According to a recent study by The Markup, the websites of 33 of the 100 largest US hospitals provide medical data to Facebook. This could be a violation of the Health Insurance Portability and Accountability Act (or HIPAA).

Facebook collects health data using the Meta Pixel

According to the outlet, this tracker, called the Meta Pixel, reportedly allows sensitive information about patients’ health to be collected. The data sent to Facebook includes, in particular, details of users’ state of health, their prescriptions and details of their appointments with doctors.

These 33 hospitals send this data every time someone clicks a button to make a medical appointment. The data is linked to an IP address, which allows Facebook to identify the person and potentially send them targeted advertisements afterwards. On a hospital’s website, clicking on the appointment button would, for example, allow Facebook to receive the doctor’s name and the condition, such as “Alzheimer’s” or “asthma”, for which the appointment is scheduled.

The Markup also noticed that on 7 websites, the Meta Pixel was installed directly on the patient portal, a private part of the website that requires logging in with a password and that obviously includes the patient’s health record with particularly detailed data. In this specific case, the Meta Pixel is able to send very precise data to Facebook.

A violation of HIPAA?

In the United States, HIPAA (the Health Insurance Portability and Accountability Act) is supposed to regulate these practices and protect patients’ medical data. Under it, hospitals are not permitted to share identifiable health information with third parties without patient consent. They can use and share anonymous data (and often do). However, information linked to an IP address is considered “identifiable information” and therefore logically benefits from additional protection.

According to Glenn Cohen, faculty director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School, “While there may be a trick in the legal architecture that allows this practice to be legal, it is totally against the principle of HIPAA”.

In fact, patients are convinced that they are protected by this law, although this is probably not the case. A Meta spokesperson told The Markup that Facebook has filters that detect and remove sensitive health data sent by companies. Hard to believe.

Another investigation by The Markup revealed earlier this year that the data of people seeking information about abortion or emergency contraceptives (information that Facebook is not supposed to receive) ended up on the platform. As a result of this investigation, 7 hospitals have decided to remove the Meta Pixel from their website.
