Mount Sinai Health System has agreed to a $5.3 million settlement to resolve claims it improperly shared patient data with Facebook through tracking tools on its website and MyChart portal between 2020 and 2023, The HIPAA Journal reports. The lawsuit alleged violations of federal and state privacy laws, including the Electronic Communications Privacy Act (ECPA), as well as negligence and breach of contract. Mount Sinai denied wrongdoing and maintained no medical information was shared.
While Mount Sinai has denied wrongdoing, the case underscores how inadvertent tech decisions can trigger legal and financial consequences. Tools such as Facebook Pixel, Google Analytics or other trackers can silently capture data from patient portals and hospital websites. If that data relates to a person’s health or care, it may be protected under HIPAA. Even beyond HIPAA, the ECPA can come into play, since it prohibits the unauthorized sharing of electronic communications.
Essentially, HIPAA governs how patient data should be handled, but the ECPA provides the legal teeth for patients to sue if their electronic health communications are intercepted or disclosed without their consent.
Although this may look like an isolated IT issue, it matters for facilities managers too.
Facilities managers oversee operational systems that directly affect compliance and the patient experience. Patient portals, websites and digital touchpoints often fall in a gray area between IT, legal and operations. Facilities managers need visibility into these systems to understand where their organization actually stands.
Here’s what healthcare facilities managers can do to address these issues:
- Vet digital tools: Make sure that websites, kiosks and portals are free from unapproved third-party trackers, according to the U.S. Department of Health and Human Services (HHS).
- Cross-departmental collaboration: Work with IT, compliance and legal to map how and where data flows, according to Dentons On Call.
- Policy and training: Facilities teams must understand what’s being collected, where it goes and whether it aligns with patient consent, according to the HHS.
- Vendor management: Ensure that outside vendors supplying software or portals meet compliance requirements, according to Clark Hill.
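One way to start the "vet digital tools" check above, as an added example that is not from the article or any organization it cites: a small Python audit script that parses a saved copy of a portal page and flags third-party script, image and iframe sources as well as inline tracker snippets. The tracker catalogue, the first-party host name and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative (constructed) tracker catalogue; a real audit keeps this list with compliance.
TRACKER_HOSTS = {
    "connect.facebook.net": "Facebook Pixel", "www.facebook.com": "Facebook Pixel",
    "www.google-analytics.com": "Google Analytics", "www.googletagmanager.com": "Google Tag Manager",
}
INLINE_CALLS = {"fbq(": "Facebook Pixel", "gtag(": "Google Tag Manager"}  # calls made by tracker snippets

class TrackerScanner(HTMLParser):
    # Flags third-party script/img/iframe sources and inline tracker snippets.
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party, self.findings, self._script = first_party_host.lower(), [], None

    def _add(self, tracker, where, evidence):
        self.findings.append({"tracker": tracker, "where": where, "evidence": evidence})
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:  # 1x1 <img> beacons count too
            host = urlparse(src).netloc.lower()
            if host and host != self.first_party:       # relative or first-party is fine
                self._add(TRACKER_HOSTS.get(host, "unknown third party"), f"<{tag} src>", host)
        if tag == "script":
            self._script = []                          # start buffering inline code
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag != "script" or self._script is None:
            return
        text, self._script = "".join(self._script), None
        # Loader snippets inject their <script> at runtime, so the tracker host may
        # only appear as a string literal inside inline code; check for those too.
        for needle, name in {**INLINE_CALLS, **TRACKER_HOSTS}.items():
            if needle in text:
                self._add(name, "inline script", needle)

def scan_html(page, first_party_host):
    scanner = TrackerScanner(first_party_host)
    scanner.feed(page); scanner.close()
    return scanner.findings

# Constructed sample portal page: a first-party script next to Pixel and Tag Manager snippets.
SAMPLE_PAGE = """<html><head><script src="/static/portal.js"></script>
<script>fbq('init', 'PLACEHOLDER_PIXEL_ID'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER_ID"></script></head>
<body><img src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView" width="1" height="1">
</body></html>"""
```

Run it against saved HTML of both the public site and the logged-in portal, since trackers are often configured differently on the two. Findings labelled "unknown third party" still need review with IT and compliance before they are cleared.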
Mount Sinai’s case serves as a reminder that protecting patient data is not just an IT function, but an organizational responsibility. Facilities managers who stay proactive can help prevent costly legal battles and maintain the trust patients place in their healthcare providers.
Jeff Wardon, Jr., is the assistant editor of the facilities market.