Is Facebook a Business Associate?

Depending on where you put its tracking pixel, it might be.

Lawsuit: Facebook Is Collecting Patient Data of ‘Millions’

Class Action Alleges Meta Pixel Code Tracks Websites, Patient Portal Interactions

A class action is alleging Facebook unlawfully collects patient data from the online portals of hundreds of medical providers without knowledge or consent.

The lawsuit, filed Friday (June 17, 2022) by an anonymous “John Doe” plaintiff in the Northern District of California, alleges Facebook knowingly receives patient data when medical centers deploy a tracking tool called Meta Pixel that’s designed to improve marketing campaigns.

Lawsuit Allegations

The Meta Pixel is a piece of code embedded into webpages. The complaint alleges that anytime a patient undertakes an online action, such as scheduling an appointment, Pixel transmits patient data – including health condition information – to Facebook.

Pixel gathers data whether or not a person is logged in to their Facebook account.

“As soon as a patient takes any action on a webpage which includes the Facebook Pixel – such as clicking a button to register, login, or logout of a patient portal or to create an appointment – Facebook’s source code commands the patient’s computing device to re-direct the content of the patient’s communication to Facebook,” the complaint alleges.

The lawsuit alleges that the data collection is done without first obtaining patient authorization, as required by federal health privacy law.

“Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook,” the lawsuit alleges.

Risks to Data Posed by Healthcare Marketing

The last thing that any healthcare organization wants is a breach involving protected health information (PHI). Meta Pixel creates risk for patients, medical centers and Facebook itself.

By holding on to sensitive health data, Facebook could put that information at risk for compromise. For patients, having sensitive data transmitted to third parties increases the risk of identity fraud, while medical centers could see the data “repackaged” for healthcare criminal purposes.

Clients and providers should have to consent. If the provider is using Facebook and there is a contractual relationship involving the creation, receipt, maintenance, and/or transmission of PHI, then a business associate agreement is needed.

The lawsuit points to an endemic problem in the healthcare industry, says regulatory attorney Paul Hales. Namely, healthcare marketing and patient engagement strategies are fashioned by advertising and marketing consultants without oversight from HIPAA compliance professionals.

“Someone familiar with patient consent requirements would not have set up a system transmitting data to a social media company without carefully assessing it first,” he says.

If the lawsuit survives motions to dismiss, “discovery in this case could be eye-opening and also embarrassing for Meta’s medical provider partners,” Hales says.

If you have questions about IT security, and the evolving threat landscape call ITPAC today.