In June 2022, several media outlets broke a story about hospitals using a website technology that caused patient data to be sent to Facebook known as Meta Pixel. Specifically, the investigation found that 33% of the top 100 hospitals tracked user activity tied to scheduling appointments and, because the hospitals used Meta Pixel technology on their scheduling webpage, the appointment data was sent to Facebook. Another seven hospitals had Meta Pixel tracking technology on their patient portals, which provided access to more sensitive patient information.
The articles pointed out that none of these hospitals (who are covered entities[i] under the Health Insurance Portability and Accountability Act (HIPAA)) had agreements with Meta to share protected health information (PHI) as a business associate. And even if they did, HIPAA likely would not permit the uncovered data sharing even with a business associate agreement.
This issue is not limited to Meta Pixel. Other social media platforms have similar pixel technology that can be deployed on websites to track activity. The media articles on the use of such technologies triggered class action lawsuits, data breach reports from hospitals involving massive amounts of PHI and guidance from the Department of Health and Human Services’ Office for Civil Rights (OCR) that caused confusion about the use of the most basic website analytics tools.
This article explores the “Pixel Problem” and outlines important considerations when assessing the use of tracking technologies and HIPAA compliance.
How Pixel Technology Works in Plain English
Many organizations place ads on Facebook or other social media platforms, including hospitals and healthcare organizations. These social media platforms offer analytics information on the efficacy of the ads if the organization allows the tracking technology to be deployed on its website.
Once deployed, a pixel tracker uses a script or code to collect information. Users generally are unaware of the presence of a tracker. Depending on the pixel tracking technology used, it can collect varying types of information including a user’s search terms or entered text, items selected from a drop-down list, buttons clicked or the user’s IP address.
For example, when a user is scheduling an appointment, all the information the user enters to schedule that appointment could be picked up by a tracker. In most instances, a third party, like Meta or Google, operates the tracking technology and collects the data. The third party then uses that data to assess how well the ads performed. To do so, it may cross-reference the collected data with the third party’s own data on its users such as an email address or IP address. Because of the vast amounts of data available to these third parties that operate tracking technologies, they can sometimes use very limited pieces of information to identify an individual.
How Did This Happen?
The discovery of the “pixel problem” surprised many – including some of the hospitals involved. In many cases, a hospital marketing or information technology department likely deployed the pixel technology without truly understanding how it works or without involving the privacy officer or legal counsel.
Tracking technologies can be complicated. They require an understanding of the technical nature of the program and of the laws applicable to patient data. Therefore, the privacy officer without a true understanding of the technology or a marketing or IT person who does not understand HIPAA could easily have been unable to identify the issue.
The Pixel Problem Fallout
Class action lawyers saw an opportunity and sued a number of healthcare entities. Many covered entities ended up filing breach reports with OCR after investigating and fully understanding the implications. And then, on December 1, 2022, OCR issued guidance on the use of tracking technologies.
The December 1, 2022 guidance caused agita for many HIPAA regulated entities (covered entities and business associates) because it raised more questions than it answered. OCR made clear that its guidance is limited to situations where a regulated entity is using a third party developed tracking technology. But much of the rest of the guidance was less clear.
OCR explained that pixel-gathered information is PHI if it includes individually identifiable health information such as home or email address, dates of appointments, an individual’s IP address, or medical device ID. The data need not contain treatment or billing details because it is connect to the healthcare provider through the website. But most notably, OCR stated that no existing relationship with the healthcare provider is necessary to deem the information PHI.
In other words, OCR concluded that all website visitors are potential future patients and subject to HIPAA protections if the healthcare provider collects virtually any information from the user. In my opinion, there is no support for this interpretation in existing law. Unfortunately, agencies like OCR are granted deference when interpreting their own regulations and the process for challenging an agency’s interpretation is lengthy and expensive.
OCR’s Application of its Guidance
In its guidance, OCR walks through three different scenarios. The first scenario involves using tracking technologies on user-authenticated webpages. This is straight-forward and not controversial. A user-authenticated webpage is one that requires a user to log in. Generally, using tracking technologies on these pages equals access to PHI. This is the type of tracking uncovered in the media articles.
