The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

University of Iowa Hospitals and Clinics Sued for Unlawful Disclosures of PHI to Facebook

A lawsuit has been filed in the U.S. District Court for the Southern District of Iowa that alleges University of Iowa Hospitals and Clinics (UIHC) unlawfully, negligently, and recklessly disclosed patients’ private information to Facebook, without obtaining patient consent.

HIPAA_regulated entities are facing increased scrutiny of their website practices following the discovery of widespread use of website tracking code, often referred to as pixels, for monitoring website visitor activity. The snippets of code record information about website and app activity that is tied to individual users. The information gathered can be used to improve the user experience, but the information collected is often transferred to the providers of the code. A study that was recently published in Health Affairs found 98.6% of nonfederal acute care hospital websites in the United States had tracking pixels on their websites, which collected and transferred sensitive data to Meta (Facebook), Google, and other third parties. The information transmitted could be used for a variety of purposes, such as serving targeted advertisements based on specific medical conditions researched or disclosed on healthcare providers’ websites.

The extent to which patient privacy was being violated prompted the HHS’ Office for Civil Rights to issue guidance in 2022 on the use of website tracking code, and this year OCR Director Melanie Fontes Rainer confirmed that these unauthorized disclosures of PHI are now an enforcement priority for OCR. Lawyers have also been quick to take action, with more than 50 lawsuits already filed against healthcare entities over the use of these tracking tools.

The UIHC lawsuit – Yeisley v. University of Iowa Hospitals & Clinics – was filed on behalf of plaintiff Eileen Yeisley and similarly situated individuals. The lawsuit claims UIHC manages or controls two websites that are used for booking appointments, locating treatment facilities and physicians, and registering patients for events and classes. The lawsuit alleges UIHC intentionally included a Facebook pixel on both of those websites that shared visitor activity with Facebook and linked that information to individuals’ personal Facebook accounts. The lawsuit also alleges UIHC installed a Facebook conversion application programming interface (API) on the websites, which works independently of the pixel and allows additional disclosures of protected health information (PHI) to Facebook.

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

The use of these code snippets results in the sensitive data of patients and prospective patients being sent to Facebook without their consent or knowledge and that information can then be sold by Facebook to third parties to allow individuals to be targeted with advertisements specific to medical conditions disclosed or researched on the websites. The lawsuit claims that the code was added by UIHC to boost profits and includes evidence – screenshots – that shows the source code of UIHC websites includes the Facebook code snippets.

OCR confirmed in its guidance that these disclosures of PHI are generally not permitted by the HIPAA Privacy Rule, and warrant notifications under the HIPAA Breach Notification Rule. Several healthcare providers have reported breaches of PHI due to tracking code to OCR, but UIHC has yet to issue breach notifications. University of Iowa Health has issued a statement in response to the allegations, “University of Iowa Health Care is committed to protecting patient privacy. We do not share protected health information of our patients with Meta or Facebook. We will review the lawsuit once received.”

The lawsuit alleges negligence, invasion of privacy, unjust enrichment breach of confidence, and violations of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act and seeks class action status, equitable and injunctive relief, and an order from the court to prevent UIHC from engaging in this activity in the future. The lawsuit also seeks an award of damages, including actual, consequential, punitive, and nominal damages.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.


Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist