- Almost 99% of hospital websites include tracking software that transfers data to third parties, including technology and social media companies, data brokers, advertisers and even private equity firms, according to a new study.
- The study, published in Health Affairs, analyzed data from 2021 and found almost every U.S. hospital used data tools to track and share visitors’ personal information, including from visits to pages on conditions like depression, HIV, Alzheimer’s disease and breast cancer.
- Nonprofit hospitals affiliated with medical schools and hospitals in urban areas had higher levels of third-party tracking than other facilities.
The new study, conducted by researchers at the University of Pennsylvania, reveals the distance between expectations of healthcare privacy and reality in the U.S., where existing privacy law doesn’t cover many healthcare actions taken online.
Researchers found that hospitals’ widespread use of third-party tracking code allows companies not subject to the HIPAA privacy protections to observe people’s browsing behavior across hospital websites.
As a result, by including third-party tracking code on their websites, hospitals are facilitating patient profiling, which can result in parties gaining access to sensitive health information that patients might not want shared.
The practices could also lead to targeted advertising based on health, in addition to legal liability for hospitals, researchers said.
Hospitals commonly shared visitor information with advertising giants like Alphabet and Meta, along with a variety of other companies including Golden Gate Capital, a PE firm based in San Francisco, and media company Nielsen, according to the study.
Tech giants Alphabet and Meta are the most frequent companies with which hospitals share user data
To conduct the study, researchers used an open-source tool called WebXray that records third-party tracking, and recorded data requests on hospital websites that initiated data transfers to third-party domains over a three-day period in August 2021. Researchers also recorded the presence of cookies, or data stored on a user’s browser that allow them to be identified and tracked across multiple websites.
Of the almost 3,750 hospital home pages studied, 98.6% had at least one third-party data transfer, while 94.3% had at least one third-party cookie. Overall, hospital website home pages had a median of 16 third-party transfers, the study found.
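A small audit in the spirit of the WebXray method described above, as an added example that is not the study's or WebXray's code: it classifies each recorded request as first- or third-party by comparing registrable domains, counts third-party transfers and cookies per page, and aggregates them the way the study reports (share of pages with at least one transfer or cookie, median transfers). The crawl log, the `.example` hostnames, the `adtech-vendor.example` domain and the abbreviated public-suffix list are constructed assumptions.

```python
from statistics import median
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List; a real audit should
# use the full list (for example via the tldextract package).
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname, e.g. 'facebook.net' for 'connect.facebook.net'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])

def is_third_party(page_url: str, request_url: str) -> bool:
    """A request is third-party when its registrable domain differs from the page's."""
    hosts = (urlsplit(u).hostname or "" for u in (page_url, request_url))
    return len({registrable_domain(h) for h in hosts}) == 2

def audit(crawl):
    """crawl: iterable of (page_url, request_url, response_set_cookie).
    Returns per-page counts of third-party transfers, cookies and domains."""
    per_page = {}
    for page, req, set_cookie in crawl:
        s = per_page.setdefault(page, {"transfers": 0, "cookies": 0, "domains": set()})
        if is_third_party(page, req):
            s["transfers"] += 1
            s["cookies"] += int(set_cookie)
            s["domains"].add(registrable_domain(urlsplit(req).hostname or ""))
    return per_page

def summarize(per_page):
    """Aggregate like the study: share of pages with >=1 transfer/cookie, median transfers."""
    counts = [s["transfers"] for s in per_page.values()]
    n = len(counts)
    return {"pages": n,
            "pct_with_transfer": 100.0 * sum(c > 0 for c in counts) / n,
            "pct_with_cookie": 100.0 * sum(s["cookies"] > 0 for s in per_page.values()) / n,
            "median_transfers": median(counts)}

# Constructed crawl log: (page URL, request URL, did the response set a cookie?)
CRAWL = [
    ("https://www.mercy-hospital.example/conditions/depression", "https://www.googletagmanager.com/gtm.js", False),
    ("https://www.mercy-hospital.example/conditions/depression", "https://connect.facebook.net/en_US/fbevents.js", False),
    ("https://www.mercy-hospital.example/conditions/depression", "https://www.facebook.com/tr", True),
    ("https://www.city-general.example/", "https://www.google-analytics.com/collect", True),
    ("https://www.city-general.example/", "https://pixel.adtech-vendor.example/p.gif", True),
    ("https://www.riverside-clinic.example/", "https://www.riverside-clinic.example/site.js", False),
    ("https://www.lakeview-medical.example/", "https://www.googletagmanager.com/gtm.js", False),
]
```

Running `summarize(audit(CRAWL))` on the constructed log reports 75% of pages with a third-party transfer, 50% with a third-party cookie and a median of 1.5 transfers; a page that loads only first-party resources still counts toward the denominator, which matters when reporting the "at least one" percentages.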
Researchers called the tracking “ubiquitous and extensive” in concluding that “nearly all hospitals allow third parties to capture data about how patients and other users navigate their websites.”
“Hospitals have a responsibility to protect patients from unnecessary risks, including risks to their privacy,” researchers wrote.
HIPAA regulates the privacy and security of health information held by covered entities, including hospitals, that electronically transmit health information for purposes like billing or administration. The law’s protections are strict but relatively limited in an era of interconnected health information.
In December, HHS issued guidance saying that HIPAA rules apply even to hospitals’ web pages, including public-facing home pages. The guidance implies HIPAA would apply to third-party data transfers on hospital websites.
The Federal Trade Commission has been increasingly cracking down to protect consumers’ sensitive medical information online, including through recent enforcement against companies like GoodRx and BetterHelp. Regulators haven’t taken recent action against hospitals, though facilities have faced lawsuits over alleged privacy violations.
In 2021, Mass General Brigham and the Dana-Farber Cancer Institute agreed to pay $18 million to settle allegations their networks didn’t obtain consent for their websites’ use of third-party tracking tools.