Almost every hospital's homepage is sending visitors' data to third parties, study finds

Nearly all nonfederal acute care hospitals’ websites track and transfer data to a third party, potentially fueling the unwanted disclosures of patients’ sensitive health information and opening up that hospital to legal liability, according to a recently published University of Pennsylvania analysis.

The census of more than 3,700 hospital homepages found at least one third-party data transfer among 98.6% of the websites as well as at least one third-party cookie on 94.3%, researchers wrote in Health Affairs.

The hospitals’ homepages had a median of 16 third-party transfers, more of which were found among medium-sized (100 to 499 beds) hospitals, nonprofit hospitals, urban hospitals, health system-affiliated hospitals and those that weren’t serving the largest portion of patients in poverty, they wrote.

The findings come as more and more disgruntled patients file individual and class-action lawsuits against providers for sharing their personally identifying information through website trackers.

Many of these complaints cite Facebook parent company Meta’s Pixel tracker, which a June 2022 investigation from The Markup detected on about a third of large hospitals’ websites. That report found evidence that, in some instances, the sensitive data transferred to third parties met the criteria for a HIPAA violation.

“Our analysis suggests that if this phenomenon occurs across even a small proportion of third-party data transfers on hospital websites, many patients may be exposed to such violations,” the researchers wrote in their study.

Alphabet was far and away the most common tracking entity detected among the sample and was present among 98.5% of the hospital websites, according to the analysis. It was followed by Meta (55.6%), Adobe Systems (31.4%) and AT&T (24.6%).

The team also conducted a manual search of 100 randomly selected hospital websites for dedicated patient-facing pages relating to six sensitive health conditions, of which 30 hospitals had pages for all six. All 30 of those websites had at least one third-party data transfer across their six condition pages and totals that were roughly similar to the totals measured across homepages, the researchers wrote.

“These practices have led to lists of patients with particular disease types and their information, including their telephone numbers and home addresses, being available for purchase,” the researchers wrote. “Third-party tracking code on hospital webpages may facilitate these types of health-related tracking.”

The researchers built their sample of nonfederal acute hospitals using responders from the 2019 American Hospital Association Annual Survey. They assessed the presence of any third-party tracking using an open-source, automated detection tool over a three-day period in August 2021.
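The study measured third-party transfers and cookies per homepage. The following is an added example, not the researchers' detection tool, of the core check such a tool performs: given a page's own origin and the request URLs and cookie domains a browser observed while loading it, it tallies how many requests and cookies went to another registrable domain (eTLD+1) and which entities received them. All hostnames, cookie names and the request list are constructed placeholders, and the public-suffix handling is a deliberately tiny approximation of the real Public Suffix List.

```python
"""Classify a page's outgoing requests and cookies as first- or third-party.

Added example (not the study's tool): given the hospital page's own origin and
the request URLs / cookie domains observed while loading it, count how many
distinct third-party entities received data. The sample data below is
constructed for illustration; the domains are placeholders, not real findings.
"""
from collections import Counter
from urllib.parse import urlparse

# Tiny stand-in for the Public Suffix List; a real audit should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 ('www.example-hospital.org' -> 'example-hospital.org')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_transfers(page_url: str, request_urls: list[str]):
    """Split observed request URLs into first-party and third-party by eTLD+1."""
    site = registrable_domain(urlparse(page_url).hostname or "")
    first, third = [], []
    for url in request_urls:
        host = urlparse(url).hostname or ""
        (first if registrable_domain(host) == site else third).append(url)
    return first, third


def third_party_cookies(page_url: str, cookies: list[tuple[str, str]]):
    """cookies: (name, Domain attribute) pairs; return those scoped to another site."""
    site = registrable_domain(urlparse(page_url).hostname or "")
    return [(n, d) for n, d in cookies if registrable_domain(d.lstrip(".")) != site]


def audit(page_url: str, request_urls: list[str], cookies: list[tuple[str, str]]) -> dict:
    """Summarise third-party exposure for one page load, mirroring the study's per-page counts."""
    _, third = classify_transfers(page_url, request_urls)
    entities = Counter(registrable_domain(urlparse(u).hostname or "") for u in third)
    return {
        "third_party_transfers": len(third),
        "third_party_entities": dict(entities),
        "third_party_cookies": len(third_party_cookies(page_url, cookies)),
    }


# Constructed sample: one hypothetical hospital homepage load (placeholder hosts).
SAMPLE_PAGE = "https://www.example-hospital.org/"
SAMPLE_REQUESTS = [
    "https://www.example-hospital.org/css/site.css",
    "https://cdn.example-hospital.org/img/logo.png",
    "https://analytics.example-tracker.test/collect?tid=XYZ",
    "https://analytics.example-tracker.test/pixel.gif",
    "https://ads.example-adnet.test/beacon",
]
SAMPLE_COOKIES = [
    ("session", "www.example-hospital.org"),   # first-party
    ("_tr", ".example-tracker.test"),          # third-party
]

if __name__ == "__main__":
    print(audit(SAMPLE_PAGE, SAMPLE_REQUESTS, SAMPLE_COOKIES))
```

In a real audit the request and cookie lists come from a headless browser's network log rather than being hard-coded, and the eTLD+1 comparison should use the full Public Suffix List; the grouping by registrable domain is what lets a per-hospital count be rolled up into the per-entity prevalence figures the study reports.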

The Department of Health and Human Services’ Office for Civil Rights (OCR) released a notice in December clarifying that, although HIPAA-regulated organizations may use trackers such as Google Analytics or Meta Pixel to perform data-based operations analyses, other data privacy requirements still apply on webpages with general information such as a homepage.

“The bulletin notes, for example, that including tracking code that collects a person’s IP address on an ‘unauthenticated webpage that addresses specific symptoms or health conditions’ would constitute the disclosure of protected health information to the tracking technology vendor,” the researchers wrote in the journal article. “This guidance implies that HIPAA rules would apply to a potentially vast number of third-party data transfers on hospital websites.”

It’s currently difficult to gauge the potential impact such widespread tracking and transfers may be having on patients, the researchers continued. The tracking could, for instance, lead individual patients to receive more targeted ads for health products that differ from best practices or the advice of their physician, thereby fueling worse outcomes or lower-value healthcare spending.

“Although public health campaigns may also use targeted advertising to reach specific populations, public advertising budgets are smaller than private spending, limiting their relative impact,” they said.

The team advised policymakers to specifically address these trackers in upcoming privacy legislation, “ideally by prohibiting the practice.”

In the meantime, based on the lawsuits, settlements and OCR guidance, hospitals would be best served by reviewing the privacy policies of any installed third-party trackers, disclosing the use of trackers to website visitors and implementing simple methods for patients to opt out of tracking if they so choose, the researchers concluded.