Whenever a person schedules a doctor’s appointment, the tracker called the Meta Pixel sends Facebook data — which includes details of medical conditions, prescriptions, and doctor’s appointments, The Markup reported.
Meta Pixel was also installed inside the password-protected patient portals of seven health systems.
Collectively, 33 hospitals reported more than 26 million patient admissions and outpatient visits in 2020, said the report citing the latest data from the American Hospital Association.
Even as it is prohibited under law for hospitals to share personally identifiable health information with third parties like Facebook, without an individual’s consent or any contract, health data security experts said that the hospitals may have violated the federal Health Insurance Portability and Accountability Act (HIPAA).
“I am deeply troubled by what (the hospitals) are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the US Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, was quoted as saying.
“I cannot say (sharing this data) is for certain a HIPAA violation. It is quite likely a HIPAA violation,” he added.
While Facebook itself is not subject to HIPAA, the experts said it is concerning how the tech giant might use the personal health data for profit.
“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space. I think this is creepy, problematic, and potentially illegal on the hospitals’ part,” Nicholson Price, law professor at the University of Michigan, was quoted as saying.
After reviewing the findings, several hospitals removed pixels from their appointment booking pages and from patient portals, the report said.
“If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems,” said Meta spokesperson Dale Hogan in an emailed statement.