Sunday, July 23, 2023

Online Tracking Technologies

In a previous “Hospital Websites and Meta Pixel” post, I discussed how the Meta Pixel tracker was found on many hospital websites, including appointment scheduling pages and password-protected patient portals. This could result in Meta (the parent company of Facebook) obtaining protected health information (PHI) which would violate the law, namely the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

A few days ago, the Office for Civil Rights (OCR, a federal agency under the U.S. Department of Health and Human Services) and the Federal Trade Commission (FTC) issued a press release to warn hospital systems that “the use of online tracking technologies that may be integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties.”

The press release also links to a joint letter that was sent to approximately 130 hospital systems and telehealth providers, intended to emphasize the potential risks around the use of online tracking technologies. The letter specifically names Meta/Facebook Pixel and Google Analytics as examples of online trackers that can “gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users.”
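As an added illustration (not part of the original post, and not code from OCR, the FTC or any tracker vendor), the following Python script inventories a page's HTML for the two trackers the letter names, so a privacy or security team can find which pages carry them before asking what those pages transmit. The sample pages, pixel ID and measurement ID are constructed; the hostnames are the real loader and beacon hosts, but the hostname-to-tracker labelling is our own assumption.

```python
"""Audit a page's HTML for Meta Pixel and Google Analytics loaders.

Added example, not the blog's own code. Scans <script>/<img>/<iframe>
sources and inline JavaScript for the trackers named in the OCR/FTC letter.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party hosts whose scripts and beacons belong to the named trackers.
# The hosts are real; mapping them to a tracker name is our own labelling.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",            # fbevents.js loader
    "www.facebook.com": "Meta Pixel",                # /tr image beacon
    "www.google-analytics.com": "Google Analytics",  # analytics.js / collect
    "www.googletagmanager.com": "Google Analytics",  # gtag.js (GA4) and GTM containers
}

# Inline JavaScript fingerprints of the same trackers' initialisation calls.
INLINE_PATTERNS = {
    "Meta Pixel": re.compile(r"\bfbq\s*\(\s*['\"](?:init|track)"),
    "Google Analytics": re.compile(r"\bgtag\s*\(\s*['\"]config|\bga\s*\(\s*['\"]create"),
}


class TrackerScanner(HTMLParser):
    """Collects (tracker, evidence) pairs while parsing one page."""

    def __init__(self):
        super().__init__()
        self.findings = set()
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._in_script = True
            self._script_text = []
        if src and tag in ("script", "img", "iframe"):
            # urlparse handles absolute and protocol-relative (//host/path) URLs;
            # same-origin relative paths have no hostname and are ignored.
            host = urlparse(src).hostname
            if host in TRACKER_HOSTS:
                self.findings.add((TRACKER_HOSTS[host], f"<{tag} src> -> {host}"))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script = False
        body = "".join(self._script_text)
        for tracker, pattern in INLINE_PATTERNS.items():
            if pattern.search(body):
                self.findings.add((tracker, "inline initialisation call"))
        for host, tracker in TRACKER_HOSTS.items():
            # The standard Pixel snippet embeds the loader URL as a string literal.
            if host in body:
                self.findings.add((tracker, f"inline loader -> {host}"))


def scan_html(html: str):
    """Return sorted (tracker, evidence) findings for one page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)


def trackers_present(html: str):
    """Return just the set of tracker names found on the page."""
    return {tracker for tracker, _ in scan_html(html)}


# Constructed sample: an appointment page carrying both trackers. The pixel ID
# (000000000000000) and measurement ID (G-XXXXXXX) are placeholders.
SAMPLE_PORTAL_PAGE = """<html><head>
<script>
(function(d,s){var t=d.createElement(s);t.async=1;
t.src='https://connect.facebook.net/en_US/fbevents.js';d.head.appendChild(t)})(document,'script');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXXXXX');</script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Schedule an appointment</h1>
</body></html>"""

# Constructed sample: the same page with only first-party scripts.
SAMPLE_CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Schedule an appointment</h1></body></html>"""


if __name__ == "__main__":
    for label, page in (("portal", SAMPLE_PORTAL_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(f"{label}: {scan_html(page) or 'no third-party trackers found'}")
```

Run it against the saved HTML of each page in an inventory (appointment scheduling, patient portal, symptom checker) and treat any hit on an authenticated or clinical page as a finding to review, since the scan only shows that a loader is present; what it sends (URL paths, form values, identifiers) has to be checked in the browser's network trace.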

Although the letter mentioned no enforcement activity, it concluded by recommending the following: “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

In December 2022, the OCR had issued guidance for the use of online tracking technologies and specifically mentioned that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

It is clear that healthcare provider organizations have been put on notice about patient privacy and security requirements under HIPAA law. It will be interesting to see if there are any officially documented violations that result in enforcement action.