NewYork-Presbyterian pays $300K to settle NY pixel tracking case

The New York State Attorney General on Wednesday announced an important new settlement around one healthcare system's use of privacy-invading online pixel technology.

WHY IT MATTERS
NewYork-Presbyterian Hospital will pay $300,000 for using third-party tools that expose the protected health information of people who visited its website, New York AG Letitia James said Dec. 27.

Her office found that the health care system — NYP operates 10 hospitals in New York City and the surrounding metro area, with more than two million patient visits per year — used ad technology on its homepage that “collected and shared private and personal information” with third-party companies, in violation of HIPAA.

Between June 2016 and June 2022, the AG's office alleged that NYP used third-party tools to track visitors to its website for marketing purposes as they researched information about various symptoms and conditions, searched for doctors, booked appointments, and more.

Such tools use pieces of code called tracking pixels, which send data back to third-party developers when web pages load or users click links, submit forms, or search for specific terms.

That could pass information about users' health to these third-party companies, who would also have access to their IP address and the URL of the web page or link that was clicked.

“Several third parties received unique identifiers stored on users' devices, which allowed third parties to recognize users with whom they had previously interacted,” AG James' office alleges. “One of the third parties may also have received first and last name, email address, postal address and gender information.”
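As an added illustration (not part of the original article or of any NYP or attorney general material), the following JavaScript audit takes a list of requests captured while loading one page and reports what each third-party host receives: IP address, page URL, visitor input and a device identifier. The hostnames, parameter names and cookie value are constructed for the example.

```javascript
// Added example. All hosts, parameters and cookie values below are constructed.
const FIRST_PARTY = "hospital.example";
const PAGE = "https://www.hospital.example/find-a-doctor?specialty=oncology";

// Requests a browser made while loading PAGE (e.g. exported from dev tools).
const capturedRequests = [
  { url: "https://www.hospital.example/static/app.js", referer: PAGE, cookie: "" },
  { url: "https://px.adtech.example/tr?ev=PageView&dl=" + encodeURIComponent(PAGE),
    referer: "https://www.hospital.example/", cookie: "uid=8f3a1c" },
  { url: "https://fonts.cdn.example/inter.woff2",
    referer: "https://www.hospital.example/", cookie: "" },
];

function isThirdParty(host) {
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Return what one request exposes to a third party, or null if it is first-party.
function auditRequest(req, pageUrl) {
  const target = new URL(req.url);
  if (!isThirdParty(target.hostname)) return null;
  const page = new URL(pageUrl);
  // Everything the receiving host can read: decoded query values plus the Referer.
  const sent = [...target.searchParams.values(), req.referer || ""];
  const leaks = ["ip-address"]; // every direct request reveals the client IP
  // Page URL: the visited path shows up in a query parameter or the Referer header.
  if (page.pathname !== "/" && sent.some((v) => v.includes(page.pathname))) {
    leaks.push("page-url");
  }
  // Values the visitor typed or selected on the page (search terms, form fields).
  const typed = [...page.searchParams.values()].filter((v) => v.length > 0);
  if (typed.some((t) => sent.some((v) => v.includes(t)))) leaks.push("page-input");
  // A cookie on the third-party domain lets it recognise a returning device.
  if (req.cookie) leaks.push("device-identifier");
  return { host: target.hostname, leaks };
}

// Audit every captured request for one page and keep only third-party findings.
function auditPage(requests, pageUrl) {
  return requests.map((r) => auditRequest(r, pageUrl)).filter((r) => r !== null);
}

console.log(JSON.stringify(auditPage(capturedRequests, PAGE), null, 2));
```

Run against a real capture before a tool is deployed, a finding that combines `page-url` or `page-input` with `device-identifier` is the pattern the settlement describes.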

NYP lacked proper internal policies and procedures for vetting their third-party tracking tools, the office alleges, and did not “review or monitor third-party tracking tools for violations of policy or law prior to their deployment.”

In addition to the monetary penalty, as a result of the new settlement, NYP has agreed to a series of corrective actions, James' office said. Among them: updating their policies and procedures around third-party online tools, and conducting regular audits and testing before deploying such tools to NYP websites or apps.

In addition, NYP will now regularly review the contracts, privacy policies, and terms of use associated with third-party tools and “direct third parties to delete any protected health information received.”

THE BIG TREND
The attorney general's office has alerted other healthcare providers to guidance on HIPAA and tracking technologies: the policy bulletin published by the HHS Office for Civil Rights more than a year ago, in December 2022.

That was, of course, in response to initial news of potential privacy concerns related to the use of pixel tracking tools in US healthcare systems, starting with a data breach report by Advocate Aurora Health in October 2022.

It didn't take long for senators to question leaders of Meta and other companies about their data collection policies, as the scope of the use of these new tracking technologies became clear to healthcare consumers and regulators.

Soon, other hospitals and major healthcare systems announced their own pixel-related breaches — and other federal agencies sent out alerts about how the tools are being used.

More recently, however, hospitals have pushed back against HHS and its privacy rules, claiming that enforcing OCR's regulations on pixel tracking tools would upset the “balance that HIPAA and its regulations strike between privacy and information sharing.”

In the meantime, there are still ways that pixel tracking can be used safely and in a way that protects privacy.

ON THE RECORD
“New Yorkers looking for a doctor or medical care should be able to do so without putting their private information at risk,” Attorney General James said Wednesday in announcing the NYP settlement. “Hospitals and medical facilities must maintain a high standard for protecting their patients' personal information and health data.

“NewYork-Presbyterian failed to carefully manage its patients' health information, and as a result, technology companies gained access to people's data,” she added. “Today's agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients' information.”

Mike Miliard is editor-in-chief of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.