.png)
Hospitals around the United States are facing litigation (and the threat thereof) for use of data capturing code embedded on their websites and patient portals. Caught in a Bermuda Triangle of regulations requiring patient access to electronic healthcare records, increasing regulatory fines for privacy violations, and the lack of knowledge regarding the impact of certain digital products and services, it’s tough to be a healthcare provider right now.
On April 12, 2023, the Office of Civil Rights (OCR) for the US Department of Health and Human Services (DHHS) announced its intent to increase privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), specifically for reproductive health. The OCR announcement follows President Biden’s Executive Order 14076, issued in July 2022, which directed DHHS to identify ways to promote access to reproductive healthcare and ensure the security and privacy of patients seeking these services.
The OCR Notice of Proposed Rulemaking seeks to modify the HIPAA Privacy rules to prohibit the use and disclosure of protected health information (PHI) “for criminal, civil, or administrative investigations or proceedings against individuals, covered entities or their business associates (collectively, “regulated entities”), or other persons for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.” Additionally, OCR recommends that all regulated entities require a written statement attesting that the use or disclosure of PHI would not be used to support the newly prohibited uses.
In seeking to add new categories of prohibited uses and disclosures of PHI, the OCR Notice specifically notes patient privacy as “the core foundation of the relationship between individuals and their health care providers.” OCR further states its desire "to maintain the balance between the interest of a state or others to regulate health and safety and protect vulnerable individuals with the goal of maintaining the privacy protections established in the Privacy Rule.”
These enhanced privacy protections will increase pressure on healthcare providers and facilities to avoid any “mishaps” involving PHI disclosures. Currently, there are lawsuits pending in Louisiana state court, the Northern and Southern Districts of California, the Southern District of New York, and North Carolina state courts over PHI misuses directly related to the use of Meta Pixel.
Meta Pixel, part of the plethora of services and tools developed by Meta Platforms, Inc. (parent of Instagram and Facebook), is a data-tracking tool that collects user inputs to produce targeted advertisements. When used on healthcare websites, especially electronic data records portals, many plaintiffs contend that Meta Pixel collects and provides patient PHI to Meta Platforms in direct violation of HIPAA absent individual patient authorization.
Best explained (in English) by the Northern District of California in In Re Meta Pixel Healthcare Litig., Case No. 22-cv-03580-WHO (N.D. Ca, 2022), Meta Pixel is a free and publicly available piece of code that Meta allows third-party website developers to install on and customize for their websites. Website developers choose which types of user actions to measure, and program the Pixel accordingly. Often, developers use Meta Pixel to determine: (1) if and when website users take certain actions on a website, and (2) generalized information about website users, which can be used for targeting advertising.
If used for healthcare providers hosting websites, the Meta Pixel will see the user logging into patient portals, then directing the login information to both Meta and the healthcare provider. Meta will also transmit the contents of the page from which the patient clicked while inside the patient portal, as well as the patients’ identity in the form of IP addresses and user identification (from the login process). As of December 2022, the North District of California noted that more than 660 HIPAA regulated entities are using Meta Pixel.
Healthcare entities are implored, both now and especially following the anticipated changes to HIPAA’s Privacy Rule, to discontinue use of Meta Pixel or similar products that could likely capture patient information.