The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties

New research indicates that virtually all U.S. hospitals have been using tracking software on their websites that captures visitor data, including health information, and transfers that information to third parties. The study – published this month in Health Affairs – was conducted by researchers at the University of Pennsylvania. They used the 2019 American Hospital Association (AHA) Annual Survey to identify hospitals and narrowed their study to nonfederal acute care hospitals with an emergency department that were not ambulatory surgery centers or freestanding long-term care facilities. The websites of 3,747 U.S. hospitals were assessed in the study.

The researchers used an open-source tool called WebXray to identify third-party tracking code and recorded data requests on the hospital websites over a 3-day period in 2021. The researchers also recorded cookies and data stored on browsers that would allow visitors to the websites to be tracked across the Internet. They found that 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% had at least one third-party cookie. Over the three-day study period, the home pages of the websites initiated a median of 16 data transfers.

The tracking code, sometimes referred to as pixels, is provided by third parties for use on websites to track visitors, and it is extremely common across the Internet. The code records website interactions, such as the pages visited, how visitors arrived on the website, and the sites they visited when they left. Website operators can use the collected data to improve their websites and services, but the same data is also transferred to the third parties that provide the code.

While these technologies can be found on virtually all websites, the Health Insurance Portability and Accountability Act (HIPAA) does not permit their use unless certain conditions are met, because the tracking code can collect individually identifiable health information, including visits to web pages about specific medical conditions such as HIV, cancer, and Alzheimer’s disease, and information entered into web forms.


The third parties receiving the information are typically not HIPAA-regulated entities, which means uses and disclosures of the transferred data are largely unregulated. The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications. What actually happens to the transferred data is unclear.

The HHS’ Office for Civil Rights (OCR) recently issued guidance for HIPAA-regulated entities on the use of tracking technologies on websites and apps and confirmed that the use of these technologies is not permitted by the HIPAA Privacy Rule unless the third parties receiving protected health information are legitimate business associates and a business associate agreement has been signed. Alternatively, authorizations are required before protected health information is transferred.

According to the study, hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving urban patient populations had more third-party data transfers than other hospitals. The researchers hypothesized that this could be due to those websites providing a more extensive range of services, including third-party apps on the website – Google Maps, for example – or carrying a higher level of website advertising.

The third parties that most commonly received data were Alphabet (Google) – 98.5% of websites, Meta (Facebook) – 55.6% of websites, and Adobe Systems – 31.4% of websites. Other third parties that commonly received visitor data include AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote the researchers. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

In 2021, three Boston hospitals – Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana-Farber Cancer Institute – agreed to pay more than $18 million to settle allegations that they had shared website user data with third parties without consent, and many more lawsuits against healthcare providers are pending.

Given the recent guidance from OCR and the extent to which tracking code has been used, all hospitals should review their websites for tracking code and ensure that business associate agreements are in place, that patient authorizations are obtained, or that the code is removed from the websites or made HIPAA-compliant. If tracking code is found and protected health information has been impermissibly disclosed, it is a reportable data breach: the HHS must be informed and notifications sent to affected patients.
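As a starting point for the website review recommended above, the following added example (not the WebXray tool and not code from the study or from HIPAA Journal) parses a page's HTML and counts the resources it loads from third-party domains, since every such load is a data transfer that carries the visitor's IP address, referrer URL and any cookies to that party. The hospital domain and the page contents are constructed for illustration.

```python
"""Count third-party resource loads (tracking pixels, analytics scripts,
embedded iframes) in a page's HTML. Constructed example, stdlib only."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch a resource and thereby
# transmit visitor data to the host that serves it.
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collects every URL referenced by the tags in _SRC_ATTRS."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _SRC_ATTRS.get(tag)
        if wanted:
            self.urls.extend(v for k, v in attrs if k == wanted and v)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a production audit should use the
    Public Suffix List so that e.g. .co.uk hosts are grouped correctly."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def third_party_transfers(page_url, html):
    """Map each third-party registrable domain to the number of resources the
    page loads from it. Relative URLs are first-party and are skipped."""
    first_party = registrable_domain(urlparse(page_url).hostname)
    collector = _ResourceCollector()
    collector.feed(html)
    counts = Counter()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative paths like /site.js
        if host and registrable_domain(host) != first_party:
            counts[registrable_domain(host)] += 1
    return counts


# Constructed sample page for a hypothetical hospital (not a real site).
PAGE_URL = "https://www.examplehospital.org/conditions/hiv"
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-XXXX"></script>
<script src="/static/site.js"></script>
<link rel="stylesheet" href="https://cdn.examplehospital.org/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
<iframe src="https://www.google.com/maps/embed?pb=abc"></iframe>
<img src="//assets.adobedtm.com/pixel.gif">
</body></html>"""
```

This inspects static HTML only; trackers injected at runtime by a tag manager are only visible in the browser's actual network requests, which is why the study captured live data requests rather than page source.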

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
