Photo by Amelia Holowaty Krales / The Verge
Many hospital websites have a tracking tool that sends sensitive medical information to Facebook when people schedule appointments, according to an investigation by The Markup. Experts say that the hospitals using the tool may be violating the medical privacy law the Health Insurance Portability and Accountability Act, or HIPAA.
The Markup found that 33 of the top 100 hospitals in the United States were using a tracker called the Meta Pixel on their websites. Installing the Meta Pixel gives groups access to analytics about Facebook and Instagram ads but also tracks how people are using their websites: the buttons they click, the information they put in forms, and so on.
On hospital websites, that could include sensitive health information connected to a patientās IP address. On one hospital website, clicking the scheduling button sent Facebook a doctorās name and the condition ā āAlzheimerāsā ā that the appointment was scheduled for.
In seven health systems, the Meta Pixel was installed in patient portals, which require a login and include detailed health records. The Markup found that Facebook was getting information on one patientās doctorās name and appointment time and on anotherās allergic reactions to specific medications.
Under HIPAA, hospitals arenāt allowed to share identifiable health information with third parties without patientsā consent. They can use and share anonymized data (and often do). But information linked to an IP address can classify data as identifiable health information, which has additional protections. āEven if perhaps thereās something in the legal architecture that permits this to be lawful, itās totally outside the expectations of what patients think the health privacy laws are doing for them,ā Glenn Cohen, faculty director of Harvard Law Schoolās Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics, told The Markup.
A Meta spokesperson told The Markup that Facebook has filters that detect and remove sensitive health data sent from businesses. Itās not clear if the data sent by hospital websites was or was not caught by those filters. But the filters donāt always work as described. Another investigation from The Markup found that details about people looking for information about abortion or emergency contraceptives (which is not supposed to be sent to Facebook) made its way through to the platform.
Seven hospitals removed the Meta Pixel from their websites in response to findings from The Markup, as did at least five of the hospitals with the tracker in their patient portal.