Jefferson Health Sued for Meta Pixel Privacy Violations
Jefferson Health, a health system serving patients in the Greater Philadelphia area and South New Jersey, is facing a class action lawsuit over its use of the Meta Pixel tracking tool on its website and is alleged to have sent sensitive patient data to Meta Platforms without website users’ knowledge or consent.
Meta Pixel is a code snippet added to websites to track user interactions for marketing and advertising purposes. The tool allows advertisers to track user actions on a website after clicking an ad on Facebook or Instagram, helps them optimize their ad campaigns, and is used by website owners to improve their websites and make remarketing to individuals easier. The problem with using tracking tools such as Meta Pixel on hospital websites is the tools can collect and transmit sensitive patient data, depending on a patient’s interactions with the website.
The HHS’ Office for Civil Rights issued guidance on the use of these tools on healthcare websites which states that they violate HIPAA unless consent is obtained from patients to disclose their information or if the provider enters into a business associate agreement with the provider of the tool and the disclosure is permitted under the HIPAA Privacy Rule. The guidance essentially banned the use of these tools on healthcare providers’ websites. The legality of the guidance was challenged in court and was partially vacated, meaning healthcare providers can use the tools on unauthenticated web pages but not on authenticated web pages such as patient portals.
According to the lawsuit – Nancy Murphy and Robert Stewart v. Thomas Jefferson University Hospitals Inc. d/b/a Jefferson Health, filed in the U.S. District Court for the Eastern District of Pennsylvania, the Meta Pixel tool tracked when patients logged into the Jefferson Health patient portal, scheduled appointments, made selections using drop-down menus on web forms, and logged information entered into web forms and transferred that information to Meta. Other information transferred by the tool included the web pages visited, which may be related to certain providers, specialists, and medical conditions.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The plaintiffs allege that these tools were added to Jefferson Health’s website without their knowledge and their sensitive data was shared with Meta without their consent and was used to serve targeted ads related to medical information disclosed on the website. The husband-and-wife plaintiffs used the patient portal to discuss ways that Robert’s diabetes could be managed, and after using the site they claim they were flooded with adverts for Ozempic and other medications. The plaintiffs allege that Jefferson Health violated federal and state laws by disclosing sensitive health information without patients’ consent. Jefferson Health maintains there was no wrongdoing, and Meta Pixel was not added to its patient portal, only to its public-facing website to measure browsing traffic, optimize the website, and improve awareness of the services offered by Jefferson Health.
