- June 28, 2022
- Posted by: Andrew Zellers
- Category: Legal & Compliance
On June 16, 2022, The Markup released a study about Facebook’s Meta Pixel tracking code receiving health information from hospitals. In this article, we will break down the key points of this study and discuss data collection.
Summary and Key Facts
Of Newsweek’s top 100 hospitals in the United States, 33 featured Facebook’s Meta Pixel, a tracking code that logs user behavior. In this case, the Pixel was tracking information about appointment creation.
Different websites collected different information. Some of the data points tracked by the Pixel include:
- Doctor’s name
- Search terms used to find the website
- Selected health conditions
- Patient names
- Allergic reaction responses
- Upcoming appointment details
Because Facebook hasn’t signed a Business Associate Agreement (BAA) for any of the hospitals using the Meta Pixel, HIPAA doesn’t consider them a business associate. This means that HIPAA regulations and penalties cannot apply to them.
HIPAA can, however, apply to the hospitals that included the Pixel. Since The Markup reached out to these covered entities, the reactions of the healthcare professionals have been split.
Some of these covered entities have removed the Pixel from their website to avoid possible HIPAA violations, but not all. When determining HIPAA penalties, however, the organization’s response to a violation impacts the severity.
Even though HIPAA doesn’t apply to this situation for Facebook, other regulations do. They’re currently facing a lawsuit alleging federal and state law violations for breaching their duty of good faith and fair dealing.
Facebook is reportedly working on a system that automatically filters out sensitive information like health details. Once this is functional, it will hopefully prevent similar situations in the future.
What is the Meta Pixel?
The Meta Pixel is Facebook’s most prolific tracking code, a powerful tool that helps companies make sure their ads reach the right people. In fact, more than 30% of heavily-trafficked websites feature this specific tracker.
Putting ads in front of people costs money, and there’s a lot of competition for the space. Personalized ads not only reduce costs and improve the success rate of marketing campaigns, but they make the browsing experience feel more familiar.
Displaying ads specifically to individuals who have shown interest in a product or service is known as remarketing or retargeting. You’ve likely noticed websites like Amazon showing you things you’ve already viewed.
That’s because trackers like the Meta Pixel don’t just watch what you do, they actively log your behavior to build a unique profile. This can be harmless when the information is properly limited in scope and use.
We know that the Meta Pixel stores more than just shopping trends. As stated by Facebook, “ The Pixel will log when someone takes an action on your website… From there, you’ll be able to see the actions that your customers take.”
Unfortunately, Facebook has a history of pushing the limits of ethical data mining. In 2018, Mark Zuckerberg appeared before Congress and faced extensive questioning regarding Facebook’s data practices and the extent to which the Pixel appears on the internet.
One of the major points of controversy Facebook continues to face is the collection of data without the user’s consent.
Data Collection and Consent
When looking at Facebook’s history with data mining, it’s important to note common complaints about their user agreement. Facebook updated its agreement following the 2018 hearings, but it spanned over 14,000 words at the time.
By signing up for the platform, users agree to see personalized ads informed by trackers like the Pixel. In exchange for free access to the platform, the company uses your data to make a profit.
This is not an unusual practice, many large tech companies share this ad-driven business model. Still, not everybody using the platform truly understands the extent of their data collection and use.
It’s not inherently dangerous or harmful for the average person to see ads that align with their interests.
It is, however, a breach of privacy to collect certain sensitive information. There’s a vast difference between knowing that someone is shopping for an air conditioner and knowing that they’re currently receiving cancer treatment.
This exact thing happened in 2016 when a patient sued Facebook for collecting such information.
The case was dismissed after Facebook cited their data agreement, which ”includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us.”
This does little for the majority of users who have never even read the data agreement, and that’s not a small population. A 2017 survey by Deloitte found that 91% of individuals polled generally don’t read terms and conditions.
Why Users Don’t Read Agreements
There are several reasons why people choose not to read the user agreements. It can be a challenging, unrewarding trudge thanks to the nature of legal writing.
