Judge Rejects Injunction Prohibiting Meta from Accumulating Patient Information through Meta Pixel Code

Plaintiffs in a consolidated class action lawsuit against Meta lately sought an injunction versus Meta to make the company discontinue accumulating and transmitting information gathered from the sites of healthcare companies via Meta Pixel tracking code.

The plaintiffs state that using Meta Pixel code on appointment booking pages and patient sites enables sensitive data, which includes patient communications, to be gathered and monetized by Meta, which breaks federal and state privacy legislation. William Orrick, U.S. District Judge for the Northern District of California, recently released a ruling dismissing the injunction.


Last summer, The Markup carried out an investigation regarding using tracking technologies for example Meta Pixel on the webpages of healthcare organizations and discovered that 33% of the 100 leading hospitals in America got the code on their web pages, a few of which had put in the code to their patient websites. Meta Pixel could gather any data in HTTP headers, button click information, and form field names. That code was known to be transferring patient information to Meta even though Meta had not signed a business associate agreement with the healthcare providers.

In the past couple of months, Advocate Aurora Health, Community Health Network, Novant Health, and WakeMed Health and Hospitals have all filed a report of impermissible disclosures of patients’ sensitive data to OCR because of utilizing Meta Pixel as well as other tracking code on their sites. A number of lawsuits were likewise filed against Meta and healthcare companies about the usage of Meta Pixel code and the impermissible sharing of the information of Facebook users, which the lawsuits assert is being utilized for promotional purposes with no permission.

The Department of Health and Human Services Office for Civil Rights has just affirmed that the usage of tracking codes on websites is not permitted with the HIPAA Privacy Rule whenever those technologies gather and send protected health information (PHI) except if the vendor of the tracking technology is entitled as a business associate and there is a business associate agreement is signed or if HIPAA-compliant patient consent is acquired.

Meta has contended that it has a guideline set up that restricts the data businesses may disclose via Meta Pixel, and systems are set up that filter out sensitive information to make sure the data isn’t transferred to marketers by means of its ads ranking and optimization programs. Meta additionally states that any injunction that demands the business to quit gathering healthcare details would be unfairly troublesome and technologically not practical.

The accusations against Meta are bothersome: plaintiffs bring up likely strong statements on the worth and their claimed injury will be permanent when confirmed, stated Judge Orrick in his decision. To acquire a mandatory injunction, plaintiffs must demonstrate that the law and facts plainly prefer their position, not just that they are probable to be successful.

Orrick revealed that Meta has offered proof that the company is doing everything it can to reduce the difficulties brought up by the plaintiffs, and that according to the available data it is unsure where the fact lies. Orrick stated it is essential for the discovery to make clear the extent of the problems and the possible options that could be applied to deal with them. Judge Orrick mentioned that it is too soon to know that the public interest sustains a compulsory injunction.

About Christine Garcia 1289 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA