One-third of Healthcare Websites Still Use Meta Pixel Tracking Code
A recent analysis of healthcare websites by Lokker found widespread use of Meta Pixel tracking code. 33% of the analyzed healthcare websites still use Meta pixel tracking code, despite the risk of lawsuits, data breaches, and fines for non-compliance with the HIPAA Rules.
Website Tracking Technologies in Healthcare
A study conducted in 2021 that looked at the websites of 3,747 U.S. hospitals found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties, and an analysis in 2022 of the websites of the top 100 hospitals in the United States by The Markup/STAT revealed one-third of those hospitals used tracking technologies on their websites that transferred visitor data, including protected health information (PHI), to third parties.
In December 2022, the HHS’ Office for Civil Rights issued guidance to HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that these technologies violate HIPAA unless there is a business associate agreement (BAA) in place with the provider of the code or authorizations are obtained from patients. OCR and the Federal Trade Commission wrote to almost 130 healthcare organizations in July 2023 warning them about the compliance risks of using tracking technologies, after these tools were discovered on their websites. In March 2024, OCR updated its guidance – believed to be in response to a legal challenge by the American Hospital Association – however, OCR’s view that a BAA or authorizations are required has not changed.
Several hospitals and health systems have reported the use of these tracking technologies to OCR as data breaches, and many lawsuits have been filed against hospitals over the use of these tools, some of which have resulted in large settlements. For example, Novant Health agreed to pay $6.6 million to settle a lawsuit filed by patients who had their PHI transferred to third parties due to the use of these tracking tools. The FTC is also actively enforcing the FTC Act with respect to trackers, with BetterHelp having to pay $7.8 million to consumers as refunds for disclosing sensitive health data without consent. States have also taken action over the use of Meta pixel and other website trackers, with New York Presbyterian Hospital settling a Pixel-related HIPAA violation case with the New York Attorney General for $300,000.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Lokker’s 2024 Study of Website Tracking Technologies
Lokker, a provider of online data privacy and compliance solutions, conducted a study of 3,419 websites across four industries (healthcare, technology, financial services, and retail), that explored three critical areas of risk.
- Unauthorized consumer data collection through third-party trackers, tags, and pixels.
- How privacy tools are often failing to meet the requirements of emerging laws.
- The escalating complexities of protecting consumers’ data privacy.
The study looked at the threat of data brokers sharing consumer data with foreign adversaries. Across all industries, 12% of websites had the TikTok pixel, including 4% of healthcare companies. While the privacy risks associated with this pixel are lower than other tracking technologies, the information collected by TikTok pixel may be transferred to China. 2% of websites, including 0.55% of healthcare websites, were found to use pixels and other web trackers that originated in China, Russia, or Iran. Data transfers to foreign nations are a major concern for the U.S. government. In February this year, President Biden signed an Executive Order to prevent the sharing of Americans’ data with foreign countries.
Alarmingly, given the considerable media coverage, HIPAA guidance, regulatory fines, and lawsuits associated with website tracking technologies, 33% of healthcare organizations were still using Meta pixel on their websites. Lokker found an average of 16 trackers and a maximum of 93 trackers on healthcare websites. The most common trackers used by healthcare organizations were from Google (googletagmanager.com, doubleclick.net, google-analytics.com, google.com, googleapis.com, youtube.com), Meta (facebook.com, facebook.net), ICDN (icdn.com), and Microsoft (linkedin.com). There appears to be confusion about obtaining consent from website visitors about the collection of their data through tracking technologies such as pixels and cookies. According to OCR guidance, the use of a banner on a website advising visitors about the use of tracking technologies does not constitute a valid HIPAA authorization. These consent banners were identified on the websites of 59% of healthcare organizations.
These consent banners often do not function as intended, as 98.5% of websites load cookies on page load, with Lokker reporting that, on average, 33 cookies are loaded before consent banners appear, and these banners often misclassify or overlook cookies and trackers. Lokker also found that technologies such as browser fingerprinting are often excluded from consent tools, and the rapidly evolving web means tracker changes may go unnoticed by consent tools, resulting in users unwittingly consenting to undesired data collection.
In addition to compliance risks related to HIPAA, there is also a risk of Video Privacy Protection Act (VPPA) violations. 3% of healthcare companies had Meta pixel or other social media trackers on pages containing video players, putting them at risk of VPPA lawsuits. In 2023, more than 80 lawsuits were filed alleging VPPA violations due Meta pixel being used to gather and disseminate video viewing data from websites without user consent, some of which have led to multi-million-dollar settlements.
“LOKKER’s research sheds light on critical issues that businesses often underestimate. Unauthorized data collection through third-party trackers and related technologies is far more pervasive than most people realize. We all build websites with third-party tools, and they use other third-party tools, and so on. Many of these are essential and necessary. However, this web of interconnected technologies produces dozens to hundreds of URLs collecting data on a single webpage and is the engine that powers the data broker market,” said Ian Cohen, founder and CEO of LOKKER. “Moreover, data collection on websites and ad tech happens in real time; existing privacy tools are not real-time, and therefore not getting the job done. As a result, we’re seeing a dramatic increase in privacy violations, lawsuits, and fines.” The findings are published in Lokker’s Online Data Privacy Report March 2024.
