Data tracking may be a HIPAA loophole
The vast majority of hospital websites use third-party data tracking code that collects information on user activity and sends it to a variety of other companies, according to new research published in Health Affairs. The 98.6 percent of hospital websites using this technology could be exposing their organizations to legal consequences, since the code could potentially give external companies access to sensitive health information about patients.
The research found that hospital websites were actively transferring information to large technology companies, social media platforms, advertisers and data brokers, none of whom are typical business associates under HIPAA.
“These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share,” the article states. “These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”
For some health systems, the threat of legal liability is already becoming a reality. Users have started to file lawsuits against dozens of health systems for using data tracking codes that share data without explicit consent.
In February, an anonymous individual headed a class action lawsuit against Cedars-Sinai Health System and Cedars-Sinai Medical Center in Los Angeles, alleging that “Cedars-Sinai transmitted to third parties portions of the patients’ private communications with it through pieces of data tracking code that it embedded in its website, for the sole purpose of sharing such information with marketing entities,” according to the filing. “This code served as real time wiretaps on patients’ communications.”
The suit accuses Meta, the parent company of Facebook and Instagram, as well as Google and Microsoft Bing, of being potential beneficiaries of the data.
Meanwhile, a separate class action suit has been filed directly against Meta and Advocate Aurora Health in Illinois, alleging that the companies violated several laws prohibiting the sharing of confidential health information without consent. The suit claims that Advocate Aurora Health uses Meta Pixel technology, one of the most popular data tracking tools, on its MyChart patient portal (branded as “LiveWell” for patients) that allows Meta to access personal health information (PHI) and other personally identifiable information (PII) sent through the portal.
Meta is implicated in many of these complaints, due to the ubiquity of the Meta Pixel technology. In 2022, journalists at The Markup found Meta Pixel was embedded in one-third of the websites belonging to Newsweek’s Top 100 Hospitals, allowing Meta to access a packet of information on a user every time they made an appointment request.
The data tracking tool allows Meta – and other companies with similar code – to target advertising to people based on their health inquiries or clinical data.
The Federal Trade Commission (FTC) appears to agree that hospital and healthcare systems’ use of data tracking technology is a growing problem area that needs greater attention. The agency called out health privacy issues and deceptive practices by technology platforms as areas of concern in its 2024 budget request for $590 million in federal funding, which should put unscrupulous actors on high alert.
Hospitals and health systems should consider reviewing their embedded third-party data tracking code and developing a clear understanding of how such code collects and sends data to external entities. Leaders should consult with privacy experts and legal authorities on the state and federal laws governing third-party data transfers and adjust their activities accordingly to remain in compliance and avoid legal action from users.
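A first step in the review recommended above is an inventory of which external hosts a page actually loads code and beacons from. The script below is an added example written for this article, not code from the Health Affairs study or any of the parties named; it parses a saved HTML page offline and reports third-party script, image, iframe and link sources plus inline snippets that call the Meta Pixel (`fbq`) or Google `gtag` APIs. The tracker hostname table and the inline-script signatures are hand-compiled assumptions rather than a vendor list, the first-party domain `example-hospital.test` and the sample appointment page are constructed, and the pixel id is a placeholder.

```python
"""Inventory of third-party resources and tracker signatures in a page's HTML.

Added example: parses saved HTML offline (no network) and reports which
external hosts a page loads code or beacons from. The hostnames, regexes and
sample page below are assumptions written for this example, not a vendor list.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-known loader/beacon hosts for the trackers named in the article
# (assumption: hand-compiled, not exhaustive; anything else is "unknown").
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader (fbevents.js)",
    "www.facebook.com": "Meta Pixel image beacon (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics collector",
    "bat.bing.com": "Microsoft Advertising UET tag",
}

# Inline-script signatures (assumption: hand-written, matched case-sensitively).
INLINE_SIGNATURES = {
    "Meta Pixel fbq init": re.compile(r"\bfbq\(\s*['\"]init['\"]"),
    "Google gtag config": re.compile(r"\bgtag\(\s*['\"]config['\"]"),
    "Microsoft UET queue": re.compile(r"\buetq\b"),
}
ABS_URL = re.compile(r"https?://[A-Za-z0-9.-]+[^\s'\"<>)]*")


class _Collector(HTMLParser):
    """Collects external resource URLs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, url) for script/img/iframe src and link href
        self.inline_scripts = []  # bodies of <script> elements without src
        self._script_buf = None   # None when not inside an inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "link" else a.get("src")
        if tag in ("script", "img", "iframe", "link") and url:
            self.resources.append((tag, url))
        if tag == "script":
            self._script_buf = None if url else []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None


def _is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def audit_html(html, first_party):
    """Return findings: external hosts the page loads from, plus inline tracker calls."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for tag, url in p.resources:
        host = urlparse(url).hostname
        if not host or _is_first_party(host, first_party):
            continue  # relative URL or same-organisation host
        findings.append({"where": tag, "host": host,
                         "label": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})
    for body in p.inline_scripts:
        for m in ABS_URL.finditer(body):  # loaders injected by inline bootstrap snippets
            host = urlparse(m.group(0)).hostname
            if host and not _is_first_party(host, first_party):
                findings.append({"where": "inline-script-url", "host": host,
                                 "label": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})
        for label, pat in INLINE_SIGNATURES.items():
            if pat.search(body):
                findings.append({"where": "inline-script", "host": None, "label": label})
    return findings


def third_party_hosts(findings):
    """Distinct external hosts, sorted, for a quick inventory."""
    return sorted({f["host"] for f in findings if f["host"]})


# Constructed sample: an appointment-request page that embeds a Meta Pixel
# bootstrap snippet, a gtag loader and the <noscript> beacon. Ids are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-hospital.test/vendor.js"></script>
<script>
!function(){/* loader body omitted in this sample */}('https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-PLACEHOLDER');</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<form action="/appointments/request"><input name="symptoms"></form>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "example-hospital.test"):
        print(f"{f['where']:18} {f['host'] or '-':28} {f['label']}")
```

Run against a page saved from a browser (or fetched by a crawler in a review), the report lists every non-first-party host; anything labelled "unknown third party" is a candidate for the vendor and business-associate review the article calls for. Static parsing only sees what is in the HTML at load time, so tags injected later by a tag manager still need to be checked with the browser's network inspector or a HAR capture of an appointment-request flow.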
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at email@example.com.