New York-Presbyterian Hospital (NYP), a large academic medical center, recently agreed to pay a $300,000 fine to state regulators.
What happened
The New York State Attorney General’s office and NYP settled a privacy violation. Allegedly, NYP used tracking technology in its patient portal and website.
According to court documents, NYP operates ten hospitals across New York City and surrounding areas, receiving more than 2 million visits annually. Between June 2016 and June 2022, NYP used third-party tools on their websites to track visitor information for marketing purposes.
Most third parties received the user’s IP address and information about what they were researching, other third parties received information on the user’s cookies, and Meta may have received names, email and mailing addresses, and gender information.
NYP has agreed to pay a fine of $300,000 and institute several corrective measures.
Going deeper
The U.S. Department of Health and Human Services (HHS) issued a guidance stating that HIPAA-covered entities could not use tracking in a way that could result in Protected Health Information (PHI) being disclosed.
Despite the clear stance, stopping the usage of tracking tools is more complex than it may appear. Many hospitals relied on third-party organizations that required the usage of tracking. Hospitals are finding themselves either having to renegotiate with the third parties they use, or cease working with certain ones altogether.
For NYP, alongside the fine, they’ll have to follow a plan to ensure data is protected in the future. Requirements include the deletion of patient data from the tracking tools and an audit, review, and test of any future tools to determine if a tool may have access to PHI. In one year, NYP will undergo an independent assessment to ensure they have resolved any privacy concerns.
Why it matters
Beginning in 2023, Paubox has seen a slew of lawsuits regarding pixel usage. Even when a hospital ceases use, like NYP ultimately did, it can still be found responsible for the potential damages caused.
While Meta and Google are frequently talked about when it comes to pixel usage, this case is an important reminder that pixels can be found in a variety of tools. NYP’s website was also found to have tags from third parties including Bing, DoubleClick, iHeartMedia, TikTok, the Trade Desk, and Twitter.
Hospitals or other HIPAA covered entities should carefully assess all tools for potential tracking technology.
Read more: Meta claims hospitals are to blame for Meta Pixel HIPAA violations
What was said
In a statement, NYP said, “We are pleased to have reached a resolution with the New York State attorney general on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority.”
The bottom line
NYP, with multiple large hospitals, can continue to serve patients despite the penalties and changes required by the attorney general.
For small operations, it can be much more difficult to recover from financial losses or the sometimes significant changes to policy and procedures. Organizations should always be diligent regarding HIPAA compliance to ensure they avoid hefty fees or exposing patient data.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