Length and Legalese
One of the most challenging aspects of properly reviewing user agreements is the language used. These documents are generally written by lawyers to shield from any possible angle of legal action.
In order to accomplish this, they need to be written carefully and thoroughly. Ultimately, this makes such agreements difficult to truly understand for the average user who lacks legal experience.
With an average reading speed of 248 words per minute, a 14,000-word document would take about an hour to read with focus. With the added difficulty of these documents, true rates are likely lower.
Even if everyone could reasonably read and comprehend the entire document within an hour, there are invisible pressures that push users to skip the work.
Generally speaking, social media websites like Facebook offer entertainment on a nearly endless stream. Every user is encouraged to post, and there are currently almost 3 billion monthly active users worldwide.
This means there’s more content than any single person could ever consume. For example, there are over a billion stories, or temporary short videos, created across Facebook’s apps every single day.
This mostly guarantees that there are always new, relevant things for people to see in an instant.
Lack of Options
With the many incentives for signing up, it can be difficult to justify trudging through such a long agreement. It’s even harder when there isn’t another option.
It’s common practice for companies to only allow users who agree to the terms of service to access their platforms. This helps ensure that the platform won’t be misused, informs the user of their rights, and fulfills legal obligations to prevent easily avoidable lawsuits.
If someone absolutely wants to use a platform, they must accept the terms. Given this non-choice, the end result is pretty much the same for a user who read the agreement and one who didn’t.
Ignoring Informed Data Collection Consent
Ultimately, it’s the users’ choice whether to read the agreements or sign in good faith that the company won’t abuse the power. Regardless, the expectations should be outlined clearly and in accessible language.
With unclear language, an agreement may act as a legal shield in most scenarios, but it does little for the user. It isn’t unfair to expect such a widely used platform to ethically and responsibly manage data, but that’s not a guarantee.
While these types of users have provided uninformed consent to use their data, the tracking measures extend even beyond Facebook’s network.
The Meta Pixel doesn’t only track users who have agreed to the terms, but it also gathers information about people who don’t even have an account. This means that Facebook collects data about users without offering a chance to opt in.
What Does This Mean for Your Organization?
If you’re a healthcare provider, you’re likely aware that the Omnibus Rule required covered entities to rewrite and rerelease their Notice of Privacy Practices (NPP). This was to make sure patients’ rights were clear and written in accessible language.
That’s because informed consent is incredibly important in healthcare. Patients must authorize hospitals to disclose health information in all situations except for a few specific exceptions.
This means that inadvertently sharing certain information for marketing via the Meta Pixel could be a breach of the HIPAA Privacy Rule.
When it comes to HIPAA, it’s always better to be safe than sorry. As such, it may be a good idea to remove this tracker until the sensitive information filter is fully functional. At this time, it’s still unclear when this will happen.
How to Check if Your Website Has This Tracker
To help users determine if their tracker is functioning, Facebook released the Pixel Helper. This Google Chrome browser plugin can also be used to determine if your website features this tracker.
Remember that the Meta Pixel may not be present on every single page of your website, so be sure to check a few. It’s especially important to check pages with form fills that include health information.
If you find this tracker on a page that shouldn’t have it, it’s easy to remove. Select the option that best matches how you set up the Pixel.
Improve HIPAA Compliance Today
ChartRequest is a release of information and care coordination platform dedicated to the privacy of patients, security of PHI, and success of healthcare professionals.
With our powerful encryption and security measures, ChartRequest ensures compliance with HIPAA’s security requirements.
We have unique dashboards specialized for patients, legal and insurance professionals, and healthcare providers This helps us save all types of requestors the stress and hassle of submitting requests.
These centralized dashboards act as hubs to receive all incoming record requests. This helps healthcare professionals avoid the dangers of unintentional breaches caused by fax or other traditional methods.
By simplifying the release of information with ChartRequest, your team can save up to 2 hours per request. Reducing your team’s administrative burden will help reduce the burnout rate and improve staff retention.
To save administrative time and simplify HIPAA compliance throughout the release of medical, billing, and imaging records, create your account today.