The homepages of nearly all U.S. hospital websites shared data with third-party trackers in 2021, according to research published Monday in Health Affairs. The study did not analyze what specific data was transferred, but the researchers say the sheer volume of trackers suggests it’s likely some of these transfers could run afoul of the federal patient privacy law known as HIPAA.
“We’re not saying that every single one of these things is a HIPAA violation,” says study co-author Matthew McCoy, an assistant professor of medical ethics at the University of Pennsylvania. “But there’s just thousands and thousands and thousands of them. And it’s reasonable to believe that at least some significant portion of these are including [protected health information].”
The privacy risk stems from what these technology vendors can observe as someone moves across the website. For example, a visitor's search for a certain medical procedure or disease can be connected to identifying information such as a home address, email address or IP address. The researchers analyzed a subset of hospital web pages devoted to certain conditions, including Alzheimer’s, breast cancer and HIV, and found a “high correlation” between trackers on the homepage and trackers on those subpages. “We infer then, with a high degree of confidence, that this tracking probably is spread across the hospital website and not just limited to the homepages,” says McCoy.
This intersection of tracking technology and healthcare data has recently come under increased federal and legal scrutiny. An investigation from The Markup and STAT last June found 33 hospital websites were sharing health information with Facebook from a tracker known as the Meta pixel, which has led to class action lawsuits. And, in December, the federal government issued new guidance around trackers and what web activity might be subject to HIPAA – even if the person browsing the website isn’t an existing patient.
There are more than 6,100 hospitals in the U.S., and the researchers were able to identify 3,747 homepages (the gap is because some hospitals that belong to a larger health system share a single homepage, says McCoy). They found that 98.6% of hospital homepages had at least one third-party data transfer and 94.3% had at least one cookie in August 2021. Since the data was collected a year and a half ago, it is possible that some hospitals have since changed their policies around trackers.
This third-party tracking code is most often placed by technology vendors who offer website analytics, social media widgets or reporting on how online advertisements perform in exchange for access to the resulting data. Loading a vendor's script or pixel sends the visitor's IP address and the address of the page being viewed to that vendor; a cookie set by the vendor then lets it recognize the same browser across days and weeks of browsing activity, which is how certain ads seem to “follow” you across the internet.
Hospitals were more likely to have tracking technology on their websites if they were part of a larger health system, had a medical school or were located in urban areas, the researchers found. The most common tracking vendor was Alphabet (the parent company of Google), which appeared on 98.5% of hospital homepages, followed by Meta (the parent company of Facebook) on 55.6% and Adobe Systems on 31.4%. There were other recognizable names, such as Oracle, Amazon, Microsoft, Salesforce and the data broker Acxiom. Hospital homepages had a median of 16 third-party transfers.
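To make the measurement concrete, here is an added example, written for this page and not code from the Health Affairs study, that performs a simplified version of the audit described above on a single page offline. It parses a homepage's HTML for scripts, images and iframes that the browser would fetch from a domain other than the hospital's own, labels each with a vendor from a small hostname table, and records what that one request already discloses (the visitor's IP address and the page URL, which on a condition page names the condition). The vendor table, the hostnames in it and the sample HTML are constructed for illustration and are not from the study; a real audit would also capture cookies and the parameters tracker scripts add at runtime.

```python
"""Offline audit of one hospital web page for third-party data transfers.

Added example, not part of the original article or the Health Affairs study.
The VENDOR_BY_HOST table and SAMPLE_HOMEPAGE below are constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of tracker hostnames to vendors; illustrative, not exhaustive.
VENDOR_BY_HOST = {
    "www.googletagmanager.com": "Alphabet",
    "www.google-analytics.com": "Alphabet",
    "connect.facebook.net": "Meta",
    "www.facebook.com": "Meta",
    "assets.adobedtm.com": "Adobe",
}

# Tags whose URL attribute causes the browser to issue a request on page load.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

# Constructed sample: a first-party script and logo plus three vendor resources.
SAMPLE_HOMEPAGE = """<!doctype html>
<html><head>
<script src="/static/site.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//assets.adobedtm.com/launch.min.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1"></noscript>
<a href="https://www.example-hospital.org/conditions/hiv">HIV care</a>
</body></html>"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for .com/.org hospital sites;
    a production audit would use the public suffix list instead."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every element that triggers a fetch on load."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = SRC_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))


def third_party_transfers(html: str, page_url: str) -> list:
    """Return one record per resource fetched from a domain other than the page's.

    Each record notes what the vendor learns from that single request even
    before any cookie exists: the client IP and the full page URL (sent as the
    Referer header, and usually again as a parameter by the tracker script).
    """
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = urlparse(url).hostname  # None for relative URLs like /static/site.js
        if not host or registrable_domain(host) == first_party:
            continue  # same-origin fetch, not a third-party transfer
        findings.append({
            "tag": tag,
            "host": host,
            "vendor": VENDOR_BY_HOST.get(host, "unknown"),
            "discloses": ["client IP", f"Referer: {page_url}"],
        })
    return findings


def transfers_by_vendor(findings: list) -> dict:
    """Count third-party transfers per vendor, as the study reports them."""
    return dict(Counter(f["vendor"] for f in findings))


if __name__ == "__main__":
    # Same markup served on a condition page: the Referer now names the condition.
    page = "https://www.example-hospital.org/conditions/hiv"
    for f in third_party_transfers(SAMPLE_HOMEPAGE, page):
        print(f["vendor"], f["host"], f["discloses"])
    print(transfers_by_vendor(third_party_transfers(SAMPLE_HOMEPAGE, page)))
```

The protocol-relative `//assets.adobedtm.com/...` form and the `<noscript>` pixel fallback are both handled, because both still produce a request to the vendor; the `<a href>` to the HIV page is ignored, since a link is not fetched until clicked. Running the script against the condition URL shows why the OCR guidance matters: the hospital's own markup has not changed, but every third-party request now carries `/conditions/hiv` alongside the visitor's IP address.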
In December, the federal agency responsible for enforcing HIPAA – the Office for Civil Rights within the Department of Health and Human Services – issued new guidance specific to online trackers. It suggested that if these trackers are present on – or follow someone to – other parts of the website, such as booking an appointment or looking up information about a specific disease, that activity could potentially fall under HIPAA.
Some hospitals may have previously believed their obligations around protected health information started when someone registered as a patient, says Adam Greene, a partner at Davis Wright Tremaine, who formerly worked in the Office for Civil Rights. “What this guidance says is, ‘No, you have to go beyond that and look at exactly what information you’re collecting from the website.’”
This includes activity on both authenticated pages, such as a patient portal where someone logs in, as well as certain public-facing pages that don’t require sign-in or an existing patient relationship. That’s because certain actions people take on a hospital website could relate to “past, present or future” healthcare. The guidance provides the example of a person who searches for “pregnancy or miscarriage” on a public hospital page where a tracker collects their email address or IP address – in this particular instance, the government says HIPAA rules would apply.
HIPAA violations are enforced by the Office for Civil Rights, which can impose penalties and seek financial settlements, or state attorneys general, who can bring lawsuits on behalf of the citizens of their state, says Greene. An individual can’t bring a claim under HIPAA, but could sue for a related claim, like breach of contract. He says there haven’t been any enforcement actions yet related to the tracking guidance — that doesn’t mean there aren’t investigations underway, but it could take years. Greene says it’s important for hospitals to take stock of their websites and what information is being shared with third-party tracking vendors. “Certainly the risk goes up of an enforcement action, once they’ve done this shot across the bow,” says Greene.
Separately, the Federal Trade Commission recently reached a $1.5 million settlement with pharmacy discount coupon company GoodRx and a $7.8 million settlement with online therapy service BetterHelp over issues related to targeted advertising practices and customer health data (neither company admitted wrongdoing). The FTC can’t directly enforce HIPAA but can bring related actions against companies that fall under its mandate to combat “unfair and deceptive trade practices.”
While the new guidance is “a big deal,” says Andrew Crawford, senior counsel focused on data and privacy at the Center for Democracy and Technology, it only applies to the specific organizations that must abide by HIPAA – doctors, hospitals, insurers and the other businesses they contract with in the process of treating patients, billing for services and other operations functions. “That universe, while big, does not encapsulate a whole host of other tech, that’s going to also generate health information about users,” says Crawford, such as consumer-facing websites, apps and wearable devices that also collect and use health-related data. That’s why his organization supports more comprehensive federal privacy regulation to protect consumers. “Unfortunately, right now, the burden falls to each consumer to do their homework, and to try to figure out where data about their health is not only being generated, where it’s being stored, and who it might be being shared with,” says Crawford.
This story has been updated since publication to add additional details about HHS guidance on online trackers.