Federal privacy regulations inadequately address third-party tracking, posing risks to patients and hospitals.
Why it matters:
A study by Health Affairs reveals that 98.6% of US nonfederal acute care hospital websites use third-party tracking, which can lead to privacy breaches, targeted advertising, and potential legal liabilities for hospitals. This is especially concerning, given that federal privacy regulations do not adequately address third-party tracking.
In the know:
The Health Affairs study shows that hospital websites are sharing potentially sensitive patient data with large technology companies, social media companies, advertising firms, and data brokers. Hospitals within health systems, those affiliated with medical schools, and those serving urban patient populations were found to expose visitors to higher levels of tracking.
The OCR guidance connection:
The Office for Civil Rights (OCR) has issued guidance concerning online tracking and the Health Insurance Portability and Accountability Act (HIPAA). The guidance, which can be found here, warns covered entities of the risk of breaches, penalties, and fines associated with the use of third-party tracking on their websites. However, the prevalence of third-party trackers on hospital websites suggests that the guidance has not yet led to widespread change.
Dignitary harms and targeted advertising:
The widespread use of third-party tracking on hospital websites can result in "dignitary harms," or situations where sensitive health information is accessed by third parties without the individual's consent. This can lead to targeted health-related advertising, which may exploit patients' vulnerabilities and privacy.
Legal liability:
As hospitals facilitate the profiling of patients by third parties through tracking code on their websites, they expose themselves to potential legal liability. This can include HIPAA violations, which carry hefty fines and can damage a hospital's reputation.
FTC crackdown on privacy violations:
The Federal Trade Commission recently fined BetterHelp, an online therapy platform, $7.8 million for similar privacy violations. BetterHelp was found to have shared sensitive data with third-party trackers, violating its privacy promises. This indicates a crackdown on companies that engage in practices that compromise users' privacy and signals that the government is taking privacy breaches seriously.
The need for stronger privacy regulations:
Current federal privacy regulations do not adequately protect patients from the risks associated with third-party tracking. Strengthening privacy regulations and ensuring that hospitals comply with them would help safeguard sensitive patient information from being accessed and exploited by third parties.
Industry response and self-regulation:
While awaiting changes in privacy regulations, hospitals, and the healthcare industry should adopt a proactive approach to self-regulation. This includes:
- Carefully reviewing their use of third-party tracking on websites.
- Implementing privacy-by-design principles.
- Investing in robust data protection strategies to minimize privacy risks for patients.
Related: HIPAA Compliant Email: The Definitive Guide
The bottom line:
The widespread use of third-party tracking on hospital websites poses significant risks to patient privacy and may result in legal liabilities for hospitals. More robust privacy regulations, proactive measures by hospitals, and self-regulation within the healthcare industry are needed to safeguard sensitive patient information from being accessed and exploited by third parties.
Dean Levitt
