A recent report by Ropes & Gray Health Care and Privacy & Cybersecurity practice highlighted the legal issues raised by online tracking technologies on appointment scheduling pages.
Beginning with a class action brought against Mass General Brigham and Dana-Farber in 2019, patients alleged that hospitals used third-party tracking technology without consent on appointment scheduling pages. Following the Mass General Brigham and Dana-Farber settlement in early 2022 for $18.4 million, The Markup published an article stating that of the top 100 Newsweek-ranked U.S. hospitals, 33 had installed the Meta Pixel on appointment scheduling pages, and six had installed the Meta Pixel on patient portals, potentially violating patient privacy. The article reported in detail how the Facebook “Meta Pixel,” when used on appointment scheduling pages, collected sensitive health data including patient name, appointment type, date/time, doctor’s name and more.
Since The Markup article was published, class action lawsuits have been filed against hospitals and health systems including Dignity Health/UC San Francisco, MedStar, Northwestern Memorial Hospital, Rush System for Health, UPMC, and Advocate Aurora Health. Both Google and Meta were named as co-defendants or as entities involved in unlawful tracking, with the majority of the online tracking done using tools from Meta, the parent company of Facebook. The lawsuits claim that online tracking was installed on hospital scheduling pages and patient portals, resulting in the transmission of sensitive patient information to third-party vendors without patient consent.
In the six months following the release of The Markup article, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) did not issue guidance on the implications of tracking technology for entities subject to HIPAA. On December 1, 2022, OCR broke its silence and issued a bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” which sets forth broad-reaching guidance for HIPAA covered entities and their business associates.
The TASBIA™ Bottom Line
In the aftermath of the sloppy use of tracking technology, governmental agencies have taken notice and begun to issue guidance.
OCR has identified three ways in which online tracking technologies may be used by regulated entities: (1) user-authenticated webpages that require a user login (for example, a patient portal); (2) unauthenticated webpages that do not require a user login (for example, a health system home page); and (3) mobile applications (“apps”).
To learn more about the legal issues raised, and about the OCR response to breaches of protected health information (“PHI”) stemming from the use of online tracking technologies, see the Ropes & Gray article “Use of Tracking Technology - Walking the Regulatory Line?”.
For additional information on the original breach, see:
- Facebook Is Receiving Sensitive Medical Information from Hospital Websites (The Markup, Jun 16, 2022)
- Hospital websites are sending medical information to Facebook (The Verge, Jun 16, 2022)
- How We Built a Meta Pixel Inspector (The Markup, Apr 28, 2022)