By Becky Gillette
Most people who use the internet are accustomed to getting unsolicited advertisements after shopping for a certain product. But what about a patient diagnosed with a serious medical condition who starts receiving unsolicited online advertisements for “cures”? First, it is a violation of privacy for highly sensitive personal health information to be disclosed to an advertiser. Second, some patients may make the mistake of believing snake oil salesmen instead of their healthcare providers about the best treatments.
Shockingly, the potential for breaches of private health information through hospital websites is very common. According to a recent study by the University of Pennsylvania published in Health Affairs, 99 percent of U.S. hospitals have third-party tracking on their hospital websites. By allowing third-party tracking of confidential patient data on websites, hospitals are violating Health Insurance Portability and Accountability Act (HIPAA) regulations, exposing patients to being targeted with advertisements for fraudulent health cures while opening hospitals to liabilities that could include sanctions and the loss of Medicare and Medicaid reimbursements, according to Marcus Schabacker, MD, PhD, president and CEO of ECRI, which is a non-profit dedicated to improving the safety, quality, and cost-effectiveness of care across all healthcare settings
“It is understandable there is third-party tracking on hospital websites since that information can be used to determine what parts of the website are getting good traffic and provide information for improving websites,” Schabacker said. “But third-party tracking that allows the transfer of sensitive health data to technology and social media companies, advertising firms, and data brokers should stop immediately. Hospitals should also, if necessary, notify patients of a breach in security regarding their private health information.”
ECRI recommends updating HIPAA laws to address these violations of privacy that can allow nefarious actors to target vulnerable people living with severe health conditions with advertisements for non-evidence-based treatments that are expensive, and at best, do nothing. At its worst, they can cause delays in proper treatment, injury or even death.
“Illegal transfers of health information are annoying and an invasion of privacy, but what we are most concerned about is there is a potential for real harm,” Schabacker said. “It can expose patients who may be frightened and vulnerable to approaches from vendors who don’t necessarily provide approved remedies for a particular disease. Imagine someone is in dire straits and trying to find as much information as possible for themselves or loved ones. Then this kind of tracking allows companies that don’t have an approved product for specific diseases to target vulnerable people who are desperate for additional information. Technically, it is also a HIPAA violation because the government clarified in December that HIPAA applies to hospital websites and that IP addresses do qualify as a patient identifier—just as do names, birthdates and Social Security numbers. This could be considered a violation of HIPAA and hospitals might be sued.
“This could happen because sometimes hospitals can get their website services at a discount by allowing tracking. Trackers charge hardly anything, but hospitals don’t understand what is going on in the background. The IT department and senior management probably are not even aware it’s happening. Under HIPAA, there is a business associates’ agreement that clearly identifies what can be done with confidential patient data and specifies that data must be protected. You need business protection agreements with vendors if you are going to use this third-party tracking service.”
Individual users can take action to prevent websites from tracking their information. But many people might not be sophisticated enough with their IT knowledge to know how to block trackers.
In addition to legal exposure for lawsuits, ERCI sees other liabilities including penalties and even losing the hospital’s license with the Centers for Medicare and Medicaid Services. ECRI proposes a holistic overhaul of HIPAA laws to start addressing the state of IT today regarding the capabilities of data collections and analytics. A lot of HIPAA laws were created in 1996, when the internet was in its infancy.
“The whole medical field is still behind in the IT consumer area,” Schabacker said. “It will take a concentrated effort for all involved—the healthcare industry, IT people and the government--to review this and make sure patients are protected from advertising of unsolicited offers of remedies and products.”