Curbside Consult with Dr. Jayne 6/20/22
I get my news from HIStalk just like everyone else, so I was very interested to read about US hospitals sending patient information to Facebook. Involved websites include a third of those listed as Newsweek’s “Top 100 US Hospitals.” Using the Meta Pixel tracker, Facebook is receiving the IP address of patients who scheduled appointments online, as well as the physician’s name and the search term used to locate them. Investigative reporters also found that multiple high-profile hospitals have installed the tracker on their respective patient portals.
Of course, the major concern is that these organizations may have violated HIPAA by sharing patient health information with a third party without obtaining appropriate consent. During the investigation, one of the scenarios used was as follows. On the website of University Hospitals Cleveland Medical Center, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term used to find her: “pregnancy termination.”
The data being sent from within hospital patient portals is even more concerning. The Pixel Hunt project is a crowd-sourced effort to locate places where the Meta Pixel tracker is installed. Five real patient participants in the project had sensitive data sent, including names of medications, allergic reactions, and details about pending medical visits. The hospitals in question denied having contracts in place that would have permitted the release of this data, and investigators found no evidence that the hospitals were appropriately obtaining patient consent. Multiple organizations have since removed the tracker from their websites and patient portals, but the fact that it was there in the first place is highly concerning.
It’s unclear what Facebook has been doing with the data, and whether it’s using it for marketing or other for-profit purposes. As a patient, I find it horrifying that a health system would willingly put this kind of tracker on a patient-facing site and would want to understand why they would do that. The short answer is that those who do install it have access to analytics about ads they may have placed on Facebook and Instagram as well as access to additional marketing tools. In my opinion, neither of those reasons is enough to justify why my personal information should be sent outside of the healthcare organization. Even worse, the article notes that “if a patient is logged into Facebook when they visit a hospital’s website where a Meta Pixel is installed, some browsers will attach third-party cookies – another tracking mechanism – that allow Meta to link pixel data to specific Facebook accounts.”
As a physician who was previously employed by a health system, I know how much health systems profit from the labors of the clinicians who work under their banner. Data from 2016, which is the most recent year I could find, shows that primary care physicians generate $1.4 million in revenue each year. Some specialists, such as cardiologists and orthopedic surgeons, can generate $2.4 to $2.7 million annually. We’ve come to terms with our participation in that equation, but I doubt that physicians think favorably about health systems profiting from confidential patient information that we have worked hard to protect.
Putting on my clinical informaticist hat, the IP address is one of the 18 HIPAA identifiers that are considered personally identifiable information. I remember memorizing these for my last clinical informatics board exam because there were several questions on the topic on practice tests. When you take a piece of personally identifiable information and combine it with clinical data, it is considered Protected Health Information. When investigators were on the Scripps Memorial Hospital physician website, clicking the “Finish Booking” button sent Facebook the physician’s name and specialty as well as the patient’s full name, email address, telephone number, city, and ZIP code. The hospital removed the Meta Pixel from the final stages of the appointment scheduling flow after it was made aware of the investigators’ findings. The article contains a host of other examples of private information elements that were shared, including patient comments about their medications and information on sexual orientation.
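For an organization that wants to verify whether its own patient-facing pages carry the tracker described above, and what a pixel beacon actually sends (the custom-data and user-data parameters that can hold the identifiers listed here), the following is an added audit helper written for this column, not code from the investigation or from Meta. The HTML snippet, the hostname hospital.example, the all-zero pixel id and the beacon URL are constructed samples; the parameter names follow the public Meta Pixel snippet and beacon format.

```javascript
// Added example: flag the Meta Pixel on a page and audit a captured beacon URL
// for fields that would carry HIPAA identifiers off a patient-facing site.
const PIXEL_SCRIPT = /connect\.facebook\.net\/[A-Za-z_]+\/fbevents\.js/;
const PIXEL_INIT = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/;

// Returns null when no pixel markers are present; otherwise reports whether the
// fbevents.js loader is referenced and which pixel id fbq('init', ...) uses.
function findMetaPixel(html) {
  const hasScript = PIXEL_SCRIPT.test(html);
  const init = html.match(PIXEL_INIT);
  if (!hasScript && !init) return null;
  return { scriptLoaded: hasScript, pixelId: init ? init[1] : null };
}

// Short parameter names used by the pixel's advanced-matching user data (ud[...])
// plus plain names a site might put in custom data; all map to direct identifiers.
const IDENTIFIER_KEYS = ['fn', 'ln', 'em', 'ph', 'ct', 'zp', 'name', 'email', 'phone', 'zip'];

// Parses a beacon to https://www.facebook.com/tr/ and returns the event name plus
// every custom-data (cd[...]) parameter and every identifier-looking parameter.
function auditBeacon(url) {
  const u = new URL(url);
  if (!/(^|\.)facebook\.com$/.test(u.hostname) || !u.pathname.startsWith('/tr')) return null;
  const findings = [];
  for (const [key, value] of u.searchParams) {
    const m = key.match(/^(?:cd|ud)\[(.+)\]$/);
    const inner = m ? m[1] : key;
    if (key.startsWith('cd[') || IDENTIFIER_KEYS.includes(inner)) findings.push({ key, value });
  }
  return { pixelId: u.searchParams.get('id'), event: u.searchParams.get('ev'), findings };
}

// Constructed sample page: the standard snippet shape with a placeholder pixel id.
const SAMPLE_HTML = `<script>
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script><script src="https://connect.facebook.net/en_US/fbevents.js"></script>`;

// Constructed sample beacon: a "Schedule" event carrying button text, the doctor's
// name and a (placeholder) hashed e-mail, the kind of payload the article describes.
const SAMPLE_BEACON = 'https://www.facebook.com/tr/?id=000000000000000&ev=Schedule'
  + '&dl=https%3A%2F%2Fhospital.example%2Fdoctors%2Fexample'
  + '&cd[button]=Schedule%20Online&cd[doctor]=Dr.%20Example&ud[em]=hashed-email-placeholder';

console.log(findMetaPixel(SAMPLE_HTML));
console.log(auditBeacon(SAMPLE_BEACON));
```

Run it against a saved copy of a portal page and the request URLs from the browser's network log; any non-null result on a page reached after login is the finding the article's hospitals later had to remediate.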
For every patient who has been told they can’t have a copy of their own records, or who has difficulty sending records to a consulting physician due to an organization’s misapplication of HIPAA, this is particularly offensive. Glenn Cohen, faculty director of Harvard Law School’s Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics, notes, “Almost any patient would be shocked to find out that Facebook is being provided an easy way to associate their prescriptions with their name… Even if perhaps there’s something in the legal architecture that permits this to be lawful, it’s totally outside the expectations of what patients think the health privacy laws are doing for them.” I’ve been privy to dozens of complex legal agreements over the years as well as numerous health systems’ Terms of Use documents for their websites and Conditions of Care documents that they make patients sign. I could see someone nesting language in those documents that might permit a number of things that, if spelled out, would make patients cringe.
Of course, that assumes that the health system knows what they’re doing and deliberately includes that provision. Maybe we need a law that requires language around data sharing to be in 14-point font at a sixth-grade reading level so that patients can understand, or that requires organizations to present this information in line-item veto format for patients to better identify their wishes. I don’t think the majority of patients would answer “Do you want us to share your medical information with Facebook?” in the affirmative, but then again, you never know. However, from the health system responses cited in the article, it seems that perhaps some of them didn’t fully understand the ramifications of installing the Meta Pixel tracker or what it was actually doing. Others indicated that they have confidence in Facebook’s ability to filter out patient information, and I think the majority of us would suggest that confidence is misplaced.
Since healthcare is going to an increasingly online, patient self-service model, this issue isn’t going to go away. However, I don’t see legislators or regulators dealing with it proactively since they can’t deal with other high-profile issues that dramatically impact our population. I’d love to see a flurry of complaints filed for HIPAA violations and watch Facebook burn money trying to defend itself. Needless to say, it will be a while before we see how this plays out.
If there’s anything that shows how slow the wheels of justice grind, it’s the marking of the Juneteenth holiday, which commemorates the day in 1865 when Major General Gordon Granger delivered the Emancipation Proclamation to enslaved people in Texas – more than two years after it was issued. This is the first year I’m working for an organization that observes the day and it’s a good opportunity to reflect on ways that we can do better as we work to care for all people.
What do you think about the Meta Pixel tracker and its use by healthcare organizations? Leave a comment or email me.
I admit I have never used the “most popular ever” healthcare portal. Luckily I am relatively healthy; maybe I’d feel differently if I had to manage a complex illness. I have come up through this field from the days of healthcare IT meaning “billing” and maybe some lab results. As soon as my clinical information became electronic, and knowing what I know from the inside (who sees the data, who manages the data, who “fixes” the data, who studies the data, who has access to the data…), I am wary. I’ve seen how “anonymized” patient data is consumed for profit by industry. How claims data is used for profit. So my mind sees all this data being flung around, and it only takes a greedy or incompetent company to misuse it. My refusal to use the HC portal (for me or kids) has been vindicated.