Lokker recently studied healthcare websites and discovered extensive use of Meta Pixel tracking code. 33% of the reviewed healthcare sites still employ Meta pixel tracking code, despite the threat of legal cases, data breaches, and penalties for HIPAA non-compliance.
Use of Website Tracking Technologies in the Healthcare Sector
A study performed in 2021 investigated the websites of 3,747 hospitals in the U.S. and discovered that 98.6% of the hospitals utilized one or more types of tracking codes on their hospital web pages that transmitted information to third parties. The Markup/STAT conducted a study in 2022 involving the websites of the top 100 hospitals in the United States, which revealed that one-third of the hospitals put tracking technologies on their web pages that transmit visitor information, such as protected health information (PHI), to third parties.
In December 2022, the HHS Office for Civil Rights published guidance for HIPAA-covered entities concerning the use of website tracking codes. The guidance stated that these technologies violate HIPAA unless a business associate agreement (BAA) is entered into with the code vendor or patient consent is obtained. OCR and the Federal Trade Commission wrote to about 130 healthcare companies in July 2023 cautioning them about the compliance issues of using tracking technologies, after finding these tools on their web pages. In March 2024, OCR revised its guidance, most likely in response to a legal case brought by the American Hospital Association. Nevertheless, OCR’s view that a BAA or a patient authorization is necessary hasn’t changed.
Several hospitals and health systems have reported their use of tracking technologies to OCR as data breaches. Numerous lawsuits have been filed against hospitals over the use of these tools, and some ended in large settlements. For instance, Novant Health paid $6.6 million to resolve a lawsuit filed by patients whose PHI was disclosed to third parties as a result of tracking codes. The FTC is likewise enforcing the FTC Act with respect to tracking codes: BetterHelp paid consumers a total of $7.8 million in refunds for exposing sensitive health information without authorization. States also impose penalties for using the Meta pixel or other website trackers. For instance, New York Presbyterian Hospital paid the New York Attorney General $300,000 for a Pixel-related HIPAA violation.
Lokker’s 2024 Study of Website Tracking Technologies
Lokker, a web data privacy and compliance solutions provider, studied 3,419 websites from four industries (technology, healthcare, retail, and financial services) to explore three critical risk areas.
- Unauthorized collection of consumer information via third-party trackers, pixels, and tags.
- How privacy tools frequently fail to satisfy the demands of new laws.
- The rising complexities of safeguarding the data privacy of consumers.
The study investigated the danger of data brokers disclosing consumer information to foreign adversaries. Across all industries, 12% of sites contained the TikTok pixel, including 4% of healthcare organizations. Although the privacy threats related to this pixel are lower than those of other tracking tools, the data gathered by the TikTok pixel could be transmitted to China. 2% of sites (0.55% of healthcare sites among them) use pixels and other web trackers provided from Iran, China, or Russia. Transmitting data to foreign countries is a major concern for the American government: President Biden signed an Executive Order in February 2024 to stop U.S. data from being shared with foreign countries.
Surprisingly, despite the substantial media coverage, HIPAA guidance, regulatory penalties, and lawsuits related to website tracking codes, 33% of healthcare companies still put Meta pixels on their web pages. Lokker found about 16 trackers on a typical healthcare site and as many as 93 on some. The most popular trackers used by healthcare companies were Meta (facebook.com, facebook.net), Google (doubleclick.net, googletagmanager.com, google-analytics.com, googleapis.com, google.com, youtube.com), Microsoft (linkedin.com), and ICDN (icdn.com). There seem to be misunderstandings about obtaining permission from website visitors before collecting their information with tracking technologies like cookies and pixels. According to OCR guidance, a banner on a web page informing visitors about the use of tracking technologies does not constitute a valid HIPAA authorization. Such consent banners were found on the web pages of 59% of healthcare companies.
These consent banners usually do not work as expected: 98.5% of web pages set cookies on page load. According to Lokker’s report, 33 cookies on average are loaded before the consent banner appears, and these banners frequently misclassify or ignore cookies and trackers. Lokker found that technologies like browser fingerprinting tend to be omitted from consent tools altogether. Because the web changes quickly, consent tools may not notice when trackers change, so users unwittingly agree to data collection they did not want.
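A tracker that is referenced directly from the page's HTML executes at page load, before any consent banner can be shown, which is the failure mode described above. The following Python script is an added example (not Lokker's tooling or code from the report) that performs the simplest version of that check: it parses a page's HTML, collects every resource the browser would fetch while rendering, and flags loads that go to the tracker domains listed in the article. The sample page, the first-party host name example-hospital.org, the host cdn.example and the XXXX identifiers are constructed placeholders for illustration.

```python
"""Static audit of a page's HTML for known tracker hosts that load unconditionally.

Added example, not Lokker's tooling. Any resource referenced straight from
the HTML is requested at page load, before a consent banner is shown, so a
tracker host appearing here is a tracker that fires without consent.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tracker parent domains named in the article, grouped by operator.
TRACKER_DOMAINS = {
    "Meta": ("facebook.com", "facebook.net"),
    "Google": ("doubleclick.net", "googletagmanager.com", "google-analytics.com",
               "googleapis.com", "google.com", "youtube.com"),
    "Microsoft": ("linkedin.com",),
    "ICDN": ("icdn.com",),
}

# Tags whose src/href attribute triggers a network request while rendering.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


def classify_host(host):
    """Return the operator name if host is a listed tracker domain or a subdomain of one."""
    host = host.lower()
    for operator, domains in TRACKER_DOMAINS.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return operator
    return None


class _LoadingResourceParser(HTMLParser):
    """Collects every URL the browser would fetch as part of rendering the page."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def audit_html(html, first_party):
    """Return findings for third-party loads that hit known tracker hosts.

    Each finding is a dict with the tag, the full URL, the host and the operator.
    Relative URLs and URLs on first_party (or its subdomains) are first party and skipped.
    """
    parser = _LoadingResourceParser()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = urlsplit(url).hostname
        if not host or host == first_party or host.endswith("." + first_party):
            continue
        operator = classify_host(host)
        if operator:
            findings.append({"tag": tag, "url": url, "host": host, "operator": operator})
    return findings


def summarize(findings):
    """Count findings per operator, the per-site figure the article reports."""
    counts = {}
    for finding in findings:
        counts[finding["operator"]] = counts.get(finding["operator"], 0) + 1
    return counts


# Constructed sample page (hypothetical hospital site): a Meta Pixel script and a
# Google Tag Manager script loaded directly from the HTML, a first-party script,
# an unrelated third-party CDN, a Meta pixel image beacon and a YouTube embed.
SAMPLE_HTML = """
<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=XXXX&amp;ev=PageView" width="1" height="1">
<iframe src="https://www.youtube.com/embed/XXXX"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = audit_html(SAMPLE_HTML, "example-hospital.org")
    for finding in found:
        print(f"{finding['operator']:<9} <{finding['tag']}> {finding['host']}")
    print("per operator:", summarize(found))
```

Run it against saved HTML of a page you operate to see which listed tracker hosts fire before any consent interaction. A static check of this kind cannot see trackers injected later by tag managers or gated behind a consent script, so a complete audit also needs a headless browser that records the requests and cookies set before the banner is dismissed.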
Besides the compliance problems associated with HIPAA, there is also a risk of Video Privacy Protection Act (VPPA) violations. 3% of healthcare providers put the Meta pixel or other social network trackers on web pages that contain video players, which increases the chance of VPPA lawsuits. In 2023, over 80 lawsuits were filed alleging VPPA violations from using the Meta pixel to collect and share video viewing information from websites without user consent, some of which resulted in multi-million-dollar settlements.
Lokker’s research highlights critical challenges that companies frequently underestimate. Unauthorized data collection through third-party trackers and associated technologies is far more complicated than most people realize. The web of interconnected technologies creates hundreds of web addresses that collect information which feeds the data broker market. Furthermore, data collection on websites and in ad technology takes place in real time, while current privacy tools do not operate in real time and are therefore not enough to do the job. Consequently, privacy violations, lawsuits, and penalties increase markedly.