The Need for Federal Regulation of Tracking Pixels to Protect Patient Data

Nina Ordinario
Associate Editor
Loyola University Chicago School of Law, JD 2024

In June 2022, a nonprofit news site called The Markup released a report stating that hospitals using Meta Pixel may be releasing patient data to Meta Platforms, Inc. (previously Facebook, Inc.). Since this report was released, many of the hospitals identified in the report removed pixel technology from their websites. In addition, some hospitals have released public breach notices and reported potential data privacy breaches to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Most recently, on October 20, 2022, Advocate Aurora Health, a large health system located in the Midwest, released a notice publicly announcing its potential pixel breach, which may affect as many as three million patients.

What is a pixel, and how can it collect patient data?

The term “pixel” refers to a piece of code that is embedded in a website. Pixels, often referred to as “tracking pixels,” are intended to be used for marketing and advertising purposes. When a person uses a website, the pixel collects data on how the user interacts with the website, including the location of the user, what information the user browses, where the user clicks on the webpage, and the information the user types or selects on the webpage. Pixels are often supported by third parties, most notably Meta and Google. Once an entity employs a third party’s pixel on its website, the data from the website is directly transmitted to the third party’s servers.

Implementing third-party pixels does not cost anything, and in exchange, third parties provide entities with valuable user reports on how users interact with the entities’ websites. For this reason, many hospitals, as evidenced by The Markup report, have employed the use of pixel technology for their websites to collect information on how patients interact with their websites. Advocate Aurora Health, for example, used pixel technology on its online health record website and applications. Thus, when patients browse their online health records, pixel technology may have collected protected health information (PHI), personally identifiable information (PII), and other private data. In its notice, Advocate Aurora Health stated that the types of information that may have been leaked include the names of patients, patient medical record numbers, communications between patients and medical professionals, and the physical location of users.
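As an added example (not code from this article, from Meta, or from any hospital), the following Python script shows the kind of audit a hospital's web team could run over a page's HTML to list third-party pixel loader scripts and 1x1 image beacons and to flag pages where they sit next to a form, which is where patient-entered data such as a medical record number would be observed. The tracker host list, the placeholder pixel id and the sample portal page are constructed for illustration.

```python
"""Audit a page's HTML for third-party tracking pixels (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of third-party hosts that serve tracking pixels; a real
# audit would use the hospital's own vendor inventory.
TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com",
                 "www.googletagmanager.com", "www.google-analytics.com"}


class PixelAuditor(HTMLParser):
    """Collect script sources, 1x1 image beacons and form count from one page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.beacons, self.forms = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "img" and a.get("src"):
            # A 1x1 image whose only job is to fire a request is the classic "pixel".
            if a.get("width") == "1" and a.get("height") == "1":
                self.beacons.append(a["src"])
        elif tag == "form":
            self.forms += 1


def audit(html, first_party_host):
    """Return the third-party tracker URLs on the page and a risk rating."""
    p = PixelAuditor()
    p.feed(html)
    trackers = []
    for url in p.scripts + p.beacons:
        host = urlparse(url).hostname or first_party_host  # relative URL = first party
        if host != first_party_host and host in TRACKER_HOSTS:
            trackers.append(url)
    if not trackers:
        risk = "low"
    elif p.forms:
        risk = "high"  # tracker can observe what the user types or selects
    else:
        risk = "medium"
    return {"trackers": trackers, "has_form": p.forms > 0, "risk": risk}


# Constructed sample: a patient-portal login page that loads the Meta Pixel
# loader script and an image beacon alongside its login form.
SAMPLE = """<html><body>
<script src="/js/portal.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView" width="1" height="1">
<form action="/login"><input name="mrn"><input name="password" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "portal.example-hospital.org"))
```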

The limited reach of HIPAA

The use of pixel technology on hospital websites has created patient privacy implications and Health Insurance Portability and Accountability Act (HIPAA) concerns. Privacy breaches of patient data are HIPAA violations, and hospitals are required to report suspected breaches to the OCR. The privacy rules of HIPAA only apply to “covered entities,” which include health plans, healthcare clearinghouses, and certain healthcare providers such as hospitals. However, HIPAA extends to a third party if the covered entity has established a business associate agreement with the third party. According to HHS, a “business associate” is “a person or entity that performs certain functions or activities that involve the use or disclosure of [PHI] on behalf of, or provides services to, a covered entity.” Thus, if a third party receives PHI, then the hospital should create a business associate agreement.

Meta does not have any business associate agreements with any covered entities or hospitals. In implementing Meta Pixel, hospitals received reassurances that Meta would not receive any patient data. The Meta Terms state that PII, such as names, email addresses, and phone numbers, is used for limited purposes, and information of this nature will be “hashed,” meaning removed, prior to transmission to the Meta servers. In addition, Meta states that it utilizes a filtering mechanism to detect PII and other sensitive health-related data and prevent such information from being transmitted to the Meta servers. Because hospitals expected that Meta would not receive any PHI, hospitals did not create business associate agreements with Meta, and therefore, HIPAA does not apply to Meta.

Holding third parties accountable

Currently, there are only two laws that effectively regulate tracking pixels and data collection: the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Under the GDPR, users must consent before their data is collected. In contrast, under the CCPA, users have the option to “opt out” of having their data collected. Although these laws give users more control over their privacy and personal information, the GDPR and CCPA are not US federal laws. Consumers and patients are thus eagerly waiting for more robust privacy protection, whether through judicial interpretation of current laws or the creation of new federal laws.

On June 17, 2022, a class action was filed against Meta and several hospital defendants in the US District Court for the Northern District of California. In the claims against Meta, the plaintiffs allege that Meta violated their constitutional right to privacy and multiple California statutes. The plaintiffs have asked the court to award monetary damages and grant injunctive relief. Thus, if the plaintiffs prevail in the class action suit, Meta may have to stop its current pixel technology practices and implement better safeguards for consumer privacy.

In addition, Congress is evaluating several proposed bills that would, in effect, regulate pixel technology. For example, the proposed Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act would increase transparency around data collection by requiring companies, such as social media platforms, to tell consumers and financial regulators what data they are collecting from consumers and how the data is being used. Additionally, the proposed Deceptive Experiences to Online Users Reduction (DETOUR) Act would prohibit companies like Meta from using deceptive “dark patterns” to manipulate users into handing over their personal data. Another proposed bill is the Public Health Emergency Privacy Act, which would improve patient privacy and security relating to public health technology. If enacted, these bills would expand both consumer and patient privacy and regulate pixel technology and data collection practices.

The class action lawsuit and the proposed bills could be the start of regulating pixel technology. Although it will take some time before new laws are enacted, the call for expanding consumer privacy rights is gaining momentum.