John Doe, a Facebook user and a MedStar Health System patient from Maryland, has sued Meta (the parent company of Facebook) for scraping protected health information. The social media giant allegedly collects highly sensitive data of patients who use the Meta Pixel tool on their websites. It has violated the HIPAA Privacy Rule and concerned millions of people.
What Is the Meta Lawsuit About?
“It works by loading a small library of functions which you can use whenever a site visitor takes an action that you want to track. Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze the effectiveness of your website’s conversion funnels.” Meta explains its policy.
Although Meta is not a HIPAA-covered entity, it would need to have a HIPAA business associate agreement (BAA) in place in order to handle PHI in compliance with HIPAA. Meta warns on its website that “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” Facebook is accused of failing to protect PHI and of taking no action to enforce or validate its requirement. HIPAA rules prohibit using the tool on hospital websites without obtaining consent. So, the social media platform is not bound to HIPAA compliance, but the hospitals that use the Meta Pixel tool on their websites may commit HIPAA violations by transferring sensitive information without consent.
Legal Requirements of the Meta Lawsuit
The main point of the HIPAA breach committed by Meta is scraping the protected health information of millions of patients. It violates the contract and the duty of good faith and fair dealing as well as federal and state laws, including the federal Electronic Communications Privacy Act, California’s Invasion of Privacy Act, and the Unfair Competition Law. The lawsuit seeks class-action status, compensatory and punitive damages, and attorneys’ fees.
This is not the first time Facebook has been accused of such violations. Similar lawsuits were filed in 2016, 2018, and 2019. The Federal Trade Commission (FTC) led the Meta company to file a Department of Justice complaint with similar allegations: “Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.”
Therefore, you need to be sure that you follow all requirements of HIPAA compliance in order to avoid large fines or a HIPAA corrective action plan.