Latest HIPAA News

Webinar: Aug 17, 2022: Do I Need to be HIPAA Compliant?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards to protect sensitive patient health information and to prevent that information from being disclosed without an individual’s knowledge or consent. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, which are classed as HIPAA-covered entities.

There is a misconception that only HIPAA-covered entities need to ensure they are compliant with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules; however, HIPAA also applies to business associates of HIPAA-covered entities. A business associate is any third party that provides products or services to HIPAA-covered entities that involves contact with protected health information (PHI) in any form.

Achieving and maintaining HIPAA compliance is vital for all HIPAA-covered entities and business associates. The HHS’ Office for Civil Rights and state Attorneys General have the authority to impose financial penalties and other sanctions if non-compliance with the HIPAA Rules is discovered, and many organizations have discovered to their cost that compliance with the HIPAA Rules is not optional.

If you work in healthcare in any capacity, it is almost certain that you need to be HIPAA compliant. If you are in any doubt, Compliancy Group is hosting a webinar on August 17, 2022, to answer the question, do I need to be HIPAA compliant?

Do I Need to be HIPAA Compliant?

August 17th @ 2:00 pm ET ¦ 11:00 am PT

Host: Compliancy Group

[contact-form-7]

The post Webinar: Aug 17, 2022: Do I Need to be HIPAA Compliant? appeared first on HIPAA Journal.

American Data Privacy and Protection Act Establishes GDPR-like Federal Data Privacy and Protection Standards

Earlier this month, a draft bipartisan bicameral bill was introduced that seeks federal data privacy and protection regulations, which would replace the current patchwork of data privacy laws in different U.S. states.

The American Data Privacy and Protection Act (ADPPA) was introduced by Energy and Commerce Committee Chair Frank Pallone, (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Ranking Member of the Senate Committee on Commerce, Science, and Transportation, Senator Roger Wicker (R-MS), and advanced passed a subcommittee on June 23 with a unanimous vote.

In a statement, Pallone, Rodgers, Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), and Subcommittee Ranking Member Gus Bilirakis (R-FL) said the markup of the bill is “another major step in putting people back in control of their data and strengthening our nation’s privacy and data security protections.”

GDPR-Like Federal Data Privacy and Protection Regulations

“This bill will protect consumers’ data privacy, digital security, and our kids online. The bipartisan comprehensive privacy bill will provide regulatory certainty for the business community, end discriminatory use of Americans’ data, promote innovation and protect small businesses, and hold companies to high standards of data security,” said Representatives Schakowsky and Bilirakis. “Consumers across the nation have longed-for deserve strong privacy protections in the digital world that we all increasingly inhabit. This legislation provides those protections.”

The ADPPA shares many provisions with state-level data privacy and protection laws, including the California Consumer Privacy Act (CCPA), and would generally preempt state privacy laws such and, in many respects, is equivalent to the EU’s General Data Protection Regulation (GDPR).

ADPPA-covered entities are any individuals or entities that collect, process, or transfer covered data and are subject to the jurisdiction of the Federal Trade Commission (FTC), are common carriers subject to the Communications Act of 1934, or are not organized to carry on business for their own profit or that of their members. That means that in contrast to state laws such as the CCPA, the bill applies to nonprofits and many small businesses. Government entities are exempt.

The ADPPA applies to “covered data,” which is “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual and may include derived data and unique identifiers.” The ADPPA will not apply to de-identified data, employee data, and publicly available information.

Requirements of the ADPPA

ADPPA-covered entities would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect covered data against unauthorized access and acquisition. Americans will be given rights over their personal data, such as the right to access their personal data that has been collected or processed by an ADPPA-covered entity, correct any errors in the data, have the data deleted, restrict certain uses of their data, have their personal data exported in human- and machine-readable format, and will have the right to an accounting of disclosures. A time frame of 30 or 60 days would be provided for meeting those requests, depending on the size of the covered entity

The ADPPA also has provisions for “sensitive covered data,” which is defined as “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.” Affirmative express consent would be required before an ADPPA-covered entity could collect and process sensitive covered data or transfer that information to a third party.

ADPPA-covered entities will be required to minimize the data collected, limits will be placed on the transfer of precise geolocation information, browsing history, and physical activity information collected from a smartphone or wearable device, and the collection, processing, or transferring of biometric information, known nonconsensual intimate images, or genetic information would be prohibited, apart from in limited circumstances.

