The New York State Attorney General on Wednesday announced a major new settlement around one health system’s use of privacy-violating online pixel technology.
WHY IT MATTERS
NewYork-Presbyterian Hospital will pay $300,000 for its use of third-party tools that disclosed the protected health information of people who visited its website, New York AG Letitia James said on Dec. 27.
Her office found that the health system – NYP runs 10 hospitals across New York City and the surrounding metro area, with more than 2 million patient visits each year – used advertising tech on its homepage that “collected and shared private and personal information” with third-party companies, in violation of HIPAA.
The AG office alleged that, between June 2016 and June 2022, NYP used third-party tools to track visitors to its website for marketing purposes as they researched information about various symptoms and conditions, searched for doctors, booked appointments and more.
Such tools use bits of code called tracking pixels that send data back to third-party developers when web pages load or when users click links, submit forms or search for specific terms.
That could relay information about users’ health to these third-party companies, who also had access to their IP address, and the URL of the web page or link that was clicked.
“Several third parties received unique identifiers that had been stored on users’ devices, allowing third parties to recognize users they had previously interacted with,” AG James’ office alleges. “One of the third parties also may have received first and last name, email address, mailing address, and gender information.”
NYP lacked appropriate internal policies and procedures for vetting its third-party tracking tools, the office alleges, and did not “review or vet third-party tracking tools for violations of policy or law prior to their deployment.”
In addition to the monetary penalty, as a result of the new settlement, NYP has agreed to a series of corrective actions, said James’ office. Among them: updating its policies and procedures around third-party online tools, and doing regular audits and tests before such tools are deployed to any NYP websites or apps.
Additionally, NYP will now conduct regular reviews of the contracts, privacy policies and terms of use associated with third-party tools, and will “instruct third parties to delete any protected health information they received.”
THE LARGER TREND
The attorney general’s office pointed other healthcare providers to guidance on HIPAA and tracking technologies: the policy bulletin published by the HHS Office for Civil Rights more than a year ago, in December 2022.
That of course was in response to the initial news about potential privacy issues related to U.S. health systems’ use of pixel-tracking tools, starting with a notice of a data breach from Advocate Aurora Health in October 2022.
Before long, senators were grilling leaders from Meta and other companies about their data collection policies as the scope of use of these new tracking technologies became apparent to healthcare consumers and regulators.
Soon, other hospitals and major health systems were announcing their own pixel-related breaches – and other federal agencies were sending warnings about how the tools are being put to use.
More recently, however, hospitals have been pushing back against HHS and its privacy rules, claiming that enforcement of OCR’s regulations on pixel tracking tools would disrupt the “balance that HIPAA and its regulations strike between privacy and information-sharing.”
Meanwhile, there are still ways pixel tracking can be used safely and in a manner that protects privacy.
ON THE RECORD
“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James in announcing the NYP settlement on Wednesday. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data.
“NewYork-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data,” she added. “Today’s agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients’ information.”
Mike Miliard is executive editor of Healthcare IT News.
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.