Nearly all hospital websites track visitors, but most don't specify who else is seeing users' data

Nearly all hospitals’ websites collect and transmit user information to third parties, yet most do not have privacy policies that tell the visitors who exactly will be receiving those data, according to a new JAMA Network Open study.

Across a representative sample of 100 nonfederal acute care hospitals reviewed from November to January, researchers found that 96 of the hospitals' websites transmit user information to third parties, according to data the journal published April 11.

Seventy-one of the websites had privacy policies. Among those, most disclosed the types of user information being collected (97.2%), how the information was being used (98.6%) and what types of third parties would be receiving it (93%). However, only 40 hospital websites named the specific third parties or services that would be receiving the user data.

“To effectively protect user privacy, hospitals should carefully weigh the costs and benefits of including third-party trackers on their websites and should eliminate unnecessary third-party tracking technologies,” University of Pennsylvania researchers wrote in the study. “They should also ensure that they have accessible and comprehensive privacy policies, which allow others to hold the hospitals accountable for their privacy practices and give users the resources they need to make informed decisions about website use.”

The research, which builds upon the authors’ 2023 review of hospital website trackers, underscores regulatory risks many hospitals could face if their published website privacy policies fall short of Federal Trade Commission standards.

Hospitals may “generally not be required under federal law” to disclose their practices through a website privacy policy, they wrote. However, published privacy policies “can become legally binding documents, and breaches of such policies can elicit breach of contract claims under state law.”

Though not specifically addressed in the study write-up, the widespread collection and sharing of website visitor data described in the research would also put the hospitals at odds with the Department of Health and Human Services (HHS) Office for Civil Rights' controversial policy, which considers tools like Meta Pixel and Google Analytics to be a potential violation of the Health Insurance Portability and Accountability Act (HIPAA).

The policy was published in a late 2022 guidance bulletin—updated last month—that was challenged by the American Hospital Association (AHA) in a lawsuit filed in November.

The authors’ prior study, published last April in Health Affairs, had found third-party transfers present on 98.6% of more than 3,700 homepages. The more recent sample’s 96% rate suggests no substantial changes in the sector’s practices over the past year despite several privacy lawsuits and payouts hospitals have weathered in recent years.

Meanwhile, hospital industry groups are maintaining their stance against the “unlawful and unwise” rule. Thursday, the AHA filed a reply brief that critiqued last month’s “inconsequential modifications” to the guidance that it noted came “just days before [HHS’] brief was due.”

Pre- and post-update, HHS said the rule “is unmoored from statutory text and purpose, as well as practically unworkable and internally inconsistent” and urged the court to “put an end to this embarrassing saga of regulatory overreach and bar enforcement.”

Legal experts told Fierce Healthcare shortly after the update that the department’s changes offer little practical relief for healthcare organizations as the exclusion is based on circumstances "nearly impossible to ascertain." Still, they advised covered entities, like hospitals, to review their websites and mobile apps to ensure compliance.