HIPAA

  • 1.  Meta "Facebook" Pixel Tracker

    Posted 07-22-2022 09:52 AM
    In June, Becker's reported that many hospitals might be violating HIPAA by installing tracking on their websites. I've done some research and discussed it with our IS and Marketing Team, and it seems the only information that is collected is an IP address. This is basically an ad tracker that monitors what ads are being clicked on by users and is used to know what search terms are generating traffic to our website. It appears that this tracker isn't applied to any of our systems that collect patient payments or manage PHI. I think the article was bold in saying that hospitals might be violating HIPAA by using these. I guess my question would be, is anyone familiar with this, and how have you assessed risk in your facility?


    Link to article:  https://www.beckershospitalreview.com/healthcare-information-technology/some-hospital-websites-are-sending-sensitive-patient-data-to-facebook-report-says.html?origin=CIOE&utm_source=CIOE&utm_medium=email&utm_content=newsletter&oly_enc_id=0551J0961923D4E

    ------------------------------
    Wendy Smith, MBA, CHC, CHPC, CPC, CPMA, CEMC
    AVP, Chief Compliance and Privacy Officer
    AnMed Health
    wendy.smith@anmedhealth.org
    ------------------------------


  • 2.  RE: Meta "Facebook" Pixel Tracker

    Posted 07-22-2022 10:04 AM
    Yes...I heard about this from a HIPAA group I belong to and the way we read this was that it looks like this:

    Patient visits website -> Patient enters info (appt related) -> Website of CE captures this info (PHI) -> Info sent to Facebook

    As mentioned in the article, though, from what I learned this happens as a pass-through, in that the PHI is getting routed as it is collected... I do agree that the lack of consent is something to consider. Looking at this dataflow, I can't see how it falls into any of the examples of when PHI can be shared without the opportunity to agree or object... so this whole setup seems to be questionable in my opinion.

    Thanks for posting!

    Frank

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    ------------------------------



  • 3.  RE: Meta "Facebook" Pixel Tracker

    Posted 07-22-2022 02:59 PM




  • 4.  RE: Meta "Facebook" Pixel Tracker

    Posted 07-25-2022 09:43 AM
    I believe there are two levels to this.

    One - when the pixel is found on hospital websites. I think the risk depends on what/how many data elements are being sent to FB. IP address by itself is less of a risk than IP address+date of appointment+doctor's name+condition. Mine may be a conservative approach but I don't believe FB has any business collecting any PHI without authorization. I also wouldn't trust their sensitive data filtering system unless there is publicly disclosed policy outlining the algorithm. If the hospital is aware of the pixel and chooses to continue having it, I would assess risk based on data elements collected, any agreement that the hospital may have with FB (if any), and the benefits of this data transfer vs. the risk of violating HIPAA. We have asked all our organizations to look for the pixel and remove it.

    Two - the presence of the pixel in the patient portal. This is more concerning to me as this is where it is safe to say the hospitals are violating HIPAA and we are possibly looking at a breach. I cannot think of any reason why this is necessary and neither can our CIO.

    Here is the link to the original Markup article and attached is a July Compliance Today article discussing the same. https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

    ------------------------------
    Shubha Lakshmanan
    Senior Director of Compliance and Privacy
    Waud Capital Partners
    ------------------------------

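As an added example (not code from this thread or from any poster), one way to implement the "look for the pixel" check recommended in the post above: it scans a page's HTML for the signatures of the standard Meta Pixel snippet (the fbevents.js loader from connect.facebook.net, fbq('init') / fbq('track') calls, and the noscript image request to facebook.com/tr) and rates the exposure the way the post does, by page type and by which events are sent. The sample page and its pixel id are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Signatures of the standard Meta Pixel snippet: it loads fbevents.js from connect.facebook.net,
# calls fbq('init', '<pixel id>') / fbq('track', ...), and falls back to an <img> hit on facebook.com/tr.
LOADER = re.compile(r"connect\.facebook\.net/[^/\"']+/fbevents\.js", re.I)
INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
TRACK = re.compile(r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([^'\"]+)['\"]")
IMG_TR = re.compile(r"facebook\.com/tr\?[^\"']*\bid=(\d+)", re.I)

class _Collector(HTMLParser):
    """Gathers inline <script> bodies plus every <script>/<img> src attribute."""
    def __init__(self):
        super().__init__()
        self.inline, self.srcs, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        self._in_script = tag == "script"
        if tag in ("script", "img") and src:
            self.srcs.append(src)
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_meta_pixel(html, sensitive_page=False):
    """Report whether the pixel is wired in and rate exposure; sensitive_page=True for portal/scheduling/payment pages."""
    p = _Collector()
    p.feed(html)
    scripts = "\n".join(p.inline)
    ids = set(INIT.findall(scripts))
    for src in p.srcs:
        ids.update(IMG_TR.findall(src))
    loader = bool(LOADER.search(scripts)) or any(LOADER.search(s) for s in p.srcs)
    events = sorted(set(TRACK.findall(scripts)))
    present = loader or bool(ids)
    if not present:
        risk = "none"
    elif sensitive_page or any(e.lower() != "pageview" for e in events):
        risk = "high"    # PHI-adjacent page, or custom events that carry form data
    else:
        risk = "review"  # public page, PageView only: assess the data elements sent
    return {"present": present, "pixel_ids": sorted(ids), "events": events, "risk": risk}

# Constructed sample: an appointment page with the standard snippet, a placeholder pixel id,
# and a custom event that would forward appointment details to Meta.
SAMPLE_APPOINTMENT_PAGE = """<html><head><script>
!function(f,b,e,v,n,t,s){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');
fbq('trackCustom', 'ScheduleAppointment', {provider: 'Dr. Example'});
</script><noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript></head><body></body></html>"""
```

Run it over saved copies of each page on the public site and the patient portal; any "high" result on a portal or scheduling page is the second case the post describes.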