Earlier this year, the results of an investigative report on the use of social media ad tracking software were released. The software, often called a pixel, is prevalent across many healthcare systems and is causing significant privacy concerns and, in many cases, litigation. This pixel – a scant few lines of computer code on a webpage – was designed to allow entities that advertise on social media sites to track clicks to see whether the targeted ads were reaching and resonating with the target audience.
These social media pixels send (or potentially are sending) significantly more information to their respective platforms than expected. While the use across the healthcare environment is varied, different reports have shown that perhaps 40% of the U.S. News top hospitals across the country were utilizing a pixel in some way on their hospital websites. In some cases, when patients clicked links to request an appointment with a provider, these pixels were sending the patient name, doctor name, doctor specialty, appointment date, appointment time, and facility name to the social media platforms. In other cases, a small number of hospitals managed to get one or more pixels installed directly on the web interface to their electronic health record, potentially exposing the entire electronic health record to social media platforms.
On the heels of this news, coupled with a similar concern over a pixel found on the Free Application for Federal Student Aid (FAFSA) earlier in 2022, the U.S. Senate has started questioning how this data is being used by these companies. The Senate is asking for information on these companies’ privacy and security practices, and what safeguards are being implemented to control the collection and use of this data. Responsive information from one of these pixel owners indicates that there are filtering tools in place to ensure that any information received is not used for targeted advertising on their platforms, but there is no clarity as to what these companies are doing with the information received by the pixel, or whether this information is retained or purged.
On December 1, 2022, the Office for Civil Rights (“OCR”) released a bulletin stating that “Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patient’s health information when using tracking technologies.” The OCR went on to say that “…disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”
This is an emerging risk for healthcare providers and one that we expect to receive great scrutiny from patients and government entities moving forward. Numerous class action lawsuits have already been filed across the country, and many healthcare systems have begun notifying patients and the OCR of the presence of pixels from numerous different social media platforms on the health system websites. Ankura will continue to monitor this story and provide updates as we gain more clarity into this privacy risk.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.