Meta Data
While on-line privacy and security is a relatively new area for litigation, we know that such information can be collected and shared as long as it is anonymous. Studies have found, however, that when a patient communicates with a health care provider’s website that has the application on its login page, the code redirects the exact content of the patient’s communication with the provider in a way that identifies them as a patient. According to court documents, the data that the Facebook app records or sends is:
- What method the user used to communicate with the provider
- The fact that the patient logged in to the site and the page name of that login
- Whether the patient had previously been to the site for similar specific health information
- The patient’s IP address
- Cookie and browser information and identifiers
HIPAA does not consider personal names, addresses or phone numbers protected, as they are typically available from public sources. But if that information is listed along with a health condition or health care payment data, especially if it contains specifics as to treatment location or treatment location type (XYZ Cancer Center, etc.), individual authorization must be given before it can be used for marketing.
The Meta Pixel application places a small bit of JavaScript code on customer websites that works with Facebook cookies to match website visitors to their Facebook accounts (Meta’s own words), and given that the identifier is one pixel by one pixel, it is essentially invisible to the site visitor. When the user takes any action on the site, the Meta system tells the user’s computer to redirect that information to Meta as it happens, even before the provider gets the information. Meta has stated that it (plans to) remove ad targeting options that refer to ‘sensitive’ topics, but qualified that for only the Facebook platform, telling advertisers they could still use “website custom audiences and lookalikes” to “help reach people who have already engaged with a business or group’s website or products,” which, according to the suit, means people who are already engaged, such as patients.
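For a site owner who wants to check whether their own login page carries the pixel, the sketch below scans a page's HTML for the markers of Meta's publicly documented snippet: the connect.facebook.net loader, `fbq(` calls and the facebook.com/tr image request. It is an added example, not code from Meta or from the court filings; the names `audit_page`, `PixelAudit` and `host_and_path` and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers from Meta's publicly documented pixel snippet (not quoted on this page).
LOADER_HOST = "connect.facebook.net"
BEACON_HOSTS = {"facebook.com", "www.facebook.com"}

def host_and_path(src):
    try:
        url = urlparse(src)
        return url.hostname, url.path
    except ValueError:                      # malformed URL: treat as no match
        return None, ""

class PixelAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.kinds, self.login_form, self._in_script = set(), False, False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host, path = host_and_path(a.get("src", ""))
        if tag == "input" and a.get("type", "").lower() == "password":
            self.login_form = True          # page collects credentials
        elif tag == "script":
            self._in_script = True
            if host == LOADER_HOST:
                self.kinds.add("loader_src")     # <script src=".../fbevents.js">
        elif tag == "img" and host in BEACON_HOSTS and path == "/tr":
            self.kinds.add("beacon_img")         # invisible 1x1 image request
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and LOADER_HOST in data:
            self.kinds.add("inline_loader")      # inline code that injects the loader
        if self._in_script and "fbq(" in data:
            self.kinds.add("fbq_call")           # event calls such as fbq('track', ...)

def audit_page(html):
    p = PixelAudit()
    p.feed(html)
    p.close()
    return {"pixel": bool(p.kinds), "login_form": p.login_form, "kinds": sorted(p.kinds)}

# Constructed sample: a portal login page with the snippet (placeholder pixel id).
SAMPLE_LOGIN = """<form method="post"><input type="password" name="pw"></form>
<script>!function(f,b,e,v){/* loader elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js'); fbq('track', 'PageView');</script>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView"/>"""
```

A result with both `pixel` and `login_form` true marks the combination the court documents describe: the tracker present on the page where patients sign in.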
Yes, this is complicated stuff, especially given HIPAA’s ridiculously complex language and the legal limitations on who can sue for privacy violations (the government can, but you cannot unless it’s part of a class action suit). On-line data collection is also an area with few hard regulations, and it is technical enough that legislators tend to have the attitude that such regulations mean little unless there is some political capital or saber-rattling that can get some media time, deferring much of the research to ‘the kids’ on their staff. But it is a serious topic and the judge’s outrage over the sensitive data collection mentioned in these suits is interesting, if he finds that the suit has merit. Otherwise Meta will know every time you make an appointment with a doctor, visit an ER or urgent care, or get a vaccination, and that virtual folder of information that Facebook has on almost everybody will get larger every day.