Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals

Abstract

Computer code that transfers data to third parties (third-party tracking) is common across the web and is subject to few federal privacy regulations. We determined the presence of potentially privacy-compromising data transfers to third parties on a census of US nonfederal acute care hospital websites, and we used descriptive statistics and regression analyses to determine the hospital characteristics associated with a greater number of third-party data transfers. We found that third-party tracking is present on 98.6percent of hospital websites, including transfers to large technology companies, social media companies, advertising firms, and data brokers. Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed visitors to higher levels of tracking in adjusted analyses. By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties. These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.