Research shows that sharing user data from hospital websites with third parties is common
A new statistical analysis of 90 individual hospital websites, drawn from a nationally representative sample of 100 community hospitals, finds that those providers – when they had a privacy policy available for use – were inadequate in how they accurately disclosed the use of third-party tracking technologies. to consumers.
In addition to comparing details about third-party recipients of collected user data, user rights and potential uses, the study also looked at the readability of the available policies.
Of the community hospitals in the study that disclosed in their user privacy policies that they would disclose data to third parties, about three-quarters noted that user information would be used for advertising and marketing purposes, while half disclosed the names of the third-party companies.
WHY IT MATTERS
These statistics show how common the use of online tracking tools is for hospitals and healthcare systems, even as they face scrutiny — and sometimes lawsuits — from patient privacy advocates.
In determining the availability of a website privacy policy in a sample of non-federal acute care hospitals, the researchers also analyzed the language of Internet users’ privacy policies regarding the collection and use of user information, according to User Information Sharing and Hospital Website Privacy Policies published by JAMA Network last week.
Specifically, they looked at how community hospitals explain how website visitor data (IP address, pages visited on the site, contact information, and demographic information the site might collect) is shared with third parties, including Google and Meta.
In the cross-sectional analysis of a nationally representative sample of 100 non-federal acute care hospitals, 96% of hospital websites had at least one third-party data request, while only 71% had a publicly accessible privacy policy.
Most transferred data to third parties to an average of nine third-party domains, and had an average of nine third-party cookies – “small pieces of code stored in a user’s browser that can serve as persistent identifiers, allowing third parties to track users across multiple locations,” the researchers noted.
“A substantial number of hospital websites did not provide users with adequate information about the privacy implications of website use because they did not have privacy policies or had privacy policies that contained limited content about third-party recipients of user information,” they said. in the report.
The researchers also reported that 56.3% of available policies (40) disclosed the specific third-party companies that received user information, with Google being the most commonly cited pixel tracker.
The most common categories of disclosed third party recipients were:
- Service providers – 50 policies or 70.4%
- Marketers and advertisers – 27 policies or 38.0%
- Next Business Owners – 27 policies or 38.0%
The researchers noted that they did not include a separate Notice of Privacy Practice Documents in their study, which took place from November 2023 to January 2024. The NPPs describe how a HIPAA covered entity will handle protected health information collected during clinical encounters and billing.
THE BIG TREND
With the HHS Office for Civil Rights, which investigates violations of protected health information collected during clinical encounters and claims processing, with the goal of placing guardrails around the use of online tracking tools by HIPAA covered entities, providers who infringe on the privacy of website users find themselves in hot water even if PHI is not transferred to a third party without the patient’s consent.
Last year, OCR and the Federal Trade Commission, which investigates data breaches, sent a joint letter to 130 hospitals and health care systems warning them of privacy and security risks associated with third-party tracking tools that can share sensitive medical data with advertising partners.
The American Hospital Association has been critical of OCR’s efforts to restrict and potentially punish online tracking tools for website user data, filing a lawsuit last year.
While plaintiffs in several lawsuits against hospitals and health care systems over their use of pixel trackers argue that the providers are allowing non-HIPAA entities to eavesdrop on sensitive health communications, AHA claims that even with last month’s policy revision to OCR’s online tracking tools , the “regulatory overreach” when it comes to website user data.
“Disclosures of PHI to tracking technology providers for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures,” OCR clarified in the revised guidance.
ON THE RECORD
“These findings suggest that hospitals may not provide patients and other website users with sufficient information about the privacy implications of website use,” the researcher said. JAMA Network researchers said.
“Although hospitals are generally not required by federal law to have a website privacy policy disclosing their practices for collecting and transferring data from website visitors, hospitals that do post a website privacy policy may be subject to enforcement by regulatory agencies such as the Federal Trade Commission. “
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.