In July, the independent journalism site The Markup reported that one-third of the top 100 hospitals in the United States were using tracking code supplied by Meta on their websites, and that the code, Meta Pixel, was transmitting patient information to Meta/Facebook. Several hospitals had also added the code to their password-protected patient portals.
This code was added for legitimate reasons, such as tracking users as they navigated hospital websites. The data collected and provided to healthcare providers can help them improve their websites and services. For example, if a banner is not being clicked, it may need to be moved to a more prominent location or if certain web pages are not being visited, the navigation may need to be improved.
The problem is that the tracking code may capture data that is classed as protected health information under HIPAA. For example, Meta Pixel code may capture the selections made in dropdown boxes on web forms. If those forms are used for appointment booking, the selections may reveal a medical condition. The code also typically captures identifying information, such as the visitor's IP address, and health information combined with an identifier is PHI. Importantly, third-party tracking code usually transmits the captured data to the vendor that supplies the code, not just to the hospital.
Following media reports about potential HIPAA violations, hospitals that had added the code to their websites and web applications conducted investigations and determined PHI may have been transmitted to companies such as Meta and Google. Multiple hospitals and health systems have now notified the Department of Health and Human Services (HHS) about impermissible disclosures of patient information, including Novant Health, WakeMed Health and Hospitals, Community Health Network, and Advocate Aurora Health. Several lawsuits have also been filed against healthcare providers and Meta over these impermissible disclosures.
The HHS’ Office for Civil Rights has responded and issued guidance for HIPAA-regulated entities on the use of tracking code on websites and web applications and warns that the use of this code has the potential to violate HIPAA. This applies to the Meta Pixel code, but also other commonly used third-party code, such as Google Analytics code.
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the guidance.
If third-party tracking code is used on websites, web applications, mobile apps, or elsewhere, and that code captures and transmits protected health information to a third party for a covered function (e.g. healthcare operations), that third party is classed as a business associate, so a business associate agreement (BAA) is required. A vendor that is unwilling to sign a BAA is still a business associate, and without a BAA in place any disclosure of PHI to it is impermissible under HIPAA. A BAA is still required even if the vendor says it will strip out all PHI before storing the transmitted data, because the PHI has already been disclosed at the point of transmission.
HIPAA-regulated entities must pay particular attention to the nature of the disclosure. If the disclosure is not being made for a purpose expressly permitted by the HIPAA Privacy Rule – for healthcare, payment, or healthcare operations – then the vendor is not a business associate, so HIPAA-compliant patient authorizations are required. For example, disclosures for marketing purposes are only permitted with a HIPAA-compliant authorization. Adding the relevant wording to the Notice of Privacy Practices or website terms and conditions stating that data may be transferred to a third party when using the website does not qualify as a HIPAA-compliant authorization.
When tracking code is added to authenticated webpages, such as those behind a patient portal login, it would usually have access to PHI, so a BAA or a patient authorization is required. However, adding the code to unauthenticated web pages could also violate HIPAA: patients may still be identifiable (for example by IP address), and if they visit a web page about a specific health condition or make an appointment, that information would be transmitted to the vendor, and the combination is classed as PHI.
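The guidance above assumes an organization knows which of its pages carry tracking code and which of those pages can expose PHI (form selections, authenticated portal pages, condition-specific URLs). The following is an added example, not tooling from The Markup, OCR, or any vendor, of a first-pass audit: it parses page HTML, records references to a starter list of tracker hosts and inline initialisation calls, records form field names, and rates each page. The tracker host list, the sensitive-field keywords, the sample pages, and the `hospital.example` URLs are all assumptions constructed for the example.

```python
"""Inventory third-party tracking code on web pages and flag where it can
observe PHI.  Added example; not The Markup's, OCR's, or any vendor's tooling."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Starter map of tracker script hosts to vendor names (assumption: a real
# inventory would be built from the site's own tag manager and CSP reports).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}
# Inline JavaScript calls that show a tracker being initialised in the page.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Analytics"}
# Form field names that suggest health information (assumption: tune per site).
SENSITIVE_FIELD_KEYWORDS = ("condition", "reason", "symptom", "diagnosis", "medication")


@dataclass
class PageFindings:
    url: str
    authenticated: bool
    trackers: set = field(default_factory=set)
    form_fields: list = field(default_factory=list)
    risk: str = "none"  # "none", "review" or "high"


class TrackerScanner(HTMLParser):
    """Collect tracker references and form field names from one page."""

    def __init__(self):
        super().__init__()
        self.trackers = set()
        self.form_fields = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag in ("script", "img", "iframe") and src:
            host = (urlparse(src).hostname or "").lower()
            if host in TRACKER_HOSTS:
                self.trackers.add(TRACKER_HOSTS[host])
        if tag == "script":
            self._in_script = True
        if tag in ("select", "input", "textarea") and a.get("name"):
            self.form_fields.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            for marker, vendor in INLINE_MARKERS.items():
                if marker in data:
                    self.trackers.add(vendor)


def scan_page(url, html, authenticated):
    """Scan one page and rate it: no trackers -> none; a tracker on an
    authenticated page or beside a health-related form field -> high;
    a tracker elsewhere -> review (the URL plus IP may still reveal a condition)."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    f = PageFindings(url, authenticated, scanner.trackers, scanner.form_fields)
    sensitive_form = any(k in name.lower() for name in f.form_fields
                         for k in SENSITIVE_FIELD_KEYWORDS)
    if not f.trackers:
        f.risk = "none"
    elif authenticated or sensitive_form:
        f.risk = "high"  # tracker can see PHI: BAA or authorization needed
    else:
        f.risk = "review"
    return f


def audit(pages):
    """pages: iterable of (url, html, authenticated) tuples."""
    return [scan_page(url, html, auth) for url, html, auth in pages]


# Constructed sample pages (assumption: not taken from any real hospital site).
SAMPLE_PAGES = [
    ("https://hospital.example/", """<html><head>
        <script async src="https://www.google-analytics.com/analytics.js"></script>
        </head><body><h1>Welcome</h1></body></html>""", False),
    ("https://hospital.example/appointments", """<html><head>
        <script>fbq('init', 'PIXEL_ID'); fbq('track', 'PageView');</script>
        </head><body><form action="/book" method="post">
        <select name="reason_for_visit"><option>Oncology</option></select>
        <input name="email"></form></body></html>""", False),
    ("https://hospital.example/portal/messages", """<html><body>
        <img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView">
        <p>Your messages</p></body></html>""", True),
    ("https://hospital.example/about", "<html><body><p>About us</p></body></html>", False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        print(f"{f.risk:6} {f.url} trackers={sorted(f.trackers)} fields={f.form_fields}")
```

A "review" result is not a clean bill of health: per the guidance, a tracker on an unauthenticated page about a specific condition can still transmit PHI, so those pages need a human decision about whether the vendor needs a BAA, the page needs an authorization flow, or the tracker should be removed.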
OCR also confirmed that the Breach Notification Rule applies. If a HIPAA-regulated entity discovers that the use of tracking technology has resulted in an impermissible disclosure, the affected individuals must be notified, the Secretary of HHS must be notified (via the OCR breach reporting tool), and, for breaches affecting 500 or more individuals, the media must be notified as well.