An investigation of the websites belonging to non-government acute care U.S. hospitals has shown that 96% of the websites employ tracking codes that disclose user information to third parties like Google, Meta, Snapchat, or LinkedIn.
In December 2022, the Department of Health and Human Services released guidance for HIPAA-covered entities on the use of website tracking technologies. The guidance stated plainly that, under HIPAA, these technologies must not be used if they disclose protected health information (PHI) to a third party unless that third party is permitted to receive it, meaning either a HIPAA-compliant business associate agreement has been signed or the patient has authorized the disclosure. In July 2023, the Federal Trade Commission (FTC) and OCR sent approximately 130 warning letters to telehealth organizations and hospitals reminding them of their HIPAA obligations with respect to website tracking technologies.
OCR updated its guidance in March 2024 to make its position clear: OCR agrees that not all data gathered through these technologies is PHI, but emphasizes that “covered entities are not allowed to make use of tracking systems in a way that would bring about impermissible exposure of PHI to vendors of tracking technologies or any other violations of the HIPAA Regulations.”
Before OCR issued that guidance, researchers at the University of Pennsylvania in Philadelphia published a study last year finding that 99% of United States hospitals used tracking technologies on their websites that transmitted personal information to third parties. The latest research, available on the JAMA Network, is a follow-up to that study. It covered 100 hospitals from November 2023 to January 2024, and each hospital's website was examined to determine whether:
- it sent visitor information to third parties through tracking technologies installed on the website
- it had an easily accessible privacy policy that told visitors about the use of these tracking tools and how and why data was collected
- third parties received the collected user information
The survey found that:
- 96 of the 100 hospital websites transmitted user data to third parties
- 71 websites had a privacy policy
- 69 websites listed the types of data gathered automatically, including IP address, web browser name and version, pages viewed, and the website the user came from
- 70 websites stated how the collected information would be used
- 66 websites described the categories of third parties that would receive the collected data
- only 40 named the specific third parties that would receive the information
Although some privacy policies name widely recognized recipients of the information, Google for example, the researchers observe that hospital websites send information to an average of 9 domains. Prior research suggests that many little-known organizations, including data brokers and businesses with little consumer-facing presence, obtain information from hospital websites. The researchers note that a considerable number of hospital websites do not give users sufficient detail about how their information will be collected and processed: either no privacy policy is accessible, or the policy does not say enough about how visitors' information is used.
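As an added illustration of the kind of check the study describes (this is example code, not the researchers' tooling or anything from the article), the following Python script lists the third-party domains an HTML page loads scripts, images, iframes and stylesheets from, and then flags those that the site's privacy policy never names. The hospital URL, the HTML page and the policy text are all constructed for the example; the domain reduction to the last two labels is a deliberate simplification, not a public-suffix-aware algorithm.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch a resource, and therefore
# send at least the visitor's IP address, user agent and referrer to that host.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect every resource URL referenced by the tags in RESOURCE_ATTRS."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def registrable_domain(host):
    """Reduce a host to its last two labels (www.example.org -> example.org).

    Simplification for the example: real audits should use a public-suffix list
    so that hosts like foo.co.uk are handled correctly.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def third_party_domains(html, first_party_url):
    """Return the sorted set of third-party domains the page loads resources from."""
    first_party = registrable_domain(urlparse(first_party_url).hostname or "")
    collector = ResourceCollector()
    collector.feed(html)
    found = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /app.js
        if not host:
            continue  # relative URL: served by the hospital itself
        domain = registrable_domain(host)
        if domain != first_party:
            found.add(domain)
    return sorted(found)


def undisclosed_domains(domains, policy_text):
    """Return the third-party domains that the privacy policy text never mentions."""
    text = policy_text.lower()
    return [d for d in domains if d not in text]


# Constructed sample input: a hypothetical hospital site and its privacy policy.
FIRST_PARTY_URL = "https://www.example-hospital.org/appointments"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="/static/app.js"></script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=GA_ID_PLACEHOLDER"></script>
  <script src="//connect.facebook.net/en_US/fbevents.js"></script>
  <script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
</head><body>
  <img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView" width="1" height="1">
  <img src="/images/logo.png">
</body></html>
"""
SAMPLE_POLICY = (
    "Our website uses Google Tag Manager (googletagmanager.com) to measure traffic. "
    "We may also share information with advertising partners."
)

if __name__ == "__main__":
    domains = third_party_domains(SAMPLE_HTML, FIRST_PARTY_URL)
    print("third-party domains contacted:", domains)
    print("not named in the privacy policy:", undisclosed_domains(domains, SAMPLE_POLICY))
```

Run against the constructed page, the script reports four third-party domains and three of them as absent from the policy text, which is the gap the study measured: a policy that names only a well-known vendor while the page also talks to other hosts. For a real review, fetch the page with a headless browser rather than static HTML, since tag managers load further trackers at runtime that never appear in the page source.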