An issue with Facebook ads calls for increased scrutiny & careful handling
Businesses that advertise on Facebook, including medical practices, are offered the opportunity to use the “Facebook pixel,” a snippet of code placed on the business’s website that reports visitors’ actions back to Facebook so they can be matched against the ads those visitors saw. Few businesses are likely aware of, and fully understand, the permission they implicitly grant by installing it and the potential consequences of doing so.
Nonetheless, in our view, Facebook’s practices are posing increasing and unacceptable risks to patient privacy on several counts. We believe it’s time for taking substantial action.
Here’s how Facebook user tracking works
If you advertise on Facebook, you provide a link to your website and, in the course of setting up ads, you generally agree (knowingly or not) to let Facebook track your website visitors with its pixel. The pixel is a small piece of JavaScript that runs in the visitor’s browser on every page where it is installed. It reports back to Facebook when a page is loaded and when the visitor takes an action you have chosen to track, such as requesting an appointment online. Note that the pixel does not fire only for visitors who arrived from your ad: it fires for everyone who loads a page carrying it, and Facebook matches those visits to ad clicks and to its own users on its side.
This lets marketers attribute customer actions directly to Facebook ads and manage the ads for greater cost efficiency. However, as part of our HIPAA (Health Insurance Portability and Accountability Act) compliance risk analysis, our team recently evaluated whether use of the Facebook pixel, and of the new first-party cookies it can set, could be considered a violation of HIPAA.
Facebook ads & HIPAA
On September 28, 2018, our HIPAA concerns were reinforced when Facebook announced a breach in which attackers stole access tokens for roughly 50 million accounts, prompting Facebook to reset the tokens of approximately 90 million accounts as a precaution.
Our conclusion is that the risks of divulging what could be considered protected health information (PHI) outweigh the pixel’s tracking benefits, and healthcare providers should not allow the Facebook pixel on their websites.
We take HIPAA seriously, in part to avoid catastrophic fines to our clients’ healthcare practices and to our own firm. The law generally requires a BAA (Business Associate Agreement) before PHI may be shared by a medical practice or by any of its business associates, such as Vanguard Communications. The BAA requires associates to secure PHI just as robustly as a healthcare provider is obligated to.
However, the complexity of the law can be challenging to interpret in specific circumstances. In order to make a determination, we sought clarity on two vital questions:
- How confident are we that Facebook is willing and able to protect sensitive information?
- How does Facebook accommodate the BAA requirement?
Facebook’s less-than-stellar security practices
The September 2018 Facebook breach involved access tokens, not passwords. A stolen token lets an adversary act as the account holder, view sensitive information, make changes to the account, and more, without ever knowing the password. Changing passwords after the breach therefore had no security benefit; the only effective remedy was to invalidate the tokens, which Facebook did by forcing the affected accounts to log in again. Beyond reviewing their active sessions in Facebook’s security settings, affected users had no proactive step available to them to mitigate the damage.
Unfortunately, Facebook users and business pages can otherwise only wait to learn of any damage to their account and then respond accordingly. For our team, this means we are on alert for Facebook issues and are actively monitoring our client accounts to ensure any issue is addressed immediately. Long term, this breach greatly lowers our confidence in Facebook’s ability to protect sensitive information.
To a certain extent, the Facebook breach is not surprising. For more than a decade, Facebook’s CEO Mark Zuckerberg has been rather dismissive toward privacy concerns. We also know the majority of HIPAA enforcement actions are the result of data breaches.
Facebook breach suggests a cavalier attitude toward privacy protections
If Facebook were to offer a BAA, Facebook would bear its own risk of breach of the Facebook pixel data. This would be a great protection and benefit to healthcare practices who use Facebook advertising and the tracking pixel.
Therefore, we asked Facebook if it offered a BAA.
At our request, a Facebook representative answered this question in writing: “Unfortunately, Facebook is not HIPPA [sic] compliant nor do we have a BAA.” Our additional conversations with Facebook confirmed that they uniquely identify individuals in their activity tracking.
Further, we also noticed that Facebook specifically disallows PHI in certain circumstances. And violation of Facebook terms can result in Facebook deleting the offending organization’s Facebook page altogether.
Conclusion for healthcare: Do not use Facebook advertising tracking pixels
Given Facebook’s failure to satisfy our two vital questions, we strongly advise against healthcare practices using the Facebook pixel. Facebook does not currently provide a BAA, and its security record is inadequate.
Although there may be a tenuous argument that the Facebook pixel is HIPAA compliant, we’d much rather spare ourselves and our clients the risk that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) disagrees. The OCR can levy monetary penalties well into the six and seven figures, and in practice the accused has limited recourse once a penalty is assessed.
Until Facebook takes the necessary steps to become HIPAA compliant, we not only advise all healthcare practices to disallow the use of the Facebook pixel, we also must respectfully decline to use the tracking pixel to manage clients’ ads, since we could be as liable to penalties as our clients.
Keeping Facebook ads HIPAA compliant
The good news is that we have managed Facebook ads long enough to feel confidence in our ability to maximize cost efficiencies without the pixel. In the end, we feel some loss of precision is a small price to pay for much greater comfort in knowing patient PHI is considerably safer without the pixel.