A New York hospital system settled with New York Attorney General Letitia James for $300,000 on December 27, 2023, after disclosing the protected health information (PHI) of individuals who visited their website. An investigation by the Office of the Attorney General (OAG) found that the hospital used advertising tools on its website that collected and shared private and personal information with third-party tech companies when visitors used the website to search for doctors or book appointments, in violation of the Health Insurance Portability and Accountability Act (HIPAA). As a result of the settlement, the hospital has agreed to change its policies, secure the deletion of PHI, and maintain enhanced privacy safeguards and controls.
The hospital system operates 10 hospitals across New York City and the surrounding metropolitan area and receives more than 2 million patient visits each year. The company’s website allows visitors to book appointments, search for doctors, learn about hospital services, and research information relating to symptoms and conditions. However, an investigation by the OAG found that the company did not have appropriate internal policies or procedures for vetting third-party tracking tools and did not review or vet third-party tracking tools for violations of policy or law prior to their deployment.
Between June 2016 and June 2022, the company used third-party tools to track visitors to its website for marketing purposes. These tools used snippets of code, known as tracking pixels or tags, that sent information back to the third party whenever a webpage loaded or a user took a pre-defined action, like clicking a link, submitting a form, or running a search using the website’s search function.
Third-party companies received a variety of information about the company’s website visitors, including the user’s IP address and the URL of the webpage that had loaded or the link that was clicked. In some cases, those companies received information about the user’s health, such as when a user searched for a doctor by specialist or condition, researched a health condition, or scheduled an appointment. Information about the user’s doctor or health condition was in some cases reflected in the URL. For example, if a user conducted a search using the words “spine surgery,” the URL of the search result page would include “spine-surgery” and the third party would receive that health information about the user.
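The leak described above is visible in the requests a page makes: a pixel fires after the search page loads and carries the page URL (in the Referer header or copied into its own query string) to a third-party host. The following audit check, an added example rather than anything from the settlement or the hospital's systems, scans a constructed set of captured browser requests and flags third parties that received first-party URLs containing health-related terms; the domain names, the term list and the request log are all assumed sample values.

```python
from urllib.parse import urlparse, parse_qs

FIRST_PARTY = "hospital.example"   # assumed first-party domain (constructed)
# Constructed, deliberately small vocabulary of health-related URL terms.
HEALTH_TERMS = {"spine-surgery", "oncology", "cardiology", "hiv", "therapist"}

# Constructed sample of outbound requests captured while a visitor searched the site;
# the shape loosely follows HAR entries (request URL plus Referer header).
SAMPLE_REQUESTS = [
    {"url": "https://hospital.example/search?q=spine+surgery", "referer": ""},
    {"url": "https://tracker.example/pixel?dl=https%3A%2F%2Fhospital.example"
            "%2Fsearch%2Fspine-surgery&uid=abc123",
     "referer": "https://hospital.example/search/spine-surgery"},
    {"url": "https://cdn.hospital.example/logo.png",
     "referer": "https://hospital.example/search/spine-surgery"},
    {"url": "https://analytics.example/collect?ref=https%3A%2F%2Fhospital.example%2Fabout",
     "referer": "https://hospital.example/about"},
]

def is_third_party(host):
    """True for any host outside the first-party domain and its subdomains."""
    return not (host == FIRST_PARTY or host.endswith("." + FIRST_PARTY))

def health_terms_in(url):
    """Return the health-related terms found in a URL's path segments or query values."""
    parsed = urlparse(url)
    tokens = set(parsed.path.lower().split("/"))
    for values in parse_qs(parsed.query).values():
        for v in values:
            # Search boxes submit "spine surgery"; the result page URL uses "spine-surgery".
            tokens.update(v.lower().replace(" ", "-").split("/"))
    return tokens & HEALTH_TERMS

def find_phi_leaks(requests):
    """Flag third-party requests whose Referer, or whose own query values, carry a
    first-party URL containing health terms. Returns one finding per request."""
    findings = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        if not is_third_party(host):
            continue
        leaked = health_terms_in(req.get("referer", ""))
        # Trackers commonly copy the full page URL into a parameter; parse_qs decodes it,
        # so the embedded URL can be inspected like any other.
        for values in parse_qs(urlparse(req["url"]).query).values():
            for v in values:
                leaked |= health_terms_in(v)
        if leaked:
            findings.append({"third_party": host, "terms": sorted(leaked)})
    return findings
```

Running this over the sample flags only tracker.example, which received "spine-surgery" both via the Referer and in its `dl` parameter; the analytics host saw only a non-sensitive page and is not reported.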
Several third parties received unique identifiers that had been stored on users’ devices, allowing third parties to recognize users they had previously interacted with. One of the third parties also may have received first and last name, email address, mailing address, and gender information.
In June 2022, a journalist reported on the use of tracking tools on the company’s websites and their collection of sensitive health data. The company disabled the tracking tools soon after and contracted a third-party forensic firm to determine the extent of the data released. In March 2023, the company formally reported that the incident affected over 54,000 people.
As a result of the settlement, the company has agreed to pay $300,000 and to adopt policies and procedures to prevent the disclosure of PHI through tracking tools, including:
- Maintaining appropriate policies and procedures on the use of third-party tools;
- Conducting regular audits, reviews, and tests of third-party tools before deploying them to a company website or app;
- Conducting regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools; and
- Instructing third parties to delete any PHI they received.
Healthcare providers can find guidance on HIPAA’s application to the use of tracking technologies in the document Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, issued by the Office for Civil Rights at the United States Department of Health and Human Services.
Compliance Perspective
Issue
Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures. An impermissible disclosure of an individual’s PHI not only violates the Privacy Rule, but also may result in a wide range of additional harm to the individual or others. Such disclosures can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other healthcare professionals, and where an individual seeks medical treatment. While it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors, because of the proliferation of tracking technologies collecting sensitive information, now more than ever, it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and the use of third-party tools. Ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
- Train staff on HIPAA, PHI, and the Privacy Rule. Train the relevant staff on the appropriate use of third-party tools. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Privacy Rule are being followed by all staff, and that each person demonstrates understanding and competency. Also audit third-party tools and review the contracts, privacy policies, and terms of use associated with them.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*