Plaintiffs in a consolidated class action lawsuit against Meta recently sought an injunction to stop the company from collecting and transmitting data from the websites of healthcare providers through Meta Pixel tracking code.
The plaintiffs claim the use of Meta Pixel code on appointment scheduling pages and patient portals allows sensitive information, including patient communications, to be collected and monetized by Meta, which violates federal and state privacy laws. William Orrick, U.S. District Judge for the Northern District of California, has recently issued a ruling denying the injunction.
Background
In the summer, The Markup investigated the use of tracking technologies such as Meta Pixel on the websites of healthcare providers and found that 33% of the top 100 hospitals in the United States had the code on their websites, some of which had added the code to their patient portals. Meta Pixel can collect any data in HTTP headers, button click data, and form field names. That code was found to be transmitting patient information to Meta when Meta had not entered into a business associate agreement with the hospitals.
In the past few months, Novant Health, Community Health Network, Advocate Aurora Health, and WakeMed Health and Hospitals have all reported impermissible disclosures of patients’ PHI to OCR due to the use of Meta Pixel and other tracking code on their websites. Multiple lawsuits have also been filed against Meta and healthcare providers over the use of Meta Pixel code and the impermissible disclosure of the data of Facebook users, which the lawsuits claim is being used for advertising purposes without consent.
The Department of Health and Human Services’ Office for Civil Rights has recently confirmed that the use of tracking technologies on websites is not permissible under the HIPAA Privacy Rule if those technologies collect and transmit protected health information, unless the vendor of the tracking technology qualifies as a business associate and a business associate agreement is in place, or HIPAA-compliant patient authorizations are obtained.
Ruling
Meta has argued that it has a policy in place that limits the data businesses can share through Meta Pixel, and mechanisms are in place that filter out sensitive data to ensure the information is not passed on to advertisers through its ads ranking and optimization systems. Meta also claims that any injunction that requires the company to stop collecting healthcare information would be unfairly burdensome and technologically infeasible.
“The allegations against Meta are troubling: plaintiffs raise potentially strong claims on the merits and their alleged injury would be irreparable if proven,” said Judge Orrick in his ruling. “To secure a mandatory injunction, however, plaintiffs need to show ‘that the law and facts clearly favor [their] position, not simply that [they are] likely to succeed.’”
Orrick explained that Meta has provided evidence that the company is doing all it can to minimize the problems raised by the plaintiffs, and that based on the available facts it is unclear where the truth lies. Orrick said there is a need for discovery to clarify the scope of the problems and the potential solutions that can be implemented to address them. Judge Orrick said, “it is too early to find that the public interest supports a mandatory injunction.”
The post Judge Denies Injunction Banning Meta from Collecting Patient Data via Meta Pixel Code appeared first on HIPAA Journal.