The bill calls for privacy by design, and required policies and procedures to be implemented related to the collection, processing, and transfer of covered data, and ADPPA -covered entities would be required to make a privacy policy public that includes a detailed and accurate representation of the entity’s data collection, processing, and transfer activities. ADPPA-covered entities would be prevented from denying a service or product, conditioning a service or product, or setting the price of a service or a product based on an individual’s agreement to waive any privacy rights.

Implications for Healthcare Organizations

The ADPPA has implications for healthcare organizations and includes several provisions from the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations that are compliant with HIPAA (or entities compliant with FERPA, the Gramm-Leach-Bliley Act, and other laws) would be seen to be compliant with the ADPPA, but only with respect to the data covered by those laws. In healthcare, the ADPPA would apply to all covered data that is not regulated by HIPAA including healthcare data collected, processed, or transferred by non-HIPAA-covered entities.

Any covered entity that fails to ensure personal data is kept private and confidential or does not allow Americans to exercise their rights under the ADPPA, will be held to account, with compliance enforced by the FDA and state attorneys general. The bill also includes a private cause of action that will allow Americans to sue over violations, although this is not due to be implemented until four years after the effective date.

This is not the first attempt at introducing a federal data privacy and protection bill and it is unclear if the bill has sufficient support in its current form.

The post American Data Privacy and Protection Act Establishes GDPR-like Federal Data Privacy and Protection Standards appeared first on HIPAA Journal.

Meta Sued over the Scraping of Patient Data from Hospital Websites

A lawsuit has been filed against Meta that alleges the social media giant has been knowingly collecting patient data from hospital websites via the Meta Pixel tracking tool, and in doing so has violated the privacy of millions of patients.

The lawsuit was filed in the U.S. Northern District of California and alleges violations of state and federal laws related to the collection of patient data without consent. Last week, a report was released by The Markup/STAT on a study on the 100 top hospitals in the United States which found that one-third used the Meta Pixel tool on their websites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor actions on websites, such as the forms they click and the options they select from dropdown menus. When the tool is included on healthcare providers’ websites, there is potential for the tool to transmit protected health information to Meta/Facebook, such as IP address, when a patient has scheduled an appointment and any information selected from menus, such as the medical condition that the appointment is about.

The study identified 7 hospital systems that had installed Meta Pixel on their patient portals behind password protection and the tool was transmitting sensitive data such as patient conditions, which could be tied to the patients through their IP addresses. The study found no evidence that Meta had entered into a business associate agreement with the hospitals, nor that consent to share patient data with Meta was obtained from patients by the hospitals and healthcare systems that used Meta Pixel.

The lawsuit was filed on behalf of patient John Doe, who is a user of Facebook and a patient of Medstar Health System in Maryland. The plaintiff said he uses the patient portal for making appointments, communicating with providers, and reviewing lab test results, and did not consent to information being shared with Meta/Facebook. Medstar Health said all patient data is secured and it does not use any Facebook/Meta technologies on its website. According to the lawsuit, at least 664 healthcare systems in the United States have added the Meta Pixel tool to their websites, which sends sensitive data to Meta.

Meta states on its website that “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” However, the lawsuit claims, “Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.” The lawsuit alleges the use of the tool on hospital websites without obtaining consent is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as the data is collected without a business associate agreement. It should be noted that Meta/Facebook is not bound by HIPAA Rules; however, the hospitals that use the tool could be in violation of HIPAA for transferring the data without consent.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act and California’s Invasion of Privacy Act and Unfair Competition Law. The lawsuit seeks class action status, compensatory and punitive damages, and attorneys’ fees.

This is not the first lawsuit to be filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018 – Smith et al v. Facebook – over the collection of browsing data from hospital websites. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs could not sue Facebook as they had agreed to Facebook’s contract terms.

A copy of the lawsuit was obtained by Reclaim the Net and is published here.

The post Meta Sued over the Scraping of Patient Data from Hospital Websites appeared first on HIPAA Journal.

May 2022 Healthcare Data Breach Report

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021.

May 2022 Healthcare Data Breaches

Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Breached healthcare records in the past 12 months (May 2022)

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but Shields said hackers accessed its network and exfiltrated files containing patient data. The breach affected 2 million patients who received medical services at 52 facilities in New England.

