Many hospital websites carry a tracking tool that sends sensitive medical information to Facebook when people schedule appointments, according to an investigation by The Markup. Experts say that hospitals using the tool may be violating the federal medical privacy law, the Health Insurance Portability and Accountability Act (HIPAA).
The Markup found that 33 of the top 100 hospitals in the United States were using a tracker called the Meta Pixel on their websites. The Meta Pixel is a snippet of JavaScript that a site owner embeds in its pages. Installing it gives the organization analytics about its Facebook and Instagram ads, but it also records how people use the site itself: the buttons they click, the information they enter in forms, and so on, and reports that activity to Meta.
On hospital websites, that could include sensitive health information connected to a patient’s IP address. On one hospital website, clicking the scheduling button sent Facebook a doctor’s name and the condition — “Alzheimer’s” — that the appointment was scheduled for.
In seven health systems, the Meta Pixel was installed in patient portals, which require a login and include detailed health records. The Markup found that Facebook was getting information on one patient’s doctor’s name and appointment time and on another’s allergic reactions to specific medications.
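A site owner (or an auditor) can check for the tracker described above without any Facebook account, because the official Meta Pixel snippet leaves two recognizable artifacts in a page: the `connect.facebook.net/.../fbevents.js` loader with its `fbq('init', '<pixel id>')` call, and a `<noscript>` fallback image pointing at `https://www.facebook.com/tr?id=<pixel id>`. The scanner below is an added example, not The Markup's tooling or any hospital's code; it runs offline over saved HTML. The sample pages are constructed, and the path keywords used to flag appointment and portal pages as sensitive are an assumption for illustration.

```python
"""Offline scan of saved HTML pages for the Meta Pixel (added example)."""
import html
import re
from urllib.parse import parse_qs, urlparse

# Loader script and init call from the standard Meta Pixel snippet.
FBEVENTS_RE = re.compile(r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js")
FBQ_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
# <noscript> fallback image the snippet includes for browsers without JS.
NOSCRIPT_TR_RE = re.compile(r"""https://www\.facebook\.com/tr\?[^"'\s<>]+""")

# Assumed path keywords that suggest a page handles patient data.
SENSITIVE_PATH_HINTS = ("schedule", "appointment", "portal", "mychart", "login")


def find_meta_pixel(page_html: str) -> dict:
    """Return evidence of the Meta Pixel in one page's HTML."""
    text = html.unescape(page_html)  # the noscript URL usually has &amp; in it
    pixel_ids = set(FBQ_INIT_RE.findall(text))
    for url in NOSCRIPT_TR_RE.findall(text):
        pixel_ids.update(parse_qs(urlparse(url).query).get("id", []))
    loader = FBEVENTS_RE.search(text) is not None
    return {
        "loader_present": loader,
        "pixel_ids": sorted(pixel_ids),
        "present": loader or bool(pixel_ids),
    }


def scan_site(pages: dict) -> list:
    """pages maps URL path -> HTML. Returns (path, pixel_ids, sensitive) for
    every page carrying the pixel, with flagged sensitive pages listed first."""
    hits = []
    for path, page_html in pages.items():
        info = find_meta_pixel(page_html)
        if not info["present"]:
            continue
        sensitive = any(hint in path.lower() for hint in SENSITIVE_PATH_HINTS)
        hits.append((path, info["pixel_ids"], sensitive))
    hits.sort(key=lambda h: (not h[2], h[0]))
    return hits


# Constructed sample pages; the pixel ID and markup are made up for the example.
PIXEL_SNIPPET = """
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&amp;ev=PageView&amp;noscript=1"/></noscript>
"""
SAMPLE_PAGES = {
    "/": "<html><head>" + PIXEL_SNIPPET + "</head><body>Welcome</body></html>",
    "/find-a-doctor/schedule": "<html><head>" + PIXEL_SNIPPET
    + "</head><body><button>Schedule Appointment</button></body></html>",
    "/privacy": "<html><body>No trackers here</body></html>",
    # Portal page where only the noscript fallback survived a partial removal.
    "/patient-portal/login": '<html><body><noscript><img src='
    '"https://www.facebook.com/tr?id=987654321&ev=PageView&noscript=1"/>'
    "</noscript></body></html>",
}

if __name__ == "__main__":
    for path, ids, sensitive in scan_site(SAMPLE_PAGES):
        flag = "SENSITIVE" if sensitive else "ok"
        print(f"{flag:9} {path}  pixel ids: {', '.join(ids)}")
```

Static scanning only catches the pixel where it is written into the HTML; a tag manager can inject it at runtime, so a complete audit also needs a headless browser watching for requests to `www.facebook.com/tr`. The `/patient-portal/login` sample shows the case worth handling either way: the JavaScript loader has been removed but the `<noscript>` fallback still reports a page view, so checking only for `fbevents.js` would miss it.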
Under HIPAA, hospitals aren’t allowed to share identifiable health information with third parties without patients’ consent. They can use and share de-identified data (and often do). But an IP address is itself one of the identifiers HIPAA counts, so health information tied to one can qualify as identifiable health information, which carries additional protections. “Even if perhaps there’s something in the legal architecture that permits this to be lawful, it’s totally outside the expectations of what patients think the health privacy laws are doing for them,” Glenn Cohen, faculty director of Harvard Law School’s Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics, told The Markup.
A Meta spokesperson told The Markup that Facebook has filters that detect and remove sensitive health data sent from businesses. It is not clear whether the data sent by the hospital websites was caught by those filters. But the filters don’t always work as described: another investigation by The Markup found that details about people looking for information on abortion or emergency contraceptives (which are not supposed to be sent to Facebook) made their way through to the platform.
Seven hospitals removed the Meta Pixel from their websites in response to findings from The Markup, as did at least five of the hospitals with the tracker in their patient portal.