A new statistical analysis of 90 distinct hospital websites, drawn from a nationally representative sample of 100 community hospitals, finds that those providers – when they had privacy policies available for consumption – were inadequate in how they accurately disclosed the use of third-party tracking technologies to consumers.

In addition to comparing details about third-party recipients of collected user data, user rights and potential uses, the study also looked at the readability of the policies available. 

Of the community hospitals in the study that reveal in their user-privacy policies that they transfer data to third parties, about three-quarters of them noted user information would be used for advertising and marketing purposes, while half disclosed the names of the third-party companies.

WHY IT MATTERS

Those statistics show just how common the use of online tracking tools is for hospitals and health systems, even as they face scrutiny – and sometimes lawsuits – from patient privacy advocates.

In determining the availability of a website privacy policy in a sample of nonfederal acute care hospitals, the researchers also analyzed web user privacy policy language addressing information collection and usage, according to User Information Sharing and Hospital Website Privacy Policies published by JAMA Network last week.

They were looking specifically at how community hospitals explain how website visitor data – IP address, pages visited within the site, contact information and demographic information that the site might collect – is shared with third parties, including Google and Meta.

In the cross-sectional analysis of a nationally representative sample of 100 nonfederal acute care hospitals, 96% of the hospital websites had at least one third-party data request, while only 71% had a publicly accessible privacy policy.

Most were transferring data to third parties to a median of nine third-party domains and had a median of nine third-party cookies – "small pieces of code stored on a user’s browser that can serve as persistent identifiers, enabling third parties to track users across multiple sites," the researchers noted. 

"A substantial number of hospital websites did not present users with adequate information about the privacy implications of website use, either because they lacked a privacy policy or had a privacy policy that contained limited content about third-party recipients of user information," they said in the report.

The researchers also reported that 56.3% of the available policies – 40 – disclosed the specific third-party companies receiving user information, with Google being the most commonly named pixel tracker.

The most common categories of disclosed third-party recipients were:

• Service providers – 50 policies, or 70.4%.
• Marketers and advertisers – 27 policies, or 38.0%.
• Subsequent firm owners – 27 policies, or 38.0%.

The researchers noted that they did not include separate notice of privacy practice documents in their study, which took place from November 2023 to January 2024. The NPPs describe how a HIPAA-covered entity will handle protected health information collected during clinical encounters and billing.

THE LARGER TREND

With the HHS Office for Civil Rights, which investigates breaches of protected health information collected during clinical encounters and claims processing, aiming to put guardrails around HIPAA-covered entities' use of online tracking tools, providers that encroach on website user privacy could find themselves in hot water, even when PHI is not transferred to a third party without patient consent. 

Last year, OCR and the Federal Trade Commission, which investigates data breaches, sent a joint letter to 130 hospitals and health systems warning them of privacy and security risks related to third-party tracking tools that can share sensitive medical data with advertising partners. 

The American Hospital Association has been critical of OCR's attempts to limit online tracking tools for website user data and potentially penalize their use, and filed a lawsuit last year.

While plaintiffs in several items of litigation against hospitals and health systems for their use of pixel trackers argue that the providers are allowing non-HIPAA-covered entities to eavesdrop on sensitive health communications, AHA maintains that even with OCR's online tracking-tools policy revision last month, it is "regulatory overreach" when it comes to website user data.

"Disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures," OCR clarified in the revised guidance.

ON THE RECORD

"These findings suggest that hospitals may not be presenting patients and other website users with adequate information about the privacy implications of website use," the researchers said.

"Although hospitals are generally not required under federal law to have a website privacy policy that discloses their methods of collecting and transferring data from website visitors, hospitals that do publish website privacy policies may be subject to enforcement by regulatory authorities like the Federal Trade Commission."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.