The Department of Health and Human Services and the Federal Trade Commission sent a joint letter to hospitals this summer warning them that using third-party analytics tools on their websites could violate HIPAA. But a new analysis from data security company Lokker found that hospitals are doing a poor job of fixing their websites and preventing patient data collection.
Some common examples of third-party analytics software used by providers include Meta Pixel, Google Analytics and Adobe Analytics. These tools are usually free and can give hospitals insight into the way consumers use their websites, but the tech companies who provide this software can also use patient data to profile Internet users as they browse.
The letter sent by HHS and the FTC was just the latest action in a saga that began in June of last year when The Markup published an investigation about healthcare providers’ use of web tracking tools. The report found that many provider websites were using these tools and unintentionally sharing people’s personal health information with social media companies.
Lokker looked at 22 hospitals that have been named in class-action lawsuits for using online trackers in 2022 and early 2023, including Cedars-Sinai, UPMC and Advocate Aurora Health. Most of them were still using third-party analytics tools on their websites.
For example, 13 of the 22 hospitals had Google Analytics’ tracking technology on their site — even though HHS’ Office of Human Rights warned providers in December that this tool can violate HIPAA. Another tracking tool made by Google, the DoubleClick tracker, was used by 17 of the hospitals.
Eight of the hospitals included in the analysis used session recording tools — which can record users’ behavior online without their knowledge or consent. These trackers can sometimes record sensitive data, such as information typed into forms or search bars, Lokker CEO Ian Cohen pointed out in an interview.
“If I search for a symptom checker for cancer or addiction, I don’t want that data going to Facebook,” he said. “Now I have a social media company knowing that I’m looking for cancer symptoms online, but I don’t want to share that. There’s just a vast overcollection of data, and when that applies to a highly regulated space like healthcare, it’s pretty uncomfortable and pretty plain for a normal person to see why it’s not a good thing.”
The analysis also looked at 20 additional hospitals that were not facing legal action for their use of web tracking tools. Eighty percent of these hospitals were using the DoubleClick tracker, 60% were using Google Analytics, 25% were using Meta Pixel and 30% were using session recording tools.
Additionally, the analysis examined the websites of the country’s 10 largest children’s hospitals by revenue. They were included to see if extra precautions were taken by these providers, given the significance of children’s privacy and data sharing. The answer was “no” — all hospitals had the DoubleClick tracker on their websites, 90% had Google Analytics, and half had Meta Pixel and session recording tools.
Hospitals aren’t failing to comply with privacy standards because they’re ignoring the problem, though. Data privacy compliance is not easy to achieve, especially as web tracking technology gets more advanced, Cohen declared. There are dozens of privacy laws to keep up with, and they often vary from state to state, he explained.
When hospitals build their websites, they use a lot of third-party software. Not only do they use dozens of third-party tools, but those third parties use other third-party tools as well, Cohen noted. This results in an “exponential growth of the number of people who can track data on a website,” which is a hard thing to control, he pointed out.
“And if a hospital went and just shut down all of their third parties, their sites would be almost unusable. It’s actually a pretty hard task,” Cohen said.
While compliance can be difficult, noncompliance can be expensive, he noted. Hospitals that are facing class-action lawsuits from patients over the use of web tracking technology will likely have to cough up millions of dollars, Cohen predicted.
To ensure they are not violating HIPAA, hospitals “need tech to fix tech,” he declared — they need to adopt software that constantly scans their websites to see if third-party tracking tools are accessing patient data.
“You can’t rely on consent alone. A lot of people use tools like consent, but that’s not working. I’m not saying it’s not part of the solution, but it’s not working. You need to actually have real-time detection and enforcement to see if bad things are happening on your site. You need to be able to detect it and block it,” Cohen explained.
Photo: roshi11, Getty Images