Hospital Websites’ Third-party Trackers Exposing Patients to Fraud and Hospitals to HIPAA Sanctions

Jun 25, 2023 at 05:23 pm by pjeter


Nearly all hospitals have them
Most people who use the internet are accustomed to getting unsolicited advertisements after shopping for a certain product. But what about being a patient diagnosed with a serious medical condition who starts receiving unsolicited online advertisements for “cures” for their condition? First, it is a violation of privacy for highly sensitive personal health information to be disclosed to an advertiser. Second, some patients may make the mistake of believing “snake oil” salesmen instead of their healthcare providers about the best treatments.

Shockingly, the potential for breaches of private health information through hospital websites is very common. According to a recent study by the University of Pennsylvania published in Health Affairs, 99 percent of U.S. hospitals have third-party tracking on their websites. By allowing third-party tracking of confidential patient data on their websites, hospitals are violating Health Insurance Portability and Accountability Act (HIPAA) regulations, exposing patients to targeting by advertisements for fraudulent health cures while opening hospitals to liabilities that could include sanctions and the loss of Medicare and Medicaid reimbursements, said Marcus Schabacker, MD, PhD, president and CEO of the non-profit ECRI.

Schabacker said it is understandable that there is third-party tracking on hospital websites, since that information can be used to determine which parts of a website are getting good traffic and to guide improvements. But he said third-party tracking that allows the transfer of sensitive health data to technology and social media companies, advertising firms, and data brokers should stop immediately. Schabacker said hospitals should also, if necessary, notify patients of a security breach involving their private health information.

ECRI, an independent, nonprofit organization whose mission is improving the safety, quality, and cost-effectiveness of healthcare, recommends updating HIPAA laws to address these violations of privacy, which can allow nefarious actors to target vulnerable people living with severe health conditions with advertisements for non-evidence-based treatments that are expensive and, at best, do nothing. At worst, they can cause delays in proper treatment, injury or even death.

“Illegal transfers of health information are annoying and an invasion of privacy, but what we are most concerned about is there is a potential for real harm,” Schabacker said. “It can expose patients who may be frightened and vulnerable to approaches from vendors who don’t necessarily provide approved remedies for a particular disease. Imagine someone in dire straits and trying to find as much information as possible for themselves or loved ones. This kind of tracking allows companies that don’t have an approved product for specific diseases to target vulnerable people who are desperate for additional information. Technically it is also a HIPAA violation because the government clarified in December 2022 that HIPAA applies to hospital websites and that IP addresses do qualify as a patient identifier—just as do names, birthdates and Social Security numbers. This could be considered a violation of HIPAA and hospitals might be sued.”

Why do hospitals allow this? Schabacker said he doesn’t think it is deliberate or that hospitals are getting a kickback. But hospitals may be getting their website services at a discount by allowing the tracking.

“Trackers charge hardly anything but hospitals don’t understand what is going on in the background,” he said. “The IT department and senior management probably are not even aware it is happening. Under HIPAA, there is a business associates’ agreement that clearly identifies what can be done with confidential patient data and specifies that data must be protected. You need business protection agreements with vendors if you are going to use this third-party tracking service.”

Individual users can take action to prevent websites from tracking their information. But many people may not have enough IT knowledge to know how to block trackers.
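The article notes that hospital IT departments are often unaware of the trackers their own pages load. The script below is an added example, not code from the article or from ECRI, showing the kind of inventory check a hospital's web team could run: it parses a page's HTML and lists every host, other than the hospital's own site, from which the browser would automatically fetch scripts, images, frames or stylesheets. The HTML and the hostnames in it are constructed placeholders, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a hospital page (placeholder hostnames, not real sites).
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-hospital.test/js/app.js"></script>
<script src="https://connect.tracker.example/pixel.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="https://metrics.adnetwork.example/tr?ev=PageView" width="1" height="1">
<iframe src="https://embed.maps.example/clinic-map"></iframe>
<a href="https://www.example-hospital.test/conditions/oncology">Cancer care</a>
</body></html>
"""

# Tag/attribute pairs that make the browser fetch a resource on page load.
# Plain <a href> links are excluded: nothing is sent until the user clicks.
LOADED_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects URLs of resources the browser would load automatically."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = LOADED_ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.urls.append(value)


def third_party_hosts(html, site):
    """Return sorted hostnames outside `site` (and its subdomains) that the page loads from."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /css/site.css
        if host and host != site and not host.endswith("." + site):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML, "example-hospital.test"):
        print(host)
```

Each host reported is a party that receives at least the visitor's IP address and the URL of the page being viewed (for example, a condition-specific page), which is exactly the data flow the article describes; every one should be covered by a business associate agreement or removed.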

In addition to legal exposure to lawsuits, ECRI sees other liabilities, including penalties and even the loss of a hospital's license with the Centers for Medicare and Medicaid Services.

“So, it is a serious issue,” Schabacker said. “It is not to be taken lightly.”

ECRI proposes a holistic overhaul of HIPAA laws to start addressing the state of IT today regarding the capabilities of data collections and analytics. A lot of HIPAA laws were created in 1996, which Schabacker refers to as “the stone age of IT.”

“The whole medical field is still behind in the IT consumer area,” he said. “It will take a concentrated effort for all involved — the healthcare industry, IT people and the government — to really review this and make sure patients are protected from advertising of unsolicited offers of remedies and products.”

For more information about ECRI, visit their website.