Hospitals and healthcare organizations have come under fire for their use of third-party web tracking technologies and analytics software like Facebook parent company Meta’s Pixel tracker.
These tech tools provide traffic monitoring metrics and insights for hospitals but also often gather and send identifiable information about users to outside parties, often without their knowledge.
Web traffic monitoring tools such as the Meta Pixel and Google Analytics are a mainstay on thousands of hospital websites, but, since a June 2022 investigation from The Markup, have become the focus of sometimes costly class-action lawsuits.
In December 2022, HHS’ Office for Civil Rights (OCR) issued guidance to hospitals warning that the services are a likely Health Insurance Portability and Accountability Act (HIPAA) violation.
Recently, the Federal Trade Commission (FTC) and HHS issued a joint warning to hospitals and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps. These technologies may be impermissibly disclosing consumers’ sensitive personal health data to third parties, the agencies warned.
Since then, OCR and the Federal Trade Commission have sent warning letters to more than a hundred hospital systems and telehealth providers that have integrated the tools into their websites or apps, which were made public in September (PDF).
Healthcare organizations now find themselves navigating a labyrinth of compliance laws and evolving data privacy regulations surrounding the use of cookies, tracking technologies, digital advertising and analytics.
With the aim of bringing a "privacy-first" approach to healthcare marketing, WebMD Ignite, a division of WebMD and Internet Brands, is teaming up with privacy platform Freshpaint to help healthcare organizations stay in compliance with privacy regulations.
WebMD Ignite is a division of the online healthcare information provider that offers tech solutions to providers and health plans.
Freshpaint was founded in 2019 by veterans of the web analytics industry. The startup aims to bridge the gap between patient privacy and digital marketing by ensuring sensitive data is never shared with tools that aren’t HIPAA-compliant.
The company developed a data-sharing platform that enables healthcare marketers to continue to use the most advanced ad, analytics and personalization tools – without heavy engineering or long implementation times.
The partnership promotes compliance for hospitals, health systems and health plans through a privacy-first approach to using Google Analytics, Google Ads, Facebook Ads and other marketing tools that rely on web-tracking technologies, according to the companies.
"Getting the right information to the right people is critical in a healthcare setting. That takes understanding a consumer's unique circumstances and needs. At the same time, protecting privacy and security are also paramount. In the face of constantly evolving regulations, doing both can be exceedingly difficult," said Ann Bilyew, senior vice president, health and group GM, WebMD Ignite. "That's why we are collaborating with a privacy leader to help our valued client partners balance driving high-performance healthcare outreach efforts while maintaining consumer privacy."
WebMD Ignite is integrating Freshpaint's healthcare privacy platform into its products and will offer it to healthcare organizations who want to layer on their own product stack, Bilyew said.
Existing WebMD Ignite clients will have their products configured and powered by Freshpaint to manage their privacy and data settings.
Freshpaint's technology removes non-compliant tracking technologies to support HIPAA compliance and also de-identifies and masks individual visitors to enable performance reporting.
The company's tech also controls data flow across the entire marketing tech stack to prevent protected health information (PHI) from reaching destinations where organizations do not have a business associate agreement.
"The partnership [with WebMD Ignite] will give healthcare organizations of all sizes a privacy-first approach to using the tools and services they need to do high-performance marketing, while helping to maintain HIPAA compliance," said Steven Fitzsimmons, co-founder of Freshpaint.
WebMD Ignite has a huge reach in the healthcare industry as its brands include WebMD, Medscape, Krames, PulsePoint, Vitals, The Wellness Network and Mercury Healthcare. WebMD reports 85 million unique visitors and month and 95% of physicians are members of Medscape, according to Bilyew.
"At the end of the day, consumers have come to expect and demand that the organizations they interact with know and understand their preferences and understand their needs. I think that's especially true when you're talking about the intimate relationship that a person has with their care providers," she said. "With healthcare, there is this overlay of privacy. Patients are equally concerned about keeping their data and their information private. We have to walk that fine line between knowing and understanding that patient and caring about their needs and also keeping their data sacred and protected. Helping health systems achieve that balance is very important."
Concerned about the potential privacy risks of third-party web tracking technologies, many health systems are now "flying blind," Bilyew said. "They've stripped all of the pixels off any website-related content that they have, which means they have no idea who's coming to the web pages and they have no idea who's interacting with them in a digital format," she said.
Freshpaint developed an innovation solution that's flexible, simple and sophisticated that enables health systems to be "in the driver's seat in terms of how, when and with whom they share data," she noted.
Fitzsimmons described Freshpaint's privacy platform as a "giant switchboard" that gives customers control over data is shared with third-party companies. "They're able to take a privacy-first approach to standing up marketing initiatives," he said.
New compliance laws and evolving data privacy regulations pose a challenge for healthcare organizations but Fitzsimmons believes that HHS and FTC are taking the right approach to clamp down on data trackers.
"What we're showing here, by partnering with WebMD, is that protecting patient privacy and having great marketing and great consumer experiences, those two things are not diametrically opposed," he said.
A major hospital lobby, the American Hospital Association, is pushing back on HHS' new data tracker policy. In a recent letter to lawmakers, AHA painted the 2022 OCR guidance as “simply bad public policy.”
From a legal perspective, AHA took issue with OCR’s “misguided view” that a technology’s connection of an individual’s IP address and a public webpage addressing specific health conditions or care providers meets the bar for HIPAA’s protections.