by any of its business associates, such as Vanguard Communications. The BAA requires associates to secure PHI just as robustly as a healthcare provider is obligated to.
However, the complexity of the law can be challenging to interpret in specific circumstances. In order to make a determination, we sought clarity on two vital questions:
- How confident are we that Facebook is willing and able to protect sensitive information?
- How does Facebook accommodate the BAA requirement?
Facebook’s less-than-stellar security practices
The September 2018 Facebook breach involved access tokens, not passwords. A stolen token lets an adversary act as the account holder – read sensitive information, make changes to the account, and more – without ever needing the password. Changing passwords after the breach therefore had no security benefit. Facebook itself invalidated the stolen tokens, forcing the affected users to log in again; beyond that, those users could take no proactive step of their own to mitigate the damage.
Unfortunately, Facebook users and business pages can only wait to learn of any damage to their account and then respond accordingly. For our team, this means we are on alert for Facebook issues and are actively monitoring our client accounts to ensure any issue is addressed immediately. Long term, this breach greatly lowers our confidence in Facebook’s ability to protect sensitive information.
To a certain extent, the Facebook breach is not surprising. For more than a decade, Facebook’s CEO Mark Zuckerberg has been rather dismissive toward privacy concerns. We also know the majority of HIPAA enforcement actions are the result of data breaches.
Facebook breach suggests a cavalier attitude toward privacy protections
If Facebook were to offer a BAA, Facebook would bear its own risk of breach of the Facebook pixel data. This would be a great protection and benefit to healthcare practices who use Facebook advertising and the tracking pixel.
Therefore, we asked Facebook if it offered a BAA.
At our request, a Facebook representative answered this question in writing: “Unfortunately, Facebook is not HIPPA [sic] compliant nor do we have a BAA.” Our additional conversations with Facebook confirmed that they uniquely identify individuals in their activity tracking.
Further, we also noticed that Facebook specifically disallows PHI in certain circumstances. And violation of Facebook terms can result in Facebook deleting the offending organization’s Facebook page altogether.
Conclusion for healthcare: Do not use Facebook advertising tracking pixels
Because Facebook fails to satisfy either of our two vital questions, we strongly advise against healthcare practices using the Facebook pixel. Facebook does not currently provide a BAA, and its security record is inadequate.
Although there may be a tenuous argument that the Facebook pixel is HIPAA compliant, we would much rather spare ourselves and our clients the risk that the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services disagrees. OCR can levy monetary penalties well into the six and seven figures, and in our experience there is often little to no appeal or other due process offered to the accused.
Until Facebook takes the necessary steps to become HIPAA compliant, we not only advise all healthcare practices to disallow the use of the Facebook pixel, we also must respectfully decline to use the tracking pixel to manage clients’ ads, since we could be as liable to penalties as our clients.
Keeping Facebook ads HIPAA compliant
The good news is that we have managed Facebook ads long enough to feel confident in our ability to maximize cost efficiencies without the pixel. In the end, some loss of targeting precision is a small price to pay for the far greater comfort of knowing patient PHI is considerably safer without it.