Hospitals' legal win shows HIPAA's limits in shielding patient data
Illustration: Annelise Capossela/Axios
A recent legal win by the hospital industry over its use of website tracking technology could leave patients' data vulnerable to being shared with online marketers, data brokers, and social media platforms.
Why it matters: The case highlights the limits of the Health Insurance Portability and Accountability Act, or HIPAA — passed back in 1996 — to protect patients' health information in the digital age.
Driving the news: The Department of Health and Human Services last week dropped an appeal after a federal judge in Texas in June ruled that the department overstepped its authority by blocking hospital websites from using standard tracking technologies that capture IP addresses on portions of their public-facing webpages.
- The American Hospital Association sued HHS last year after the agency told hospitals they were violating HIPAA by using tracking tools, such as those from Google and Facebook.
- The agency declined to comment for this story, saying it does not comment on litigation.
The big picture: A basic tenet of the modern Internet is the tracking of individuals' online activity via tools like cookies or pixels. Hospitals have pointed out that HHS itself uses these tools on its own website.
- Websites use the data they scoop up to improve the site's user experience, track the success of their content, and retool it for more clicks.
But privacy experts say third-party companies could piece together breadcrumbs of data from hospital website users that could ultimately reveal patients' health information to data brokers and advertisers.
- A 2023 study from the University of Pennsylvania found nearly 99% of hospital websites were using third-party tracking, "including transfers to large technology companies, social media companies, advertising firms, and data brokers."
Between the lines: Hospitals say they've been put in a tough position and applauded HHS' decision to abandon its appeal.
- "HHS is relying on hospitals and other caregivers to provide the world with accurate, reliable, not misleading healthcare information," American Hospital Association general counsel Chad Golder told Axios.
- But "they were putting these restrictions that could expose hospitals to civil penalties for every YouTube video on the value of COVID vaccines if we gave IP addresses to Google," he said. "You can't have it both ways."
- For its part, Google told Axios that site owners are in control of what information is collected and that Google Analytics does not collect IP addresses.
The other side: "You might not care that Google knows you were looking at a new pair of shoes on Zappos last week," said Matthew McCoy, a researcher at the University of Pennsylvania who studies the use of trackers on hospital websites.
- But most patients may not feel as comfortable with their health provider sharing with third parties every search for health information they're making, he added.
- In just one example, it's possible data with personally identifiable information could be sold to a sketchy advertiser to target snake oil medical products to patients looking at websites relevant to particular diseases.
- "We really don't know, and that's the whole point," McCoy said. "There's a whole universe of entities that are collecting this data, and there's very little scrutiny on what they do with it directly, or how they repackage it and sell it on to other actors."
The intrigue: There is an emerging market specifically for businesses that help health care providers run websites with HIPAA-compliant tracking.
- About four years ago, a company called Freshpaint started getting strong interest from health tech companies that were concerned about the data they were sharing with online trackers and began building tools to help them limit the data they shared, the company's spokesperson Ray Mina said.
- "We tried to go to traditional healthcare, and they were like, 'Why do I care about web trackers on my marketing site that's not my authenticated portals?'"
- But then, HHS released its guidance in late 2022 about data sharing being a HIPAA violation. "Since then, it's just been like staggering growth for our company," he added.
What we're watching: Regulators will ultimately have to answer the bigger question of how to protect the fast-evolving landscape of patient data held by tech companies.
- Congress is still working on a data privacy bill aimed in part at filling in the gaps of HIPAA, and a growing number of states are passing their own laws that also apply to patient data.
- The Federal Trade Commission has also signaled its intentions to crack down on tech companies sharing patient data.
