In December 2022, healthcare providers were put on notice about privacy compliance risks from third-party tracking technologies that collect visitor information on their websites and pass it on to the tracking vendor. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) warned that technologies such as the Meta Pixel or Google Analytics on websites or apps would be considered a HIPAA violation if deployed without a business associate agreement (which tracking vendors do not ordinarily sign) or patient consent. Note that the American Hospital Association and other physician groups are challenging this guidance in court, and the outcome of those cases will most likely set precedent.
Why are these government agencies paying particular attention to this vertical? They are responding to an investigation by two publications, STAT and The Markup, which found the Meta pixel transferring data to Meta (which is what a pixel is built to do), including sensitive patient data. The investigation covered the top 100 hospitals, so it is likely that many other hospitals are inadvertently transferring sensitive data to Meta as well. Of those 100 hospitals, 7 had the Meta pixel inside password-protected patient portals, where the visitor is by definition an identifiable patient.
Following the OCR guidance, class action lawsuits have been filed, such as the two brought against Costco's pharmacy. They allege that Meta obtained individuals' private health information from their activity on Costco's website without consent, and that this information was then used to serve them targeted ads related to their medical conditions.
So, if you are a healthcare provider running the very common Meta (Facebook) pixel or Google Analytics tags, what should you do?
- Inventory exactly which pages carry tracking technologies, including tags loaded by a tag manager or initialised by inline script rather than a visible script tag.
- Determine what data each tag collects and where it is sent. The page URL, title and any event parameters travel with every hit, so a path like an appointment-scheduling page for a specific department is itself sensitive.
- Remove tracking from password-protected areas of your website, since anyone browsing there is an identifiable patient.
- Consult appropriate counsel or technology specialists to find out what alternative methods you can use to conduct your business.
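As an added example (not ObservePoint's code, and not a substitute for a full site crawl), the following Node.js script works through the first three steps above for a single page offline: it finds tracker loaders and inline initialisation calls in the page HTML, decodes a captured beacon URL to show what page context it carries, and flags whether that context came from an authenticated area. The vendor hostnames are the well-known loader and beacon endpoints for these tags; the beacon parameter names (`id`, `ev`, `dl`, `cd[...]` for the Meta pixel; `tid`, `en`, `dl`, `dt` for Google Analytics) and the list of protected path prefixes are assumptions for illustration and should be checked against your own network capture. The sample HTML and hit URL are constructed.

```javascript
// Added example, not ObservePoint's code: a single-page, offline tag audit.
// Hostnames are the well-known loader/beacon endpoints for these vendors. The
// beacon parameter names and the protected path prefixes are assumptions for
// illustration; verify them against a real network capture from your own site.
const TRACKER_HOSTS = {
  "connect.facebook.net": "Meta Pixel (loader)",
  "www.facebook.com": "Meta Pixel (beacon)",
  "www.googletagmanager.com": "Google Tag / Tag Manager",
  "www.google-analytics.com": "Google Analytics",
};

// Inline snippets that initialise a tracker even when no external src is visible.
const INLINE_INIT = [
  { vendor: "Meta Pixel", re: /fbq\(\s*['"]init['"]\s*,\s*['"]([^'"]+)['"]/g },
  { vendor: "Google Analytics", re: /gtag\(\s*['"]config['"]\s*,\s*['"]([^'"]+)['"]/g },
];

// Step 1: list every tracker loaded via <script>/<img>/<iframe> src or an inline init call.
function findTrackers(html, pageUrl) {
  const found = [];
  const srcRe = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    let host;
    try { host = new URL(m[2], pageUrl).hostname; } catch { continue; }
    if (TRACKER_HOSTS[host]) {
      found.push({ vendor: TRACKER_HOSTS[host], via: `<${m[1].toLowerCase()}>`, host });
    }
  }
  for (const { vendor, re } of INLINE_INIT) {
    re.lastIndex = 0; // shared global regex: rewind before each scan
    while ((m = re.exec(html)) !== null) {
      found.push({ vendor, via: "inline script", id: m[1] });
    }
  }
  return found;
}

// Step 2: decode a captured beacon URL and pull out the fields that carry page context.
// Assumed names: dl = document location, dt = document title, ev/en = event, cd[..] = custom data.
function decodeHit(hitUrl) {
  const u = new URL(hitUrl);
  const p = u.searchParams;
  const custom = {};
  for (const [k, v] of p) {
    if (k.startsWith("cd[") && k.endsWith("]")) custom[k.slice(3, -1)] = v;
  }
  const dl = p.get("dl");
  return {
    vendor: TRACKER_HOSTS[u.hostname] || "unknown",
    accountId: p.get("id") || p.get("tid"),
    event: p.get("ev") || p.get("en"),
    pageUrl: dl,
    pagePath: dl ? new URL(dl).pathname : null,
    title: p.get("dt"),
    custom,
  };
}

// Step 3: does the page context come from an authenticated area? (prefixes are assumed)
function isProtectedArea(hit, protectedPrefixes = ["/portal/", "/mychart/", "/patient/"]) {
  return hit.pagePath !== null && protectedPrefixes.some((pre) => hit.pagePath.startsWith(pre));
}

// Constructed sample: a patient-portal page loading gtag.js and initialising the Meta pixel inline.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>gtag('config', 'G-XXXXXXX');</script>
<script>fbq('init', '123456789012345'); fbq('track', 'PageView');</script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
</body></html>`;

// Constructed sample beacon, as it would appear in the browser's network tab once the pixel fires.
const SAMPLE_HIT =
  "https://www.facebook.com/tr?id=123456789012345&ev=PageView" +
  "&dl=https%3A%2F%2Fhospital.example%2Fportal%2Fappointments%3Fdept%3Doncology" +
  "&cd[content_name]=Schedule%20appointment";

console.log(findTrackers(SAMPLE_HTML, "https://hospital.example/portal/appointments"));
const sampleHit = decodeHit(SAMPLE_HIT);
console.log(sampleHit, "protected area:", isProtectedArea(sampleHit));
```

Run it with `node audit.js`. The decoded hit is the point of the exercise: even a plain PageView event carries the full page URL, so the path `/portal/appointments` and the query string `dept=oncology` reach the vendor along with the pixel ID, which is exactly the combination the OCR guidance is concerned with.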
ObservePoint can automatically scan websites and conduct a comprehensive audit on your MarTech. The platform provides detailed reports on every tag, cookie, and page automatically, at a cadence and depth you determine.
In fact, in our annual report for 2023, we used our platform to scan over 11,000 homepages to determine how companies of various sizes and industries were managing their websites. Let’s look at some sub-industry details from that data set to see how the healthcare industry is doing with their websites.
Filtering by Hospitals and Physicians’ Clinics as the primary industry gives us 220 websites.
- Average page load time was 4.39 seconds, slightly longer than the report-wide average of 4.23 seconds; the best-performing websites load in under 3 seconds.
- The average number of tags for this industry is 20.87, slightly below the report’s average of 25.62.
- The most common tags were the Google Global Site Tag (gtag.js) or Google Analytics, present on over 140 of the 220 sites, more than half.
- The Meta/Facebook tag was on 65 sites.
- Only 16 of the 220 hospital and clinic sites used a Consent Management Platform to manage visitor consent preferences.
So there is a high chance that your healthcare provider site carries Google Analytics or the Meta pixel, and that is something you need to dig into quickly. A solution like ObservePoint can be deployed on your site quickly to tell you exactly which tracking technologies are on which pages, sending what data to whom. From there you can assess what changes your privacy program needs and have answers ready when regulatory bodies ask.
Start a Free Trial now, to dive right into the product and see how it could immediately help.