Saturday, June 25, 2022

Hospital Websites and Meta Pixel

Meta (the company formerly known as Facebook) is in the hot seat again, this time in conjunction with many hospitals and health systems across the country. A tracker called the Meta Pixel was discovered on many hospital websites, once again calling into question how much you can trust third parties with your sensitive information. According to an article by The Markup, 33 of Newsweek’s top 100 hospitals in the country were sending sensitive data to Facebook via Meta Pixel as of June 15, 2022. The Meta Pixel tracker was found in multiple areas of hospital websites, including appointment scheduling pages and password-protected patient portals. The information included medications, allergies, search terms for how doctors were found (e.g., “pregnancy termination”), and other data. Details of how The Markup obtained this information are provided here.

It is common knowledge to many individuals, particularly those who have watched The Social Dilemma, that Meta tracks its users’ personal information. So why is the discovery of Meta Pixel such a big deal? In healthcare, a law called the Health Insurance Portability and Accountability Act (HIPAA) prohibits “covered entities” like hospitals from sharing “protected health information” (PHI) with third parties like Meta.

A covered entity is an individual, organization, or agency that transmits personally identifiable information. It includes health care providers, health plans, and health care clearinghouses. The hospitals that were found to have Meta Pixel installed on their websites are covered entities.

PHI (a.k.a. “Individually identifiable health information” or “personally identifiable health information” or other variations) is defined as information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

In other words, HIPAA is written so that individuals and organizations who have access to patient information are expected to keep it private and use it only when necessary to deliver patient care, handle payment, or perform other permitted administrative functions. According to The Markup:

“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”

Meta Pixel has been the subject of several class action lawsuits in several states. Results have been mixed, and you can read more about them in the “Legal Implications” section of the article by The Markup. Meanwhile, as patients and as users of technology, we have to ask ourselves if we trust social media and if we trust our hospitals to safeguard our health information.
