University of Iowa Hospitals and Clinics Sued for Illegal Disclosures of PHI to Facebook
A lawsuit has been filed in the U.S. District Court for the Southern District of Iowa that alleges University of Iowa Hospitals and Clinics (UIHC) unlawfully, negligently, and recklessly disclosed patients’ private information to Facebook, without obtaining patient consent.
HIPAA-regulated entities are facing increased scrutiny of their website practices following the discovery of widespread use of website tracking code, sometimes called pixels, for tracking website visitor activity. The snippets of code record information about website and app activity that is tied to individual users. The information gathered can be used to improve the user experience, but the information collected is usually transferred to the providers of the code. A study that was recently published in Health Affairs found 98.6% of nonfederal acute care hospital websites in the United States had tracking pixels on their websites, which collected and transferred sensitive data to Meta (Facebook), Google, and other third parties. The information transmitted could be used for a variety of purposes, such as serving targeted advertisements based on specific medical conditions researched or disclosed on healthcare providers’ websites.
The extent to which patient privacy was being violated prompted the HHS’ Office for Civil Rights to issue guidance in 2022 on the use of website tracking code, and this year OCR Director Melanie Fontes Rainer confirmed that these unauthorized disclosures of PHI are now an enforcement priority for OCR. Attorneys have also been quick to take action, with more than 50 lawsuits already filed against healthcare entities over the use of these tracking tools.
The UIHC lawsuit – Yeisley v. University of Iowa Hospitals & Clinics – was filed on behalf of plaintiff Eileen Yeisley and similarly situated individuals. The lawsuit claims UIHC manages or controls two websites that are used for booking appointments, locating treatment facilities and physicians, and registering patients for events and classes. The lawsuit alleges UIHC intentionally included a Facebook pixel on both of those websites that shared visitor activity with Facebook and linked that information to individuals’ personal Facebook accounts. The lawsuit also alleges UIHC installed a Facebook conversion application programming interface (API) on the websites, which works independently of the pixel and allows additional disclosures of protected health information (PHI) to Facebook.
The use of these code snippets results in the sensitive data of patients and potential patients being sent to Facebook without their consent or knowledge, and that information can then be sold by Facebook to third parties to allow individuals to be targeted with advertisements specific to medical conditions disclosed or researched on the websites. The lawsuit claims that the code was added by UIHC to boost profits and includes evidence – screenshots – that shows the source code of UIHC websites includes the Facebook code snippets.
OCR confirmed in its guidance that these disclosures of PHI are typically not permitted by the HIPAA Privacy Rule, and warrant notifications under the HIPAA Breach Notification Rule. Several healthcare providers have reported breaches of PHI due to tracking code to OCR, but UIHC has yet to issue breach notifications. University of Iowa Health has issued a statement in response to the allegations: “University of Iowa Health Care is committed to protecting patient privacy. We don’t share protected health information of our patients with Meta or Facebook. We will review the lawsuit once received.”
The lawsuit alleges negligence, invasion of privacy, unjust enrichment, breach of confidence, and violations of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act and seeks class action status, equitable and injunctive relief, and an order from the court to prevent UIHC from engaging in this activity in the future. The lawsuit also seeks an award of damages, including actual, consequential, punitive, and nominal damages.