HIPAA hypocrisy? 99% of hospital websites send patient data to third parties

Nearly every U.S. hospital shared data with third-party trackers in 2021 and “some significant portion of these are including protected health information,” according to a new Health Affairs study.


HIPAA, the Health Insurance Portability and Accountability Act, was designed to safeguard consumers’ medical privacy. But what happens to that protection when medical information is shared with third-party trackers, as frequently occurs?

Nearly every U.S. hospital shared data with third-party trackers in 2021, according to a study published in Health Affairs.

“We’re not saying that every single one of these things is a HIPAA violation,” said Dr. Matthew McCoy, co-author of the study and assistant professor of medical ethics at the University of Pennsylvania. “But there’s just thousands and thousands and thousands of them. And it’s reasonable to believe that at least some significant portion of these are including protected health information.”

Of more than 3,700 hospital homepages identified by researchers, 98.6% had at least one third-party data transfer and 94.3% had at least one cookie in August 2021. An investigation last June found that 33 hospital websites were sharing health information with Facebook from a tracker known as the Meta pixel, which has led to class-action lawsuits. In December, the federal government issued new guidance around trackers and what web activity might be subject to HIPAA, even if the person browsing the website isn’t an existing patient.


Third-party tracking code is most often placed on a site by technology vendors that offer website analytics, social media widgets or reports on how online advertisements perform, in exchange for access to the data the trackers collect. When a page loads a script, image or frame from a vendor’s host, the browser sends that host the page URL being viewed along with any cookies it has set. A cookie lets the tracker recognize the same browser across days and weeks of browsing, which is how certain ads seem to follow a person around the internet.
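A first check along the lines of the study’s website scan, written here as an added example and not taken from the article or the Health Affairs study: a Python script that parses a hospital homepage and lists every host the page would contact outside the hospital’s own domain, distinguishing resources named in `src`/`href` attributes from loaders that inline scripts inject at runtime. The sample HTML, the fictional hospital domain and the short table of tracker labels are constructed for illustration; the registrable-domain logic is a simplification that ignores the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a resource, sending the page
# URL (Referer) and any stored cookies to whatever host the URL names.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Absolute URLs inside inline <script> blocks: pixel and tag-manager snippets
# usually inject their loader dynamically, so the host never appears in a
# static src attribute and a scan of attributes alone would miss it.
INLINE_URL = re.compile(r'''https?://[A-Za-z0-9.-]+[^\s'"<>]*''')

# Illustrative labels for a few widely documented tracker loaders. This is an
# assumption for the example, not a vetted block list.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta pixel loader (fbevents.js)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}


class ResourceCollector(HTMLParser):
    """Collect every URL the page would load, noting where it was found."""

    def __init__(self):
        super().__init__()
        self.urls = []            # (url, "attribute" | "inline-script")
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name:
            url = dict(attrs).get(attr_name)
            if url:
                self.urls.append((url, "attribute"))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in INLINE_URL.findall(data):
                self.urls.append((url, "inline-script"))


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: no public suffix list,
    so multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_hosts(html, first_party_url):
    """Return {host: {"via": [...], "label": str | None}} for every host the
    page contacts outside the first party's registrable domain."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    own = registrable_domain(urlsplit(first_party_url).hostname)
    found = {}
    for url, origin in collector.urls:
        host = urlsplit(url).hostname       # also handles '//host/path' forms
        if not host or registrable_domain(host) == own:
            continue
        host = host.lower()
        entry = found.setdefault(host, {"via": set(), "label": KNOWN_TRACKERS.get(host)})
        entry["via"].add(origin)
    return {h: {"via": sorted(e["via"]), "label": e["label"]}
            for h, e in sorted(found.items())}


# Constructed homepage for a fictional hospital; not a real site or real IDs.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  // stand-in for a pixel snippet that injects its loader at runtime
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
</script>
</head><body>
<img src="https://cdn.example-hospital.org/logo.png">
<iframe src="https://www.youtube.com/embed/placeholder"></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = third_party_hosts(SAMPLE_HTML, "https://www.example-hospital.org/")
    for host, info in report.items():
        print(f"{host:28} via {','.join(info['via']):24} {info['label'] or ''}")
```

A static scan of the homepage is only a floor. Anything a tag manager loads after the page runs appears only under browser instrumentation, and the HHS guidance discussed below is concerned with deeper pages such as appointment booking and condition look-ups, so each of those URLs needs the same check, not just the front page.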

In December, the federal agency responsible for enforcing HIPAA, the Office for Civil Rights within the Department of Health and Human Services, issued new guidance specific to online trackers. It indicated that if these trackers are present on, or follow someone to, other parts of the website, such as booking an appointment or looking up information about a specific disease, that activity potentially could fall under HIPAA.

Some hospitals previously may have believed that their obligations regarding protected health information started when someone registered as a patient, said Adam Greene, a partner at Davis Wright Tremaine, who formerly worked in the Office for Civil Rights. “What this guidance says is, ‘No, you have to go beyond that and look at exactly what information you’re collecting from the website,’” he said.

Greene said it’s important for hospitals to evaluate their websites and determine what information is being shared with third-party tracking vendors. “Certainly the risk goes up of an enforcement action once they’ve done this shot across the bow,” he said.