96% of Hospitals Still Use Website Tracking Technologies That Share Data with Third Parties
An analysis of the websites of non-federal acute care U.S. hospitals has confirmed that 96% of those websites use tracking technologies that share visitor data with third parties such as Meta, Google, LinkedIn, or Snapchat.
In December 2022, the Department of Health and Human Services' Office for Civil Rights (OCR) issued guidance for HIPAA-regulated entities on the use of website tracking technologies. The guidance made clear that, under HIPAA, these technologies cannot be used in a way that shares protected health information (PHI) with third parties unless the third party is authorized to receive the data and a HIPAA-compliant business associate agreement is in place, or the patient has given valid authorization for the disclosure. In July 2023, OCR and the Federal Trade Commission (FTC) sent around 130 warning letters to hospitals and telehealth companies reminding them of their obligations with respect to website tracking technologies.
OCR issued updated guidance in March 2024 clarifying its position. The update confirms that not all information collected through these tools is classed as PHI, but stresses that "regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules."
Before OCR issued its guidance, a study by researchers at the University of Pennsylvania in Philadelphia determined that 99% of hospitals in the United States used tracking technologies on their websites that transferred data to third parties. A follow-up study, published in the JAMA Network, examined 100 hospital websites between November 2023 and January 2024. It checked whether each site transferred visitor data to third parties via these tracking technologies and whether it had an easy-to-find privacy policy that told visitors about the use of these tools, how and why data was collected, and which third parties received that data.
Of the 100 hospital websites, 96 transferred user information to third parties. 71 had a privacy policy; 69 stated the types of information collected automatically; 70 indicated how that data would be used; 66 stated the categories of third parties that would receive the collected information; but only 40 named the specific third parties that would receive the data. While some privacy policies name well-known recipients such as Google, the researchers note that hospital websites transfer data to a median of 9 domains, and previous research indicates that many of these are unfamiliar companies, including data brokers and firms with little or no consumer-facing presence. The researchers conclude that a substantial number of hospital websites do not give visitors adequate information about how their data is collected and used, either because they have no privacy policy or because the policy does not disclose enough about how visitor data will be used.
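The study's core measurement, which third-party domains a page contacts and whether those requests reveal the page the visitor was on, is straightforward to reproduce from a browser's network log. The following is an added example, not code from the study or from HIPAA Journal. The request list is constructed for illustration rather than captured from any real hospital site, the vendor host patterns are assumptions based on the vendors' public pixel documentation, and the small public-suffix set stands in for the full Public Suffix List a real audit would use.

```python
"""
Audit which third parties a web page contacts and whether any of those
requests carry the visited page's URL (e.g. an appointment-request page).

Added example. SAMPLE_REQUESTS is constructed, not captured from a real
site; KNOWN_TRACKERS host patterns are assumptions.
"""
from urllib.parse import urlparse, parse_qs

# Assumption: a few multi-label public suffixes so that hosts such as
# "trust.nhs.co.uk" collapse correctly. Use the full Public Suffix List in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

# Assumed host suffixes used by well-known tracking pixels/tags.
KNOWN_TRACKERS = {
    "facebook.com": "Meta",
    "google-analytics.com": "Google",
    "doubleclick.net": "Google",
    "linkedin.com": "LinkedIn",
    "snapchat.com": "Snapchat",
}


def registrable_domain(host):
    """Collapse a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def vendor_for(host):
    """Map a request host to a known tracking vendor, or None if unrecognised."""
    for suffix, vendor in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None


def carries_page_url(page_url, req_url, referer):
    """True if the outbound request reveals the path of the page being visited,
    either in a query parameter (pixels commonly send the document URL) or in
    a full-URL Referer header."""
    page_path = urlparse(page_url).path
    query = parse_qs(urlparse(req_url).query)
    in_query = any(page_path in v for values in query.values() for v in values)
    in_referer = referer is not None and page_path in referer
    return in_query or in_referer


def audit(page_url, requests):
    """requests: list of (request_url, referer) observed while loading page_url.
    Returns the first-party domain, every third-party domain contacted with its
    request count and vendor, and which third parties received the page URL."""
    first_party = registrable_domain(urlparse(page_url).hostname)
    report = {"first_party": first_party, "third_parties": {}, "page_url_leaks": []}
    for url, referer in requests:
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain == first_party:
            continue  # same-site asset, not a third-party transfer
        entry = report["third_parties"].setdefault(
            domain, {"vendor": vendor_for(host), "requests": 0})
        entry["requests"] += 1
        if carries_page_url(page_url, url, referer):
            report["page_url_leaks"].append((domain, entry["vendor"]))
    return report


# Constructed sample: a visit to an appointment-request page on a fictional site.
PAGE = "https://hospital.example/services/oncology/request-appointment"
ORIGIN_ONLY = "https://hospital.example/"  # default cross-origin Referer trimming
SAMPLE_REQUESTS = [
    ("https://hospital.example/static/app.js", PAGE),
    ("https://cdn.hospital.example/logo.png", PAGE),
    ("https://www.facebook.com/tr?id=123&ev=PageView&dl=https%3A%2F%2Fhospital.example"
     "%2Fservices%2Foncology%2Frequest-appointment", ORIGIN_ONLY),
    ("https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&dl=https%3A%2F%2F"
     "hospital.example%2Fservices%2Foncology%2Frequest-appointment", ORIGIN_ONLY),
    ("https://px.ads.linkedin.com/collect?pid=1&fmt=gif", ORIGIN_ONLY),
    ("https://tr.snapchat.com/p?pid=abc", ORIGIN_ONLY),
    # Unrecognised collector that receives the full page URL via Referer
    ("https://collector.example-broker.net/beacon", PAGE),
]

if __name__ == "__main__":
    result = audit(PAGE, SAMPLE_REQUESTS)
    print("first party:", result["first_party"])
    for domain, info in sorted(result["third_parties"].items()):
        print(f"  {domain:28s} vendor={info['vendor']!s:10s} requests={info['requests']}")
    print("page URL disclosed to:", result["page_url_leaks"])
```

The report separates two findings the study treats differently: that a third party was contacted at all (the "median of 9 domains" figure), and that the request disclosed which page was being viewed, which is what turns an anonymous-looking beacon into a potential PHI disclosure when the page concerns a condition or appointment. A domain with no vendor match is worth the most attention, since it is exactly the kind of recipient a privacy policy is least likely to name.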