Partnership HealthPlan of California also reported a major data breach, in this case, a ransomware attack. Hackers gained access to systems containing the records of 854,913 current and former health plan members. The Hive ransomware gang claimed responsibility for the attack and allegedly stole 400GB of data.

The number of eye care providers affected by a hacking incident at the electronic health record vendor Eye Care Leaders continued to grow throughout May (and June). While they are not all reflected in the May data, as of June 21, at least 23 eye care providers are known to have been affected, and the data breach has affected at least 2,187,383 patients.

Data Breaches of over 10,000 Records Reported in May 2022

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Business Associate Breach Cause of Data Breach
Shields Health Care Group, Inc. MA Business Associate 2,000,000 Hacking/IT Incident Yes Hacking and data theft incident
Partnership HealthPlan of California CA Health Plan 854,913 Hacking/IT Incident No Ransomware attack
SAC Health System CA Healthcare Provider 149,940 Theft No Theft of documents in break-in at storage facility
Aon PLC IL Business Associate 119,636 Hacking/IT Incident Yes Hacking and data theft incident
Parker-Hannifin Corporation Group Health Plans OH Health Plan 119,513 Hacking/IT Incident No Hacking and data theft incident
Heidell, Pittoni, Murphy & Bach, LLP NY Business Associate 114,979 Hacking/IT Incident Yes Ransomware attack
Schneck Medical Center IN Healthcare Provider 92,311 Hacking/IT Incident No Hacking and data theft incident
Alameda Health System CA Healthcare Provider 90,000 Hacking/IT Incident No Unauthorized access to email accounts
Val Verde Regional Medical Center TX Healthcare Provider 86,562 Hacking/IT Incident No Ransomware attack
NuLife Med, LLC NH Healthcare Provider 81,244 Hacking/IT Incident No Hacking and data theft incident
Comstar, LLC MA Business Associate 68,957 Hacking/IT Incident Yes Unspecified hacking incident
Shoreline Eye Group CT Healthcare Provider 57,047 Hacking/IT Incident Yes Eye Care Leaders hacking incident
AU Health GA Healthcare Provider 50,631 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Finkelstein Eye Associates IL Healthcare Provider 48,587 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Oklahoma City Indian Clinic OK Healthcare Provider 38,239 Hacking/IT Incident No Ransomware attack
Moyes Eye Center, PC MO Healthcare Provider 38,000 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Family Health Care, Inc KS Healthcare Provider 33,619 Hacking/IT Incident No Unspecified hacking incident
Allwell Behavioral Health Services OH Healthcare Provider 29,972 Hacking/IT Incident No Hacking and data theft incident
Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care GA Healthcare Provider 28,332 Hacking/IT Incident No Unauthorized access to email accounts
FPS Medical Center AZ Healthcare Provider 28,024 Hacking/IT Incident No Ransomware attack
Capsule NY Healthcare Provider 27,486 Hacking/IT Incident No Unauthorized access to user accounts
McKenzie Health System MI Healthcare Provider 25,318 Hacking/IT Incident No Hacking and data theft incident
Sylvester Eye Care OK Healthcare Provider 19,377 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Aesto, LLC d/b/a Aesto Health AL Business Associate 17,400 Hacking/IT Incident Yes Hacking and data theft incident
Vail Health Services CO Healthcare Provider 17,039 Hacking/IT Incident No Ransomware attack
Motion Picture Industry Health Plan CA Health Plan 16,838 Unauthorized Access/Disclosure No Mismailing incident
Bryan County Ambulance Authority OK Healthcare Provider 14,273 Hacking/IT Incident No Ransomware attack
Associated Ophthalmologists of Kansas City, P.C. MO Healthcare Provider 13,461 Hacking/IT Incident No Eye Care Leaders hacking incident
Allaire Healthcare Group NJ Healthcare Provider 13,148 Hacking/IT Incident No Unauthorized access to user accounts
EmblemHealth Plan, Inc. NY Health Plan 11,399 Unauthorized Access/Disclosure No Unconfirmed
Behavioral Health Partners of Metrowest, LLC MA Business Associate 11,288 Hacking/IT Incident Yes Hacking and data theft incident

Causes of May 2022 Healthcare Data Breaches

Hacking incidents continue to be reported in high numbers in May, with 53 (75.7%) of the month’s data breaches classed as hacking or other IT incidents. That represents a 77% increase in incidents compared to April. Those incidents accounted for 95.5% of the records breached in May (4,212,721 records), which is more than twice the number of records exposed in hacking incidents in April. The average breach size was 79,485 records and the median breach size was 13,148 records.

