Hospitals may have to step up their game to protect user information on their websites, given the recent attention to the largely unregulated universe of third-party data transfers.
About 98 percent of all acute care US hospitals use tracking software that captures data pertaining to patient visits, according to a study published this year in Health Affairs. But this practice allows third parties not subject to federal privacy laws to browse people’s internet behavior, get access to sensitive health information, and potentially monetize it.
“Hospital websites transfer data to numerous third parties, including some of the largest technology and social media companies, advertising firms, and data brokers,” the study’s authors wrote.
Tracking entities differ greatly in their user policies, business models, and willingness to profile and resell data. But as more entities receive user data, the more potential there is for misuse of that data, says Ari B. Friedman, MD, PhD, the study’s lead author.
Hospitals should check their website privacy under the purview of their privacy officers, “and view it with the same sophistication they review adding new devices and software to their health system,” says Friedman, an assistant professor of emergency medicine at the University of Pennsylvania.
Automated Tool Tracks Data Transfers
Website managers often install third-party tracking codes, pixels, or cookies to optimize advertisement campaign monitoring or social media linkage. The little pieces of code record any visitor interactions with the website, sometimes sending the information back to the third-party operator, explains Cobun Zweifel-Keegan, CIPP/US, CIPM, managing director of the International Association of Privacy Professionals in Washington, DC.
Health systems may not fully understand the privacy implications of such coding, which allows these third parties not subject to the Health Insurance Portability and Accountability Act (HIPAA) to observe browsing patterns, Friedman and his colleagues from the University of Pennsylvania and Carnegie Mellon University note in the Health Affairs study.
Their prospective study evaluated the prevalence and quantity of third-party tracking on the websites of 3,747 nonfederal, acute care hospitals with an emergency department. This excluded ambulatory surgery centers or freestanding long-term care facilities. They obtained demographics on the hospitals themselves, and their patient populations, using 2019 data from the Census Bureau’s American Community Survey (ACS) and American Hospital Association (AHA) Annual Survey.
Over a three-day period in 2021, an open-source, automated tool called WebXray recorded any data requests that led to third-party data transfers. The WebXray data linked tracking domains to parent companies such as Alphabet, which owns Google. To track visitors across the internet, investigators recorded persistent identifiers or cookies stored on browsers.
Third-party Tracking Is Rampant on Websites
Friedman and colleagues reported “ubiquitous and extensive” third-party tracking across these websites, which on average initiated 16 third-party data transfers. The study found that 98 percent of the hospitals used at least one third-party transfer and 94 percent had at least one third-party cookie.
Institutions most likely to expose visitors to third-party data transfers included hospitals that belonged to a health system, were affiliated with a medical school, or served more urban patient populations. While the cause of this warrants further study, it’s possible that these types of hospitals might be using more features and third-party functionality on their websites, such as Google Maps, according to the study.
“Alternatively, these hospitals may engage in higher levels of online advertising to drive revenues, and the third-party tracking is a consequence of the perceived need to monitor these adverting campaigns by installing tracking tools,” the investigators suggested.
Alphabet/Google was the most common third-party entity (98.5 percent of websites) followed by Meta/Facebook (55.6 percent) and Adobe Systems (31.4 percent). Other tracking entities included AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.
Other research has highlighted the problem of healthcare data tracking. In 2022, an investigation of Newsweek’s top 100 hospitals by STAT and The MarkUp found that 33 transferred data to Facebook. A 2021 study that analyzed third-party tracking on 61 hospital websites determined that 90 percent had at least one third-party cookie.
How User Data Is Targeted for Ads
Third-party tracking codes facilitate profiling patients by third parties, the Health Affairs study researchers cautioned.
“These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals,” they summarized.
When users visit a website, the tracker sends the information through Meta’s pixel to Meta, for example. “Depending on how that's configured on the website, Meta may be able to use that for third-party targeting for the whole ad ecosystem that creates targeted ads around the web,” says Zweifel-Keegan.
A first-party website such as a hospital can upload a list of internal protocol (IP) addresses, email addresses, or unique device ID numbers to a company like Meta, for example. The party may not know who the website visitors are. However, Meta can match the pieces of information from the embedded trackers with other information it already has. “Thus, Meta enables the first party to directly target those people through Meta,” says Zweifel-Keegan.
Meta can then provide specific advertising for health-related products and services on a user's Facebook or Instagram feed.
Third-party tracking technologies may also enable a hospital or a healthcare company to “retarget” users. Retargeting does not require plugging in to the entire ad-tech ecosystem. Instead, the company directly targets and markets to existing customers or users who have already visited the website.
Enforcement Actions Send Warning to Companies
The reality is almost all websites use these technologies, says Zweifel-Keegan. “The question is just how they should be used in the online healthcare context,” given the large number of organizations that have health-related personal information, he says.
Enforcement actions against third-party tracking are relatively new. During the past year, agencies such as the Department of Health and Human Services (HHS) and Federal Trade Commission (FTC) have turned their attention to covered healthcare entities.
Earlier this year, the FTC, which recently strengthened its Health Breach Notification Rule, penalized two healthcare companies for violating the rule by sharing sensitive health information with third parties for advertising purposes.
