A piece of code on several hospital websites has unknowingly transferred sensitive health information to Facebook, potentially violating the federal Health Insurance Portability and Accountability Act (HIPAA), along with other laws and regulations.

Hospitals are prohibited from sharing personally identifiable health information with third parties, without advanced consent or certain contracts. Data nonprofit The Markup found that 33 of the top U.S. hospitals listed in Newsweek may have unintentionally done this via a tracking tool called Meta Pixel.

Designed by Facebook's parent company, Meta, the coding sends data to the social media platform when a person clicks a button to schedule a doctor's appointment. The information contains an IP address, which may be able to identify a specific person or household. Data shared included the doctor's name and the search terms and conditions entered for the appointment, reported The Markup. No evidence showed that the providers or Meta had advanced patient consent or contracts to share this information.

“I cannot say [sharing this data] is, for certain, a HIPAA violation. It is quite likely,” David Holtzman, a health privacy consultant, told The Markup.

Several hospitals have since removed the tool, including Novant Health, Duke Health and WakeMed. A federal class action lawsuit was filed on behalf of millions of patients on June 17 in San Francisco, accusing Meta of violating the Electronic Communications Privacy Act by “intentionally intercepting” user data, according to The Charlotte Observer.

Some health systems also installed it inside password-protected patient portals, leading to disclosures of medications, allergies and doctor appointment details. In some cases, the tool linked pixel data directly to specific Facebook accounts.

Meta Pixel logs page visits, payment adding information, registration form completion, and buttons users click. Because its investigation was limited to 100 providers, The Markup says the amount of data shared is likely greater and affects more patients and institutions. It could not determine if Facebook profited from the data or confirm if any of it was removed before being stored by Meta.

While the tool encrypts personal details before sending, it does not prevent Facebook from using the information. Meta spokesperson Dale Hogan said in some cases, businesses may “in error” send potentially sensitive data with Meta Business Tools, but that this information “will be removed before it can be stored in our ads systems.”

While Facebook does have a health data filtering system, it was not launched until years after companies began using Meta Pixel, according to The Markup.

Health IT Homepage