University of Iowa Hospitals and Clinics Sued for Unlawful Disclosures of PHI to Facebook
A lawsuit has been filed in the U.S. District Court for the Southern District of Iowa that alleges University of Iowa Hospitals and Clinics (UIHC) unlawfully, negligently, and recklessly disclosed patients’ private information to Facebook, without obtaining patient consent.
HIPAA-regulated entities are facing increased scrutiny of their website practices following the discovery of widespread use of website tracking code, often referred to as pixels, for monitoring website visitor activity. The snippets of code record information about website and app activity that is tied to individual users. The information gathered can be used to improve the user experience, but the information collected is often transferred to the providers of the code. A study that was recently published in Health Affairs found 98.6% of nonfederal acute care hospital websites in the United States had tracking pixels on their websites, which collected and transferred sensitive data to Meta (Facebook), Google, and other third parties. The information transmitted could be used for a variety of purposes, such as serving targeted advertisements based on specific medical conditions researched or disclosed on healthcare providers’ websites.
The extent to which patient privacy was being violated prompted the HHS’ Office for Civil Rights to issue guidance in 2022 on the use of website tracking code, and this year OCR Director Melanie Fontes Rainer confirmed that these unauthorized disclosures of PHI are now an enforcement priority for OCR. Lawyers have also been quick to take action, with more than 50 lawsuits already filed against healthcare entities over the use of these tracking tools.
The UIHC lawsuit – Yeisley v. University of Iowa Hospitals & Clinics – was filed on behalf of plaintiff Eileen Yeisley and similarly situated individuals. The lawsuit claims UIHC manages or controls two websites that are used for booking appointments, locating treatment facilities and physicians, and registering patients for events and classes. The lawsuit alleges UIHC intentionally included a Facebook pixel on both of those websites that shared visitor activity with Facebook and linked that information to individuals’ personal Facebook accounts. The lawsuit also alleges UIHC installed a Facebook conversion application programming interface (API) on the websites, which works independently of the pixel and allows additional disclosures of protected health information (PHI) to Facebook.
The use of these code snippets results in the sensitive data of patients and prospective patients being sent to Facebook without their consent or knowledge, and that information can then be sold by Facebook to third parties to allow individuals to be targeted with advertisements specific to medical conditions disclosed or researched on the websites. The lawsuit claims that the code was added by UIHC to boost profits and includes evidence – screenshots – that shows the source code of UIHC websites includes the Facebook code snippets.
OCR confirmed in its guidance that these disclosures of PHI are generally not permitted by the HIPAA Privacy Rule, and warrant notifications under the HIPAA Breach Notification Rule. Several healthcare providers have reported breaches of PHI due to tracking code to OCR, but UIHC has yet to issue breach notifications. University of Iowa Health has issued a statement in response to the allegations: “University of Iowa Health Care is committed to protecting patient privacy. We do not share protected health information of our patients with Meta or Facebook. We will review the lawsuit once received.”
The lawsuit alleges negligence, invasion of privacy, unjust enrichment, breach of confidence, and violations of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act and seeks class action status, equitable and injunctive relief, and an order from the court to prevent UIHC from engaging in this activity in the future. The lawsuit also seeks an award of damages, including actual, consequential, punitive, and nominal damages.