Greenwall Faculty Scholar Matthew McCoy, PhD, co-authored a study in Health Affairs that found that more than 98% of US hospital websites contained code that tracked user data—potentially including health data—in a practice that may pose privacy risks for patients. The Greenwall Foundation talked with Prof. McCoy about the research findings, the potential implications for policy, and public interest in the issue. The interview has been edited for clarity and brevity.
Can you tell us more about the tracking technology you studied and what you found?
A tracking technology is a piece of code that’s embedded on a website that captures information about how its visitors interact with the content, and it sends that information to a third party, who can use that information virtually however they want—there are not many legal regulations on it. The main purpose of tracking is for third parties to collect this information, build up a detailed picture of things like your interests, your health conditions, or your habits, and then use that information to send you targeted advertising for products that their clients want you to buy.
Previous work on this topic had looked at particular hospital systems or particular tracking technologies. We thought we could add value by asking what this looks like across the entire hospital ecosystem. What we discovered with this study is that the practice isn’t something that just a couple of bad actors are doing. It’s ubiquitous—essentially, every US hospital whose website you would visit is doing this sort of tracking.
Were you surprised by those findings?
I would not have been surprised if there were one or two trackers on most hospital websites. But we found that hospital websites were initiating a median of 16 distinct data transfers out to third parties. [We would tend to hope that] hospital leaders are more sensitive than [other] business leaders when it comes to issues of consumer privacy, so I expected them to do much better. I think it would come as a total shock to most patients using hospital websites, which is part of the motivation for why we want to continue to call attention to this practice. If they knew what was happening, they would probably be quite concerned about it.
This research has garnered substantial press coverage. Why do you think that is?
There’ve been some recent legal developments that have raised the stakes around this practice. One is a wave of class action lawsuits by patients against hospitals for this sort of tracking. Mass General Brigham, for example, recently agreed to an $18 million settlement with a class of plaintiffs who brought suit for exposing them to this kind of tracking without proper consent.
Additionally, the Office for Civil Rights—the body that’s responsible for enforcing HIPAA—recently published a bulletin essentially saying it’s their opinion that a lot of these tracking technologies, which are routinely used on covered entities’ websites, may be transferring protected health information to the tracking vendors. If that is indeed the case, there may be widespread HIPAA violations.
What impact do you hope this work has?
So many problems in healthcare are recognizable but not immediately tractable, perhaps because they involve policy changes or economic interests that have to be traded off one against another. This is different, because the only reason that these tracking technologies are on hospital websites is because web administrators in those hospital systems have allowed them to be there. The tracking may help the hospitals run some part of their business, but I suspect they don’t really appreciate the long-term implications for patient privacy, and, increasingly, legal implications for their institutions.
If [the hospitals] are sufficiently motivated by studies like this, there’s no reason that they can’t all go to their websites and see what tracking technologies they’re using right now. They don’t need Congress to pass a law, or HHS to issue guidance. They can say, “sure, we like the tracking metrics that we get from this tool. But when we think seriously about what it’s costing our patients in terms of our privacy, we can get this off the website yesterday.” At the very least, I believe they should make [their use of trackers] totally explicit in their privacy policies.