Research shows that sharing hospital website user data with third parties is common



A new statistical analysis of 90 different hospital websites, drawn from a nationally representative sample of 100 community hospitals, shows which providers, when they had a privacy policy in place, did not accurately disclose their use of third-party tracking technology to consumers.

In addition to comparing details about the third parties receiving collected user data, user rights, and potential uses, the study also looked at the readability of existing policies.

Among community hospitals in the study whose privacy policies disclosed that they transfer data to third parties, about three-quarters stated that user information would be used for advertising and marketing purposes, while half disclosed the names of third-party companies.

WHY IS IT IMPORTANT?

Those statistics show how widespread the use of online tracking tools is for hospitals and health systems, even as they face scrutiny – and sometimes lawsuits – from patient privacy advocates.

To determine the usability of website privacy policies in a sample of non-federal acute care hospitals, researchers also analyzed the policies' language on the collection and use of user information, according to the study on hospital user information sharing and website privacy policies published by JAMA Network last week.

They looked specifically at how community hospitals explain how website visitor data – IP addresses, pages visited within the website, contact information and demographic information that the website collects – is shared with third parties, including Google and Meta.

In a cross-sectional analysis of a nationally representative sample of 100 non-federal acute care hospitals, 96% of hospital websites had at least one third-party data request, while only 71% had a publicly accessible privacy policy.

Most pass data to an average of nine third-party domains, with an average of nine third-party cookies – “small pieces of code stored on a user’s browser that can act as a persistent identifier that allows third parties to track users across multiple websites,” the researchers noted.

“A significant number of hospital websites did not provide users with adequate information about the privacy implications of using the website, either because they lacked a privacy policy or had a privacy policy that contains restrictions on third-party recipients of user information,” they said in the report.

The researchers also reported that 56.3% of existing policies – 40 – disclosed the specific third-party companies receiving user information, with Google being the most commonly named pixel tracker.

The most commonly disclosed types of third-party recipients are:

  • Carrier – 50 policies or 70.4%
  • Marketers and advertisers – 27 policies or 38.0%
  • Next company owner – 27 policies or 38.0%

The researchers note that they did not include separate notice of privacy practices (NPP) documents in their study, which took place from November 2023 to January 2024. An NPP describes how an organization covered by HIPAA will process protected health information collected during clinical visits and billing.

BIGGER TREND

With the HHS Office for Civil Rights, which investigates violations involving protected health information collected during clinical examinations and claims processing, aiming to place safeguards around the use of online tracking tools by HIPAA-protected entities, vendors that violate the privacy of website users may find themselves in hot water, even if the PHI is not transferred to a third party without the patient’s consent.

Last year, OCR and the Federal Trade Commission, which investigates data breaches, sent a joint letter to 130 hospitals and health systems warning them about the privacy and security risks involved in third-party tracking tools that may share sensitive medical data with advertising partners.

The American Hospital Association has criticized OCR’s efforts to limit online tracking tools for website user data and potentially fine them, filing a lawsuit last year.

While plaintiffs in several lawsuits against hospitals and health systems over the use of pixel trackers argue that vendors are allowing entities not covered by HIPAA to eavesdrop on sensitive health communications, the AHA maintains that even with OCR’s online tracker policy revision last month, it is a “regulatory violation” when it comes to website user data.

“Disclosure of PHI to tracking technology vendors for marketing purposes without the individual’s HIPAA-compliant authorization constitutes an impermissible disclosure,” OCR states in the revised guidance.

ON THE RECORD

“These findings suggest that hospitals may not be providing patients and other website users with adequate information about the privacy implications of website use,” the researchers said in the JAMA Network study.

“While federal law does not generally require hospitals to have a website privacy policy disclosing their methods of collecting and transmitting data from website visitors, hospitals that do publish a website privacy policy may be subject to enforcement by regulatory agencies such as the Federal Trade Commission.”

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
