Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Office of Civil Rights Issues Guidance on HIPAA Compliant Use of Meta Pixels

ABA: “A Meta Pixel is a code embedded in websites that tracks users’ online activities and sends such activities as discrete packets of user data to Meta, the parent company of Facebook. The Meta Pixel can track “users as they navigate through a website, logging which pages they visit, which buttons they click, and certain information they enter into forms.” In return for embedding the Pixel in a website, a website owner is provided with analytics about advertisement and tools to better target website visitors. Meta can couple the data provided via the Pixel with its own database of Facebook users to re-identify users, provide targeted ads based on health conditions, or to sell the data on to third-party advertisers. Meta Pixels, and cookies in general, are broadly used by many companies on a variety of websites.

The Markup Investigation Spotlights Meta Pixels Embedded in U.S. Hospital Websites – In June 2022, the use of Meta Pixels specifically in U.S. hospital websites came to the public’s attention because of the Markup’s investigative article. The Markup, a technology-focused investigative news organization, collaborated with Mozilla, a non-profit web browser organization, to launch a study of the prevalence of Meta Pixel embedded in websites and the extent to which users are quietly tracked across the internet from January to July 2022. The study, titled “Pixel Hunt,” was motivated by the organizations’ desire to fully understand the scope of the Pixel’s use and how and where the Meta Pixel is tracking web users. In addition, the Markup tested the websites of Newsweek’s top 100 hospitals in America and discovered 33 of the hospital websites contained Meta Pixel. The Markup’s investigation revealed patients’ IP address, doctor’s name, and associated medical conditions were disclosed to Meta via data packets when patients made a doctor’s appointment.

Meta Pixel was also found embedded in user-authentication webpages, which are areas of websites that can only be accessed after logging in. The Markup set up a test account on a hospital’s patient portal and found information, such as sexual orientation and medication usage, was disclosed to Meta via the Pixel. Since the Markup’s investigation, 28 of the 33 hospital websites removed the Meta Pixel from their websites. Additionally, several hospitals that used Meta Pixel reported data breaches, citing the use of the Pixel for the data breach, to the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA)…”