There were 13 unauthorized access/disclosure incidents reported in May – a slight increase from April. Across those incidents, 43,807 records were impermissibly disclosed. The average breach size was 3,370 records and the median breach size was 1,196 records.

There were three theft incidents reported and one incident involving the loss of paper/films. These breaches involved a total of 154,010 records, with an average breach size of 35,503 records and a median breach size of 1,771 records.

Causes of May 2022 Healthcare Data Breaches

With so many hacking incidents, it is unsurprising that 31 of the month’s data breaches involved protected health information stored on network servers. The high number of breaches of electronic health records was due to the cyberattack on Eye Care Leaders. As the chart below shows, email account breaches were reported in high numbers in May, 70% more incidents than in April. While security awareness training for the workforce and multi-factor authentication will not prevent all email data breaches, they can significantly improve protection.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the hardest hit HIPAA-covered entity type in May, with 49 reported breaches. There were 11 data breaches reported by health plans, and business associates of HIPAA-covered entities reported 10 breaches; however, 8 data breaches occurred at business associates but were reported by the covered entity. The data breaches detailed in the chart below reflect where the data breach occurred.

May 2022 Healthcare data breaches by HIPAA regulated entity

Healthcare providers suffered the highest number of data breaches, but business associates topped the list in terms of the number of exposed healthcare records.

HIPAA-Regulated Entity

Number of Reported Data Breaches Total Records Exposed

Business Associate

18

2,554,789

Health Plan

10

1,014,150

Healthcare Provider 42

841,599

May 2022 Healthcare Data Breaches by State

Data breaches of 500 or more healthcare records were reported by HIPAA-regulated entities in 29 states. California was the worst affected state with 8 large healthcare data breaches reported, followed by New York with 6 reported breaches.

State No. Reported Data Breaches
California 8
New York 6
Georgia, Missouri & Ohio 4
Alabama, Illinois, Massachusetts, North Carolina, Oklahoma & Texas 3
Arizona, Connecticut, Florida, Maryland, Michigan, New Hampshire, Virginia & Washington 2
Colorado, Indiana, Kansas, Minnesota, Mississippi, Montana, New Jersey, Nevada, Tennessee & Wisconsin 1

HIPAA Enforcement Activity in May 2022

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights or state Attorneys General in May. So far this year, 4 financial penalties totaling $170,000 have been imposed by OCR to resolve HIPAA violations.

The post May 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture

The HHS’ Health Sector Cybersecurity Coordination Sector (HC3) has published guidance for healthcare organizations to help them improve their cyber posture. Cyber posture is the term given for the overall strength of an organization’s cybersecurity, protocols for predicting and preventing cyber threats, and the ability to continue to operate while responding to cyber threats.

To comply with the HIPAA Security Rule, organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, and reduce risks to a low and acceptable level.

Technical safeguards will help to keep ePHI private and confidential and will ensure ePHI can be recovered in the event of a destructive cyberattack. A robust cybersecurity program can help to limit the damage caused in the event of an attack, can prevent the theft of sensitive information such as ePHI and intellectual property, limit the potential for misuse of patient data, and will help to improve customer confidence.

HC3 details several steps that can be taken to improve cyber posture such as conducting regular security posture assessments, consistently monitoring networks and software for vulnerabilities, defining which departments own risks and assigning managers to specific risks, regularly analyzing gaps in security controls, defining key security metrics, and creating incident response and disaster recovery plans.

HC3 also recommends following the cybersecurity best practices detailed in CISA Insights for protecting against cyber threats. These best practices can help to reduce the likelihood of a damaging cyber intrusion occurring, will help organizations rapidly detect attacks in progress, will make it easier to conduct an efficient breach response, and maximize organizations’ resilience to destructive cyberattacks.

HC3 draws attention to the security risk assessment, which is an aspect of HIPAA Security Rule compliance that has been problematic for many healthcare organizations. The security risk assessment is concerned with identifying threat sources, threat events, and vulnerabilities, determining the likelihood of exploitation and the probable impact, and calculating risk as a combination of likelihood and impact.

Healthcare organizations can then use the information provided by risk assessments to prioritize risk management. The Office for Civil Rights has recently released a new version of its Security Risk Assessment Tool, which can help small- and medium-sized healthcare organizations with their security risk assessments.

The post HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture appeared first on HIPAA Journal.

Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities that come into contact with protected health information (PHI) are required to ensure policies, processes, and people are compliant with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Ensuring you have a good security posture is an important part of HIPAA compliance. The HIPAA Security Rule requires HIPAA-regulated entities to have appropriate safeguards in place to ensure the confidentiality, integrity, and availability of ePHI, and to manage risks to protected health information and reduce them to a low and acceptable level.

Ensuring you have a good security posture has never been more important. Cyber threat actors have stepped up their attacks on the healthcare industry and data breaches are occurring at record levels. Further, following the ‘Safe Harbor’ update to the HITECH Act, if you are able to demonstrate you have implemented recognized security practices, you will be protected against fines, sanctions, and extensive audits and investigations by the HHS’ Office for Civil Rights.

To help you on your compliance journey and with your security efforts, Compliancy Group is hosting a webinar that will explain the ins and outs of compliance and cybersecurity, and why both are necessary for patient privacy and your practice’s security.

During the webinar, Compliancy Group will explain how HIPAA compliance can be simplified, you will be walked through the regulation, and will be provided with actionable tips that you can implement within your practice today.

 3 learning objectives of the webinar:

  1. Why compliance and security are BOTH required for HIPAA compliance.
  2. How HIPAA and security help protect your patients.
  3. What you can implement in your practice now to avoid breaches and fines.

Webinar Details:

Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Wednesday, July 20, 2022

11:00 a.m. PT ¦ 2:00 p.m. ET

Host: Compliancy Group

[contact-form-7]

The post Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant appeared first on HIPAA Journal.

Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook

An analysis of hospitals’ websites has revealed one-third of the top 100 hospitals in the United States are sending patient data to Facebook via a tracker called Meta Pixel, without apparently obtaining consent from patients.

Meta Pixel is a snippet of JavaScript code that is used to track visitor activity on a website. According to Meta, “It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze [the] effectiveness of your website’s conversion funnels.”

Meta Pixel can collect a variety of data, including information about the buttons clicked and the pages visited by clicking those buttons, and the data collected is linked to the individual by their IP address, which identifies the device that the visitor is using. That information is then automatically sent to Facebook. On a hospital website, the tracker could collect a user’s IP address and link it to sensitive information, such as if that individual had clicked to make an appointment.

The analysis was conducted by The Markup and the report was co-published by STAT. The Markup found that Meta Pixel tracking was present on a third of hospitals’ appointment scheduling pages. In one example – University Hospitals Cleveland Medical Center – the researchers found that when a visitor clicks on the ‘Schedule Online’ button on a doctor’s page, Meta Pixel sent the text of the button to Meta, along with the doctor’s name and the search term, which for that patient was pregnancy termination. It was a similar story with several other websites, which sent information taken from the selection made from dropdown menus, which provided information about the patient’s condition – Alzheimer’s disease for example.

Even more concerning is that for 7 hospital systems, Meta Pixel was installed inside password-protected patient portals. The researchers found that five of those hospital systems were sending data to Meta about real patients who volunteered to participate in the Pixel Hunt project, which was jointly run by the Markup and Mozilla Rally. Participation in that project involved allowing data to be sent to The Markup about the sites they visited, which revealed the data being sent to Meta included patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

The Markup said there did not appear to be any business associate agreements between the hospitals and Meta that would allow the data sharing under the HIPAA Rules, and express consent from patients authorizing the sharing of data with Meta did not appear to have been obtained, suggesting potential HIPAA violations.

The 7 health systems were Community Health Network, Edward-Elmhurst Health, FastMed, Novant Health, Piedmont, Renown Health, and WakeMed. All but FastMed and Renown Health had removed the Meta Pixel after being informed about the data transfer by The Markup at the time of publication of the report, along with 6 hospitals out of the 33 that were identified as having the Meta Pixel on their appointment booking pages.

The Markup said in its report that the 33 hospitals that had Meta Pixel on their appointment pages have collectively reported more than 26 million patient admissions and outpatient visits in 2020, and this study was only limited to the top 100 hospitals. Many others may also be passing data to Facebook through Meta Pixel.

The Markup said it was unable to determine how Meta/Facebook used the data transferred through Meta Pixel, such as for providing targeted adverts. Meta spokesperson, Dale Hogan, issued a statement in response to the findings of the study. “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems.”

The post Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook appeared first on HIPAA Journal.