- The American Hospital Association urged lawmakers last week to back hospitals’ use of online tracking technologies, arguing that recent guidance from the HHS’ Office for Civil Rights is “flawed” and should be withdrawn immediately.
- In a request for information letter sent to the the Senate Committee on Health, Education, Labor and Pensions, the hospital lobby said that guidance released late last year on how HIPAA covered entities should use online trackers limits hospitals and health systems from sharing reliable healthcare information and inflicts “meaningful harm” on patients.
- Regulators have been cracking down on healthcare providers’ use of tracking technologies, which gather information about how users interact with websites and apps. They argue the tools send visitors’ personal health information to technology vendors.
Third-party tracking technologies are extremely common on hospital websites, according to a study published this spring in Health Affairs. The research found almost 99% of U.S. hospitals used tools to track users’ personal information, including visits to web pages on conditions like depression, HIV, Alzheimer’s disease and breast cancer.
The tracking tools are also frequently used on direct-to-consumer telehealth websites, according to a recent investigation by Stat and the Markup. The report found 49 out of 50 websites studied shared URLs consumers visited with technology companies, while 35 sent personal information like name and email address and 13 collected data on consumers’ answers to questionnaires.
Regulators have been warning healthcare providers about using these trackers, saying they risk disclosing users' health data to third parties like social media sites or other technology companies.
The OCR released guidance in December on how entities covered by HIPAA should use trackers. The notice argued all identifiable health information collected on provider websites or apps is generally protected health information, even if the patient doesn’t have a relationship with the provider or if the data doesn’t include specific treatment or billing information.
The OCR and the Federal Trade Commission continued to push back against tracking technology this summer, sending a letter to about 130 hospitals and telehealth providers with a warning that they should “exercise extreme caution” when using trackers.
But the hospital lobby argues the guidance is bad policy. AHA Executive Vice President Stacey Hughes wrote in the letter that analytics and location tools provide critical data about community medical questions, where patients have trouble navigating their websites and where users can access nearby healthcare services.
“Community members and public health are ultimately suffering the consequences of not having the most reliable health information available to them because hospitals and health systems cannot risk the serious consequences that flow from OCR’s unlawful rule, including HIPAA enforcement actions, class action lawsuits or the loss of significant investments in existing websites,” she wrote.
The letter also urged lawmakers to enact a full preemption provision for HIPAA, noting that federal law doesn’t override state law when it’s more strict than HIPAA requirements. The lobby argued hospitals face “unnecessary regulatory burden” when trying to follow a patchwork of state and federal laws and prevents information sharing.