Meta, HIPAA, and New Accusations of Privacy Violations
On Aug. 10, 2022, it was announced that Meta Platforms Inc., formerly known as Facebook, was facing accusations of invading the personal privacy of American citizens with respect to healthcare data. More specifically, a complaint was filed in California federal court by someone simply referred to as “John Doe” that alleges as many as 664 hospital systems and healthcare facilities within the state had sent the medical data of their respective patients to Meta Platforms Inc. via the corporation’s Pixel tracking too. As described on the company’s website, “The Meta Pixel is a piece of code on your website that can help you better understand the effectiveness of your advertising and the actions people take on your site, like visiting a page or adding an item to their cart.”
While targeted advertising is by no means an illegal practice, and constitutes the way in which many companies and businesses worldwide generate much of their revenue in any given fiscal year, the manner in which these organizations obtain the personal data they use to drive targeted traffic and advertising campaigns within the U.S. has come under an additional layer of scrutiny in the wake of the overturning of the landmark court case Roe v. Wade in June of 2022. As many states around the country have already begun the process of amending legislation regarding abortion and reproductive healthcare legislation, many privacy advocates have warned that the data collection practices of major technology companies such as Meta stand to put the lives of American citizens at risk.
The Meta Pixel tool
What’s more, the accusations that were made by “John Doe” in the state of California are by no means the first of such claims to be levied against the company Meta, as another complaint filed by a “Jane Doe” in the state of California also alleges that the Pixel tool gives the company “the ability to surreptitiously gather every user interaction with the website ranging from what a user clicks on to the personal information entered on a website”, without first obtaining consent from said customers prior to collecting their personal data. Even discounting the impact of the recent overturning of Roe v. Wade, the accusations that have been made against Meta in the two complaints on behalf of citizens residing in the state of California would constitute a violation of the Health Insurance Portability and Accountability Act (HIPAA).
Under the numerous provisions of HIPAA, medical providers that operate within the U.S. are responsible for safeguarding the Protected Healthcare Information (PHI) of their many patients, as healthcare facilities around the country are often prime targets for data breaches. Moreover, businesses such as Meta that collect personal information from consumers within the U.S. also have a legal obligation to abide by the provisions of federal privacy laws such as HIPAA, among others, with regard to targeted advertising campaigns and other relevant pursuits. Nevertheless, there is a gap between the requirements that medical organizations must adhere to under HIPPA and technological advancements that have been made around the world in recent years.
For reference, HIPPA was originally passed in 1996, and the ways in which businesses can collect personal information and data from consumers have been completely revolutionized since that time. For example, smartphones and mobile devices that contain geolocation services did not exist in 1996, and the provisions of HIPPA were written largely in the context of medical providers protecting the privacy and data of medical patients, with third-party businesses receiving little consideration. For these reasons, the U.S. federal government enacted The Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, with the goal of both promoting the use of and protecting Electronic Healthcare Data (EHR), as well as the responsibilities of third parties as it pertains to protecting the privacy of healthcare patients in the U.S.
On the other hand, Meta Platforms Inc maintains that the company’s Pixel tool is not designed to send sensitive information such as medical data to the company, and goes further by stating the tool has a feature that automatically filters out such data if this sensitive information is disclosed by mistake. Despite this stance, however, dozens of other similar cases have been brought against the company in recent months alone. While the particulars of these cases will vary on a case-by-case basis, the commonality between all of them is that the Meta Pixel tool is effectively collecting personal information in a fashion that is both predatory and misleading to American consumers and businesses that utilize the tool.
Alternatively, the cases that have been levied against Meta Platforms Inc. with respect to the protection of healthcare data under HIPAA also highlight general misunderstandings concerning the scope and applicability of the law. To this point, while certain provisions of the HITECH apply to third-party organizations that may interact with healthcare professionals in some form or fashion, the law still largely pertains to healthcare professionals protecting the sensitive information of their patients. For example, if a patient has certain forms of healthcare information concerning them on their Facebook page, this information is not protected by the provisions of HIPAA. This being the case, there may have been instances where the Pixel tool was in fact collecting personal data that had already been made publicly available.
Due to the fact that the U.S. federal government has yet to pass a comprehensive federal data protection and personal privacy law such as the EU’s General Data Protection Regulation (GDPR), accusations of privacy violations such as those that have been made against Meta Platforms Inc will only continue to occur. To this end, federal lawmakers and state legislatures alike will have to consider the steps they are collectively taking to ensure that the personal information of the American people is being protected at every level, as technology companies have shown they will find ways to deliver targeted advertising to consumers by any means necessary.