Tracking code has been used on virtually all hospital websites, according to a new study conducted by researchers at the University of Pennsylvania. The researchers analyzed almost 3,750 hospital websites and found that 98.6% of them had at least one transfer of visitor data to a third party via tracking code on the website, and 94.3% had at least one third-party cookie.
The study was conducted over three days in 2021 using a tool called WebXray, which identifies third-party tracking code, recorded data requests, and third-party cookies. The researchers report a median of 16 data transfers per day from the websites. Tracking code, such as Google Analytics and the Meta Pixel, is added to many websites across the Internet to provide insights into user behavior while on the sites. The tracking code collects data on visitor numbers, visitor website interactions, and other metrics that can be used to improve the functionality of websites and the user experience.
The problem with using the code on hospital websites is that it can potentially collect protected health information. The data collected by these code snippets is usually sent to the third party that provides the code, and the transmitted information can be used for purposes not permitted by HIPAA. A website visitor could visit a web page related to a specific medical condition, and that information would be transferred to a third party and could be used to build up a profile. The user could then be served targeted ads related to that condition.
These disclosures are not permitted by the HIPAA Privacy Rule unless the third party receiving the PHI is a business associate of the hospital and has signed a business associate agreement or if prior authorization to disclose the information has been obtained from the patient. The HHS’ Office for Civil Rights (OCR) recently published guidance on the use of tracking technologies by HIPAA-regulated entities that made it clear that disclosures without patient authorizations or business associate agreements violate HIPAA. These disclosures must be reported to OCR and require individual notifications.
The study revealed that many hospitals have multiple trackers on their websites, all of which transfer data to the providers of the code. The most common tracking code sent data to Alphabet, Google’s parent company, and was found on 98.5% of hospital websites. The second most common was the Meta Pixel, found on 55.6% of hospital websites. The Meta Pixel transfers data to Meta, and that information can be passed on to advertisers to allow targeted advertisements to be displayed to individuals. Tracking code was also found from AT&T, Amazon, Microsoft, Crazy Egg, Nielsen Online, Golden Gate Capital, and many more companies.
“These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share,” wrote the researchers. “These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”
The study was conducted before OCR released guidance on the use of these trackers and it is unclear to what extent hospitals have been removing the code. OCR has made it clear the code may violate HIPAA, the Federal Trade Commission is cracking down on disclosures of health data by non-HIPAA-covered entities, and lawyers across the country are filing lawsuits over these disclosures. Hospitals should therefore conduct an audit of their websites to identify if tracking code is present and should make sure that it is not impermissibly disclosing data to third parties.
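The audit the article recommends can be started from a page's HTML: list every resource loaded from a host other than the hospital's own, and flag hosts and inline bootstrap snippets associated with known trackers. The script below is an added example, not code from the article or from the WebXray tool it mentions. The hospital hostname, the tracker host list, the inline-snippet patterns and the sample page are all constructed for illustration; a real audit would use a maintained tracker list and would also record cookies set by those hosts.

```python
"""Audit a hospital web page's HTML for third-party tracking code.

Added example: parses an HTML document with the standard library,
lists every resource fetched from a domain other than the site's own,
and flags hosts and inline snippets that belong to known trackers.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative list of tracker hostnames (not exhaustive).
KNOWN_TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
}

# Function calls that inline tracker bootstrap snippets typically make.
INLINE_PATTERNS = {
    "Google Analytics / gtag": re.compile(r"\bgtag\s*\(|\bga\s*\("),
    "Meta Pixel": re.compile(r"\bfbq\s*\("),
}


class ResourceCollector(HTMLParser):
    """Collect external resource URLs and inline <script> bodies."""

    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) for every src/href seen
        self.inline_scripts = []   # full text of each inline <script>
        self._script_buf = None    # buffer while inside an inline script

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append((tag, attrs[attr]))
        if tag == "script" and not attrs.get("src"):
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def audit_page(html, site_host):
    """Return a list of findings: third-party resources and inline trackers."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.resources:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # relative paths have an empty netloc and are first-party.
        host = urlparse(url).netloc.lower()
        if not host or host == site_host:
            continue
        label = KNOWN_TRACKER_HOSTS.get(host, "unknown third party")
        findings.append({"kind": "third_party_resource", "tag": tag,
                         "host": host, "label": label})
    for body in parser.inline_scripts:
        for label, pattern in INLINE_PATTERNS.items():
            if pattern.search(body):
                findings.append({"kind": "inline_tracker", "tag": "script",
                                 "host": None, "label": label})
    return findings


# Constructed sample page: a Google tag, a Meta Pixel bootstrap with its
# <noscript> fallback image, a first-party stylesheet and logo, and one
# unknown third-party script.
SAMPLE_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* pixel bootstrap elided */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000');
  fbq('track', 'PageView');
</script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="/images/logo.png">
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000&ev=PageView&noscript=1"></noscript>
<script src="https://cdn.example-analytics.net/collect.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, "www.hospital.example"):
        print(f"{f['kind']:22} {f['tag']:7} {f['host'] or '-':32} {f['label']}")
```

Each finding is a lead to follow up, not a verdict: an unknown third-party host may be a CDN the hospital controls under a business associate agreement, and a known tracker host may be loaded only on pages that carry no health-related content. The audit becomes meaningful once each flagged host is mapped to a contract and to the pages (condition, appointment, patient-portal) on which it fires.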