Discover your responsibilities in protecting patient internet use data.

Most websites collect data about their visitors through tracking technology, and healthcare providers’ websites are no exception. Website user data like this is often collected by third-party sources that analyze it to better understand visitors’ habits and produce more, and better targeted, advertisements. But this common practice can be a thorny issue for healthcare providers. Keep reading to distinguish data tracking myths from reality.

Myth 1: Tracking Technology Doesn’t Exist in a Free Country Like the U.S.

Reality: Tracking technologies are codes or scripts embedded in websites or mobile apps that third parties use to collect and analyze data to understand users’ online activities, and they are certainly present in the U.S. App developers also use tracking technology to gather mobile device information, such as the device ID or advertising ID. Third parties use the mobile device information to construct individual profiles for each app user.

Examples of tracking technologies include:

Common tracking technology services include, but are not limited to:

Myth 2: Tracking Technology Exists Only for Ecommerce Websites

Reality: While you might expect this technology to exist on shopping websites and social media, many healthcare organization and hospital websites, as well as health-related apps, are built with tracking technology. In the April 2023 issue of Health Affairs, University of Pennsylvania researchers published their findings after surveying third-party tracking technology on hospital websites. Researchers evaluated 3,747 U.S. hospitals’ websites over a three-day period in 2021. The team used an open-source software tool, WebXray, to identify third-party tracking code and recorded data requests on the hospitals’ websites. The researchers found that 98.6 percent of the hospitals had at least one tracking code type on their websites that transferred information to third parties.
The study also showed that 94.3 percent of hospitals used at least one third-party cookie. “By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote Ari B. Friedman, MD, PhD, assistant professor of emergency medicine at the Perelman School of Medicine at the University of Pennsylvania in Philadelphia, Pennsylvania, and the other researchers. Companies that have access to the data could use the information to generate targeted advertising that addresses each patient’s health conditions or concerns. The targeted ads could promote certain medications or treatments.

Myth 3: HIPAA Doesn’t Extend to Website Usage

Reality: In addition to the technology’s benefits, organizations must be aware of the potential risks associated with using the technology. One major risk is unauthorized disclosure of patients’ protected health information (PHI). In fact, the technology needs to be compliant with HIPAA regulations. According to the Department of Health and Human Services (HHS), “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
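The kind of audit the Health Affairs study automated with WebXray, written here as an added example (not the study’s tool or this page’s code): it lists every host other than the first party that a hospital page loads scripts, images, frames or links from, and flags requests whose query string echoes the visited URL or an on-site search term, which is exactly the visitor data the page describes being handed to third parties. The hospital and vendor hostnames, the HTML and the search term are constructed.

```python
"""Audit an HTML page for third-party resource requests that may carry visit data off-site."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) for every externally fetched resource in the page."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") if tag in ("script", "img", "iframe") else None
        if tag == "link":
            url = attrs.get("href")
        if url:
            self.resources.append((tag, url))


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the .org/.com/.net sample hosts."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_page(html, page_url, search_terms=()):
    """Return one finding per third-party request: its tag, host, and what it echoes."""
    collector = _ResourceCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    first_party = registrable(page.hostname or "")
    findings = []
    for tag, url in collector.resources:
        if url.startswith("//"):          # protocol-relative URLs still leave the site
            url = "https:" + url
        parts = urlsplit(url)
        if not parts.hostname or registrable(parts.hostname) == first_party:
            continue                      # relative or same-site: not a third-party request
        query = unquote(parts.query)
        leaks = []
        if page_url in query or (len(page.path) > 1 and page.path in query):
            leaks.append("page_url")      # visited URL (incl. search params) sent to vendor
        leaks += [f"search_term:{t}" for t in search_terms if t.lower() in query.lower()]
        findings.append({"tag": tag, "host": parts.hostname, "leaks": leaks})
    return findings


# Constructed sample: a find-a-doctor page loading a first-party CDN, an ad-network tag,
# a 1x1 pixel that echoes the page URL and search term, and a maps embed.
PAGE_URL = "https://www.example-hospital.org/find-a-doctor?specialty=oncology"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-hospital.org/js/app.js"></script>
<script src="https://tracker.example-adnetwork.com/tag.js"></script></head><body>
<img src="https://pixel.example-adnetwork.com/collect?dl=https%3A%2F%2Fwww.example-hospital.org%2Ffind-a-doctor%3Fspecialty%3Doncology&q=oncology" width="1" height="1">
<iframe src="https://maps.example-maps.net/embed?loc=main-campus"></iframe></body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, PAGE_URL, search_terms=("oncology",)):
        print(f"{f['tag']:7} {f['host']:32} leaks={f['leaks'] or 'none'}")
```

Run against a saved copy of a live page, the findings list is the set of vendors that would need a business associate agreement or removal, and any non-empty `leaks` entry is a candidate impermissible disclosure to review.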
Regulated entity definition: Regulated entities are better known as business associates regarding compliance. According to the HHS, a business associate is any person or organization that performs actions where they are required to use or disclose PHI “on behalf of, or [provide] services to, a covered entity.” Examples of business associates include pharmacies, medical coders, and consultants who perform use reviews for hospitals.

Releasing the patients’ PHI without their consent could lead to identity theft, data breaches, fraud, and scams. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals,” Dr. Friedman wrote in the University of Pennsylvania study.

Myth 4: No One Is Paying Attention to Tracking Safety

On July 20, 2023, the Federal Trade Commission (FTC) and the HHS Office for Civil Rights (OCR) issued a joint letter warning telehealth providers and hospital systems of tracking technology risks. The letter highlights privacy and security risks associated with using tracking technologies in websites and mobile apps. The agencies listed the following items as sensitive information that could be impermissibly disclosed:

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, director of the OCR, in a press release.

Myth 5: Providers Don’t Need to Worry About Enforcement Actions

Reality: Healthcare organizations must remain vigilant to ensure the code in their websites or mobile apps remains HIPAA compliant — especially if the code contains tracking technology that transfers data to a third party.
If that technology violates HIPAA compliance and shares PHI or ePHI with outside entities, then your organization and the third parties can face monetary and legal penalties. For example, from June 2016 to June 2022, the New York-Presbyterian Hospital system used third-party tracking tools on the system’s websites to monitor website visitors’ activities. The data was then used for marketing purposes. The tracking technologies collected a wide range of information about the hospital’s website visitors, including IP addresses, webpage URLs, searched doctors, and searched health conditions. Third parties may have also received information unique to each user’s device. On Dec. 27, 2023, New York Attorney General Letitia James and The New York-Presbyterian Hospital reached a settlement in which the hospital paid $300,000 to the state for unauthorized disclosures of health information of website visitors.