Digital health platform GoodRx Holdings Inc. paid a $1.5 million civil penalty for failing to inform consumers about unauthorized disclosures of personal health information to Facebook, Google, and other companies. The FTC also required BetterHelp, Inc., which offers online counseling services, to pay $7.8 million for disclosing consumers’ email and IP addresses and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest.
The FTC has prohibited either company from sharing user health data with third parties for advertising.
“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
What matters to regulators is the potential, however small, that health-related information transmitted to an advertising platform could be viewed by that platform along with personal information about the user, Zweifel-Keegan says.
“In the FTC cases, this risk was made real by the fact that the companies configured the third-party tracker in such a way that the data they uploaded to the platform included the names of the healthcare conditions,” he adds.
A 2021 lawsuit involving Massachusetts General Hospital, Brigham and Women’s Hospital, Dana Farber Cancer Institute, and other providers offers a cautionary tale to hospitals. The hospitals agreed to an $18 million settlement with a group of plaintiffs who alleged they had violated their privacy by sharing website user data with third parties without consent. No damages, injuries, or data breaches resulted from the plaintiffs visiting the websites.
Federal agencies have taken several actions to alert companies of the privacy and security risks of online tracking technology.
HHS’ Office for Civil Rights (OCR) recently clarified that the HIPAA Privacy Rule does not permit the use of tracking technologies on websites and apps unless the third parties receiving protected health information are legitimate business associates that have signed a business associate agreement.
In July, the OCR and FTC warned of the repercussions and legal ramifications of online tracking technologies in a joint letter to 130 companies. The way these technologies gather identifiable information is largely unknown to website or app users, the letter stated.
“Impermissible disclosures of an individual’s personal health information to third parties may result in a wide range of harms to an individual or others,” violating HIPAA, as well as the FTC Act and FTC Health Breach Notification Rule, wrote the FTC’s Levine and OCR Director Melanie Fontes Rainer.
Ideally, Congress should approve comprehensive privacy legislation in the United States, but that hasn't happened yet, says Friedman. The OCR guidance advising hospitals that websites should be considered under HIPAA protection is a huge step forward and uses existing law. Additionally, the joint OCR/FTC letters will hopefully bring more action, he adds.
How Culpable Are Hospitals?
Friedman and his co-authors were quick to point out that the hospitals they studied likely were not deliberately trying to harm patients.
“Our working hypothesis is that hospitals are deeply devoted to protecting their patients’ privacy, but that they were not aware of the scope of the problem of web tracking,” Friedman says. It’s likely that most of the tracking found its way to websites because the web administrator was looking for specific functionality without considering the overall mission and policies of the hospital, he says.
This can happen if the hospital marketing teams or website managers aren’t aware of what the new federal requirements are, says Zweifel-Keegan. “For example, if the hospital doesn't have a privacy officer, or if the privacy officer isn't involved in those kinds of decisions, they may be configuring their websites and allowing this sort of behavior to continue.”
Another possibility is they’re just not making the auditing of third-party tracking a priority, says Jay Hodes, president of Virginia-based Colington Consulting, which provides HIPAA consulting services for healthcare providers and business associates. “My sense is I don’t think a lot of small- to mid-size organizations put a lot of stock in ensuring they’re complying with HIPAA because they don’t understand what the requirements call for.”
The OCR is trying to raise awareness about tracking technologies, but “I don’t think they have the resources in terms of ramping up enforcement. Once OCR settles a couple of cases regarding the use of tracking technologies, a loud and clear message will be sent to the healthcare sector,” says Hodes.
Given the recent attention to this issue by the OCR, research, and media outlets, the hope is health system entities will move rapidly to fix the problem and protect their patients' privacy, says Friedman.
Addressing Tracking through Audits
Friedman and his colleagues recommended that policymakers address tracking on health-related web pages, “specifically in proposed privacy legislation that builds on the framework of the American Data Protection and Privacy Act, ideally by prohibiting the practice.”
Hospitals can limit or eliminate third-party tracking through audits. Those that choose to allow tracking should disclose the practice to visitors, allowing them a chance to opt out through simple procedures, wrote the authors of the Health Affairs study.
Having a privacy expert on staff is critical, says Zweifel-Keegan. These experts should be in communication with the marketing teams and website managers to ensure that everyone is well-versed in privacy laws and regulations.
Friedman says some hospitals have already expressed an interest in making these changes. The informatics community has offered support to hospitals looking for technical help on this issue, he says.
Hodes knows of a chief compliance officer on the West Coast who's paying attention to the issue. Reading up on the OCR guidance, he paid a visit to the hospital’s marketing department. “If you are utilizing any tracking technology, cease and desist,” Hodes says the compliance officer told staff members. “We don’t want OCR issuing an investigation based on patient complaints.”
At one East Coast hospital, the marketing department flagged the lack of guidance from its compliance department about third-party tracking, Hodes says.
Ultimately, the auditing of third-party tracking technology is going to be patient-driven, says Hodes. “More patients have to be aware of how their data is being utilized and start complaining to OCR.”
People who visit their doctor should feel comfortable talking about awkward or sensitive parts of their health. Professional norms and the law combine to keep that information safe with their doctor and care team. “You should have that same feeling of comfort and privacy when you visit your hospital's website to schedule an appointment or look up information on your health,” says Friedman.
Jennifer Lubell is a freelance healthcare and medical writer based in the Washington, DC, area.
Take the CE Quiz