ֱ

Are Hospital Websites Upfront About User Privacy and Data Sharing?

— New study finds many hospitals don't have privacy policies on their websites

MedpageToday
A close up photo of the Data Policy portion of a website.

Nearly all hospital websites transferred user information to third parties, and almost one-third did not have a privacy policy, an analysis of hospital websites showed.

Of the 100 hospital websites analyzed, 96 transferred user information to third parties, but only 71 had privacy policies listed, researchers led by Matthew McCoy, PhD, of the department of medical ethics and health policy at the University of Pennsylvania in Philadelphia, reported in .

Using the American Hospital Association database, researchers identified all nonfederal acute care hospitals and their websites. Among them, they selected 100 hospitals for analysis with simple random sampling. The privacy policies were assessed by two reviewers, who each searched the site for a privacy policy using several search methods.

"If we couldn't locate the privacy policy using this pretty rigorous approach, it's doubtful that the average user of these hospital websites could locate a privacy policy," McCoy told ֱ. "So the fact that about 30% of these hospitals didn't even have a privacy policy that we could find was, I think, pretty concerning."

While many patients don't read the privacy policies, they're still important to have, the authors said.

"Because hospitals risk regulatory scrutiny or civil lawsuits if they fail to adhere to the terms of their privacy policies, privacy policies can provide a mechanism for holding hospitals accountable for commitments to protect user privacy," they wrote. Plus, the policies make it possible to identify discrepancies between what a hospital says its privacy policy is and what it actually does.

In terms of third-party tracking tools, "hospitals need to really be reconsidering their use of these technologies and determining whether or not they're really central to the operation of their website," McCoy said. "If they are going to use them, though, I do think it's important that they adequately disclose all the different third parties that they're transferring data to in their privacy policies."

Last year, many of the same co-authors that found nearly all hospital websites use some form of tracking technologies with connection to third-parties. In recent years, some major health systems were sued for selling patient data to Meta. Washington state passed a bill last year with robust patient protections for health data.

McCoy said the goal of the study was to ask "to what extent are the privacy risks involved in the use of these technologies disclosed to hospital website users via their privacy policies?"

McCoy and team found third-party cookies on 86% of websites. On average, privacy policies were 2,527 words and were written at a 13.7 on the Flesch-Kincaid Grade Level.

Most of the policies addressed the types of user information automatically collected by the website (69 of 71), how the information would be used (70 of 71), and the categories of third-party recipients (66 of 71). However, far fewer actually named the specific third-party companies or services that got that information (40 of 71).

Ultimately, the authors concluded that a "substantial number of hospital websites did not present users with adequate information about the privacy implications of website use, either because they lacked a privacy policy or had a privacy policy that contained limited content about third-party recipients of user information."

Researchers used the tool webXray to detect third-party tracking codes on hospital webpages and recorded the number of cookies and third-party data requests on each page. Data requests initiate transfers of a user's IP address and page URL to a third party. The researchers also manually double checked the tools' work on 30 websites.

A website privacy policy was defined in the paper as "a statement that describes how a website will collect, use, share, or sell data collected from users of the site," which is different from notice of privacy practice, which "describes how the institution will handle protected health information collected during clinical encounters and billing."

The authors noted a few limitations, including that manual search strategies might have missed some website privacy policies, that other readability measures might have scored websites differently, and that they couldn't determine the extent that hospitals abide by key provisions in their policies.

  • author['full_name']

    Rachael Robertson is a writer on the ֱ enterprise and investigative team, also covering OB/GYN news. Her print, data, and audio stories have appeared in Everyday Health, Gizmodo, the Bronx Times, and multiple podcasts.

Disclosures

McCoy reported being an unpaid member of the University of Pennsylvania's Data Ethics Working Group, which was partially funded by a gift from Deloitte to the University of Pennsylvania.

Other authors reported receiving grants from the National Institute on Aging.

Primary Source

JAMA Network Open

McCoy MS, et al "User information sharing and hospital website privacy policies" JAMA Netw Open 2024; DOI: 10.1001/jamanetworkopen.2024.5861.