Nearly All US Acute Care Hospitals Transfer Data to Third Parties, Study Finds

April 05, 2023 - University of Pennsylvania researchers found third-party tracking technologies on nearly all US nonfederal acute care hospital websites, a Health Affairs study revealed.

Researchers studied all US hospitals included in the 2019 American Hospital Association (AHA) Annual Survey, narrowing their scope to nonfederal acute care hospitals that had an emergency department and were not freestanding long-term care facilities or ambulatory surgical centers.

Next, they used webXray, an open-source tool that allowed them to record third-party tracking. Of the 3,747 hospital websites analyzed, 98.6 percent had at least one third-party data transfer, and 94.3 percent had at least one third-party cookie.

These findings align with recent breach disclosures involving the use of tracking pixels on hospital websites, prompting multiple lawsuits against a variety of healthcare organizations and the tech companies that operate this technology.

Third-party tracking technologies, such as the Meta pixel, are common across the internet. These tools allow organizations to garner insights about the people using their sites but may also transfer sensitive data to non-HIPAA-covered entities, creating compliance complexities and potential breaches.

“Thus, despite being subject to HIPAA’s stringent privacy measures for protected health information, nearly all hospitals allow third parties to capture data about how patients and other users navigate their websites,” the study revealed.

“Our analysis suggests that if this phenomenon occurs across even a small proportion of third-party data transfers on hospital websites, many patients may be exposed to such violations.”

Alphabet (Google’s parent company) was the most common tracking entity among all the hospitals in the study, followed by Meta, Adobe Systems, and AT&T. The studied hospital website home pages had a median of 16 third-party transfers.

“We found that hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed website visitors to more third-party data transfers,” the study stated.

“Although further research is needed to examine the causes of this discrepancy, it may be influenced by multiple factors. These hospitals may strive to include more features on their websites, and the additional tracking is a product of including third-party functionality, such as embedding a Google Maps product onto a site.”

Additionally, the researchers suggested that these hospitals may rely more on online advertising to drive revenue, prompting them to install tracking tools.

Still, little is known about how third parties actually leverage tracking data, the study noted. But research suggests that third parties may be targeting patients with advertisements for pharmaceuticals, insurance products, and medical supplements.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” the Health Affairs study stated.

“These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

Hospitals should audit their websites to ensure that they are not impermissibly disclosing patient information to third parties. In addition, the researchers suggested that hospitals consult with their legal department before implementing any third-party tools.

The study authors emphasized that hospitals “have a responsibility to protect patients from unnecessary risks, including risks to their privacy,” both ethically and legally.