The second scenario raises some eyebrows. OCR explains that the use of tracking technologies on unauthenticated webpages (e.g., a basic home page that does not require credentials to access or use) generally does not involve the use or disclosure of PHI. That makes sense. But the wheels come off in one of OCR’s two exceptions.
The first exception applies if the page from which a patient can log in to a patient portal is an unauthenticated webpage. Obviously, using tracking technology that collects credentials that patients use to access a patient portal is problematic.
In the second exception, OCR explains that, even if unauthenticated, using tracking technologies on a webpage that addresses specific symptoms or health conditions or permits individuals to search for doctors may grant access to PHI. The user need not have any patient relationship with the covered entity.
For example, a specialty provider that focuses on specific diseases or conditions or that allows users to search for healthcare providers would not be able to use tracking technologies at all on that page. Not even Google Analytics. This exception overshadows the common-sense general rule that data collected on unauthenticated webpages generally does not constitute PHI.
Finally, in the third scenario, OCR advises that information collected by mobile apps could be PHI and would allow the mobile app and tracking tech vendors to have access to PHI. This is not controversial either.
Implications from the Guidance
OCR’s inclusion of potential future patients in the definition of PHI and its exception regarding unauthenticated webpages creates a challenging situation for all healthcare providers with a website. First, prior to this guidance, potential future patients were never subject to protection under HIPAA.
Under this guidance, the IP address of a user who interacts with a healthcare provider’s website containing disease-specific information is PHI. A mere visit to a website does not indicate a likely patient-provider relationship. Many individuals search for information about diseases or conditions on healthcare providers’ websites with no intention of becoming a patient of that provider.
In fact, this was one area of focus in the American Hospital Association’s (AHA) May 22, 2023 letter to OCR. It argued that OCR’s interpretation would “reduce access to credible health information” available on the web. The AHA pointed to research showing that 74% of patients use search engines to start their patient journey and that healthcare providers offer an important public service by making such information available. Without it, people will be subject to misinformation on healthcare from less reliable sources.
Second, since OCR’s tracking technology guidance applies to ALL tracking technology, covered entities will need business associate agreements with basic analytics tracking technology vendors such as Google Analytics. Many if not most sites use Google Analytics to analyze web traffic (e.g., general location of users, pages visited, time spent on the site, etc.). This is data that is critical to operations as websites are a primary method of outreach to the public.
Based on the guidance, the covered entity would need a business associate agreement with Google Analytics, which is a bit extreme. Not only is it unnecessary as none of the data is PHI, but Google is not going to sign business associate agreements for the use of its analytics tool.
So, What Now?
Regulated entities should assess their sites to determine the types of third-party tracking technologies used and how they work.[ii] Given that OCR is hyper-focused on this issue, it may be best to disable any social media tracking technologies regardless of the types of information they collect. Assess the level of business need and get rid of third-party tracking technologies that do not serve an important function.
Next, be sure that the patient portal or its log-in pages contain no third-party tracking technologies. Similarly, ensure that appointment scheduling pages or any pages on which the user provides identifying information do not use tracking technologies.
For those pages where third party tracking technologies remain, assess the following:
- What data is shared with the tracking technology vendor and is sharing such data necessary?
- Is such sharing permitted under HIPAA for treatment, payment or healthcare operations? Sharing for marketing purposes or the third party’s own use are not permitted and require a patient’s written authorization.
- If HIPAA permits the disclosure to a third-party vendor as a business associate for treatment, healthcare operations or payment, is there a business associate agreement in place with the vendor?
Where third-party tracking technologies remain in use, ensure that the privacy notice on the website discloses the use of such trackers. Further, regulated entities must include the use of tracking technologies in its risk analysis, which the HIPAA Security Rule requires.
OCR has not been shy about its commitment to ensuring compliance with its tracking technology guidance. While we have not yet seen any enforcement on the subject, I assure you that it is coming. Further, I expect that any OCR electronic PHI breach investigation will involve questions about the use of tracking technologies.
Don’t wait for OCR to ask questions about your organization’s use of tracking technologies. Lack of knowledge or understanding will not be a defense.
[i] Under HIPAA, a covered entity is a healthcare provider, health plan or healthcare clearinghouse that electronically transmits protected health information.
[ii] The Markup, one of the media outlets that broke the pixel story, offers a free tool to assess the use of trackers on a website. It is a good starting point.