Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis announces strategic partnership with Microsoft to acclerate the secure adoption of Copilot.

Learn more

Is Browsing Facebook While in the Hospital a HIPAA Violation?

2 min read
Last updated March 10, 2023

A recently filed federal class-action suit claims that several healthcare providers are violating HIPAA’s rules on protected health information (PHI). If the suit succeeds, privacy advocates say it has the potential to disrupt the way the ad targeting industry deals with the healthcare sector.

To really understand what’s going on, you’ll need some background on HIPAA.

Get the Free Essential Guide to US Data Protection Compliance and Regulations


HIPAA Privacy and Authorization

According to HIPAA’s Privacy Rule, covered entities – healthcare providers, insurers, and clearinghouses—require patients to give explicit authorization (as in ‘check box to approve PHI transfer to third-party’ in an online form) for their PHI to be used outside of a few very specific areas (payment, treatment, healthcare operations ).

PHI for marketing purposes definitely requires the covered entity to get authorization.

Hospitals, Patients, and Facebook

Suppose you’re a hospital patient waiting (and waiting) to see your doctor, and browsing the hospital website on your laptop looking for answers to a medical question. And let’s assume the hospital website also has a Facebook plugin that supports “like”.

As an active Facebook user, you are also keeping friends informed of your medical adventure.

Unbeknownst to you, URLs are being sent back to Facebook based on your hospital website browsing. The Facebook cookies on your laptop adds identifier information that lets Facebook then target information to its subscribers.

So as you’re lying in bed looking at friends’ Facebook status updates while dealing with amazing amounts of pain, you might be served up an ad about, say morphine drips, which are based on browsing the pain management section of the hospital website.

Of course, this is a huge part of the way Facebook makes its money. And this is what the suit is alleging took place with the hospitals and healthcare organizations that were named: webpages with Facebook plugins were sending browsing histories back to the FB mothership.

So What’s the Problem?

Another crucial fact: PHI covers more than a name, address, and other obvious identifiers.

While the healthcare organizations  in the suit are not sending classic identifiers, they are potentially providing URLs, IP addresses and sub state-level geo data back to FB.

According to HIPAA, these would qualify as PHI — based on the Department of Health and Human Services’ 18 element safe harbor list. And therefore, it would require patient authorization, which the websites did not request from users.

We’ve written previously about the broad definition of identifiable data used by HIPAA. In this case, these providers seemed to have been caught in the PHI’s very wide net.

In short: PHI is being sent from these websites to Facebook without patient permission. A big HIPAA violation.

Legal Questions

As a non-lawyer, this suit does raise an issue or two for me.

If you’re not a patient of a healthcare provider but use the site anyway, are you covered by HIPAA?

One argument I read is that if a hospital is a covered entity in the context of a patient-provider relationship, they’re a covered entity in all contexts, including the more typical user-website relationship.

So it doesn’t matter that you’re not a patient when browsing a hospital website: HIPAA would still apply!

The suit essentially says a hospital website can’t take online user information and send it to an ad network without violating HIPAA. If this claim is proven right, it will have enormous implications for the use of health and possibly non-health data by ad networks.

Facebook is clearly not a covered entity, so what did they do wrong?

The class-action suit says that Facebook violated state laws on health information, and — get this! — the federal Wiretap Act.

There’s a California law, for example, that requires explicit consent for health information to be sent to third parties. And if we use the broad PHI definition of identifiers, then Facebook could have violated that state’s law.

And the Wiretap law may kick in when you collect information over the Intertoobz without authorization. To me, though, this last one seems a bit of a — ahem — legal stretch.

This law suit is being closely watched by privacy pros. We’ll keep you posted if we hear anything new.

Confused by HIPAA? Then take our five-part email  HIPAA class. and soar like a legal eagle (or at least be able to answer a few legally related HIPAA questions).

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Speed Data: The Principles of GRC With Hannah DeWane
Hannah DeWane at Varonis shares her day-to-day world of security audits and the wonderful world of risk management.
Cybersecurity Maturation Model Certification 2.0: How Varonis Ensures Certification for Defense Contractors
Varonis can help you achieve compliance and implement the Cybersecurity Maturity Model Certification 2.0 (CMMC) program to safeguard cybersecurity across the government’s DIB.
Meta's $1.3B Fine: What can Happen if you Don’t Monitor Your PII
Continuous discovery and data monitoring critical to identify misplaced PII.
HIPAA Compliance: Your Complete 2023 Checklist
Is your organization ready to comply with 2023 HIPAA updates and changes? Ensure HIPAA compliance with your comprehensive 2023 checklist.