Sharing hospital website user data with 3rd parties is common, study shows
A new statistical analysis of 90 distinct hospital websites, drawn from a nationally representative sample of 100 community hospitals, finds that those providers – where they had privacy policies available at all – were inadequate in how accurately they disclosed their use of third-party tracking technologies to consumers.
In addition to comparing details about third-party recipients of collected user data, user rights and potential uses, the study also looked at the readability of the policies available.
Of the community hospitals in the study that do reveal in their user privacy policies that they transfer data to third parties, about three-quarters noted user information would be used for advertising and marketing purposes while half disclosed the names of the third-party companies.
WHY IT MATTERS
Those statistics show just how common the use of online tracking tools is for hospitals and health systems, even as they face scrutiny – and sometimes lawsuits – from patient privacy advocates.
In determining the availability of a website privacy policy in a sample of nonfederal acute care hospitals, the researchers also analyzed web user privacy policy language addressing user information collection and usage, according to User Information Sharing and Hospital Website Privacy Policies published by JAMA Network last week.
They were looking specifically at how community hospitals explain how website visitor data – IP address, pages visited within the site, contact information and demographic information that the site might collect – is shared with third parties, including Google and Meta.
In the cross-sectional analysis of a nationally representative sample of 100 nonfederal acute care hospitals, 96% of the hospital websites had at least one third-party data request, while only 71% had a publicly accessible privacy policy.
Most websites transferred data to a median of nine third-party domains and set a median of nine third-party cookies – “small pieces of code stored on a user’s browser that can serve as persistent identifiers, enabling third parties to track users across multiple sites,” the researchers noted.
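The two measurements the study reports, third-party data requests and third-party cookies, can be reproduced against a site you operate from a browser's network and cookie export. The following is an added illustration written for this article, not the study's own tooling: it classifies each observed request and cookie as first- or third-party by comparing registrable domains, then computes the per-site counts and the cross-site medians. The hospital hostnames, request URLs and cookies are constructed sample data, and `site_of` uses a simplified two-label rule rather than the Public Suffix List.

```python
"""Audit observed requests and cookies for third-party domains.

Added example (not from the JAMA study). Input mirrors what a browser's
developer tools export (a HAR file plus the cookie jar); here it is
constructed inline so the script runs offline.
"""
from statistics import median
from urllib.parse import urlsplit


def site_of(host: str) -> str:
    """Collapse a hostname to its registrable site.

    Assumption: a simple 'last two labels' rule. A real audit should use
    the Public Suffix List so that names like example.co.uk are handled.
    """
    labels = host.lower().rstrip(".").lstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_domains(page_url: str, request_urls: list[str]) -> list[str]:
    """Distinct registrable domains, other than the page's own, that received a request."""
    first = site_of(urlsplit(page_url).hostname)
    found = set()
    for url in request_urls:
        host = urlsplit(url).hostname
        if host and site_of(host) != first:
            found.add(site_of(host))
    return sorted(found)


def third_party_cookies(page_url: str, cookies: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Cookies whose Domain attribute is not the page's own site. cookies: (name, domain)."""
    first = site_of(urlsplit(page_url).hostname)
    return [(name, dom) for name, dom in cookies if site_of(dom) != first]


# Constructed observations for three hypothetical hospital sites.
SAMPLE_SITES = {
    "https://www.hospital-a.test/": {
        "requests": [
            "https://www.hospital-a.test/index.html",
            "https://cdn.hospital-a.test/app.js",
            "https://www.google-analytics.com/collect",
            "https://connect.facebook.net/en_US/fbevents.js",
            "https://www.facebook.com/tr?id=CONSTRUCTED",
            "https://fonts.gstatic.com/s/font.woff2",
        ],
        "cookies": [("session", "www.hospital-a.test"),
                    ("_ga", ".hospital-a.test"),       # set on the first-party domain
                    ("fr", ".facebook.com")],          # third-party cookie
    },
    "https://portal.hospital-b.test/": {
        "requests": [
            "https://portal.hospital-b.test/",
            "https://static.hospital-b.test/site.css",
            "https://www.googletagmanager.com/gtm.js",
            "https://bat.bing.com/bat.js",
        ],
        "cookies": [("sid", "portal.hospital-b.test"), ("MUID", ".bing.com")],
    },
    "https://www.hospital-c.test/": {
        "requests": ["https://www.hospital-c.test/", "https://www.hospital-c.test/style.css"],
        "cookies": [("sid", "www.hospital-c.test")],
    },
}


def summarize(sites: dict) -> dict:
    """Per-site third-party findings plus the cross-site statistics the study reports."""
    per_site = {}
    for page, obs in sites.items():
        per_site[page] = {
            "third_party_domains": third_party_domains(page, obs["requests"]),
            "third_party_cookies": third_party_cookies(page, obs["cookies"]),
        }
    domain_counts = [len(v["third_party_domains"]) for v in per_site.values()]
    cookie_counts = [len(v["third_party_cookies"]) for v in per_site.values()]
    return {
        "per_site": per_site,
        "share_with_third_party_request": sum(1 for c in domain_counts if c) / len(domain_counts),
        "median_domains": median(domain_counts),
        "median_cookies": median(cookie_counts),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_SITES)
    for page, v in result["per_site"].items():
        print(page, v["third_party_domains"], [c[0] for c in v["third_party_cookies"]])
    print("sites with any third-party request:", result["share_with_third_party_request"])
    print("median third-party domains:", result["median_domains"])
    print("median third-party cookies:", result["median_cookies"])
```

Cookies set by a script on the hospital's own domain (the `_ga` entry above) count as first-party here, which is why a site can have many third-party requests but few third-party cookies; whether that first-party cookie is later read by a third party is a question the cookie jar alone cannot answer, and the privacy policy is where the disclosure should appear.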
“A substantial number of hospital websites did not present users with adequate information about the privacy implications of website use, either because they lacked a privacy policy or had a privacy policy that contained limited content about third-party recipients of user information,” they said in the report.
The researchers also reported that 56.3% (40) of the available policies disclosed the specific third-party companies receiving user information, with Google being the most commonly named pixel tracker.
The most common categories of disclosed third-party recipients were:
- Service providers – 50 policies or 70.4%
- Marketers and advertisers – 27 policies or 38.0%
- Subsequent firm owners – 27 policies or 38.0%
The researchers noted that they did not include separate notices of privacy practices (NPPs) in their study, which took place from November 2023 to January 2024. NPPs describe how a HIPAA-covered entity will handle protected health information collected during clinical encounters and billing.
THE LARGER TREND
With the HHS Office for Civil Rights, which investigates breaches of protected health information collected during clinical encounters and claims processing, aiming to put guardrails around HIPAA-covered entities’ use of online tracking tools, providers that encroach on website user privacy could find themselves in hot water, even when PHI is not transferred to a third party without patient consent.
Last year, OCR and the Federal Trade Commission, which investigates data breaches, sent a joint letter to 130 hospitals and health systems warning them of privacy and security risks related to third-party tracking tools that can share sensitive medical data with advertising partners.
The American Hospital Association has been critical of OCR’s attempts to limit online tracking tools for website user data and potentially penalize them, filing a lawsuit last year.
While plaintiffs in several lawsuits against hospitals and health systems over their use of pixel trackers argue that the providers are allowing non-HIPAA-covered entities to eavesdrop on sensitive health communications, AHA maintains that even with OCR’s online tracking tools policy revision last month, it’s “regulatory overreach” when it comes to website user data.
“Disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures,” OCR clarified in the revised guidance.
ON THE RECORD
“These findings suggest that hospitals may not be presenting patients and other website users with adequate information about the privacy implications of website use,” the JAMA Network researchers said.
“Although hospitals are generally not required under federal law to have a website privacy policy that discloses their methods of collecting and transferring data from website visitors, hospitals that do publish website privacy policies may be subject to enforcement by regulatory authorities like the Federal Trade Commission.”
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.