Summarize the issue/topic that you are reporting (think about the WHO, WHAT, WHERE, WHEN, WHY, and HOW aspects, as applicable)
How does this impact healthcare services? What implications are there, if any?
Add your personal insights and thoughts. How does the issue impact your thinking? Does it align with what you know or have learned so far? What questions are left unanswered? What do you want to explore further?
Hospitals
Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals
By Ari B. Friedman, Raina M. Merchant, Amey Maley, Karim Farhat, Kristen Smith, Jackson Felkins, Rachel E. Gonzales, Lujo Bauer, and Matthew S. McCoy
doi: 10.1377/hlthaff.2022.01205
HEALTH AFFAIRS 42, NO. 4 (2023): 508–515
©2023 Project HOPE—The People-to-People Health Foundation, Inc.
Ari B. Friedman (arib@alumni.upenn.edu), University of Pennsylvania, Philadelphia, Pennsylvania.
Raina M. Merchant, University of Pennsylvania.
Amey Maley, University of Pennsylvania.
Karim Farhat, University of Pennsylvania.
Kristen Smith, University of Pennsylvania.
Jackson Felkins, University of Pennsylvania.
Rachel E. Gonzales, University of Pennsylvania.
Lujo Bauer, Carnegie Mellon University, Pittsburgh, Pennsylvania.
Matthew S. McCoy, University of Pennsylvania.
ABSTRACT Computer code that transfers data to third parties (third-party
tracking) is common across the web and is subject to few federal privacy
regulations. We determined the presence of potentially privacy-compromising data transfers to third parties on a census of US
nonfederal acute care hospital websites, and we used descriptive statistics
and regression analyses to determine the hospital characteristics
associated with a greater number of third-party data transfers. We found
that third-party tracking is present on 98.6 percent of hospital websites,
including transfers to large technology companies, social media
companies, advertising firms, and data brokers. Hospitals in health
systems, hospitals with a medical school affiliation, and hospitals serving
more urban patient populations all exposed visitors to higher levels of
tracking in adjusted analyses. By including third-party tracking code on
their websites, hospitals are facilitating the profiling of their patients by
third parties. These practices can lead to dignitary harms, which occur
when third parties gain access to sensitive health information that a
person would not wish to share. These practices may also lead to
increased health-related advertising that targets patients, as well as to
legal liability for hospitals.
In 2021 Mass General Brigham and the
Dana-Farber Cancer Institute agreed to
an $18 million settlement with a group
of plaintiffs who claimed that the hospital networks had violated their privacy.1
Notably, the case did not involve medical records, personal health information, security
breaches, or unauthorized use of patients’ financial information. Rather, the plaintiffs alleged
that the hospital networks had not obtained sufficient consent when using third-party tracking
tools—including cookies and tracking pixels—
on the networks’ publicly accessible websites.
The plaintiffs’ charges reflect growing concern
about the privacy risks raised by third-party
tracking, particularly on websites where visitors’
browsing behavior may reveal sensitive information about their or their family members’ health
conditions to advertisers, data brokers, and other companies that seek to monetize it.2–4 Third-party tracking code is typically installed by website maintainers to add functionality such as
advertisement campaign monitoring or social
media linkage.5 However, health systems might
not fully appreciate the privacy implications of
the code,6 which allows third parties not subject
to the Health Insurance Portability and Accountability Act (HIPAA) to observe people’s browsing
behavior across hospital websites.7–9
Although prior research has shown that third-party tracking is prevalent across a range of
health-related websites,10–12 little is known about
Downloaded from HealthAffairs.org on April 21, 2023.
Copyright Project HOPE—The People-to-People Health Foundation, Inc.
For personal use only. All rights reserved. Reuse permissions at HealthAffairs.org.
the prevalence, quantity, and characteristics of
third-party tracking on hospital websites, despite the fact that for many patients, these websites are an essential point of contact to the
health system. Joshua Niforatos and colleagues
recently assessed third-party tracking on the
websites of sixty-one hospitals and found that
90 percent included at least one third-party cookie.13 However, their study was limited to the largest and highest-ranked hospitals and did not
assess for differences across hospital characteristics or the types of third parties to which data
were transferred. A recent investigation conducted by STAT and The MarkUp found that the
websites of thirty-three of Newsweek’s top 100
hospitals transferred data to Facebook, but the
investigation did not include hospitals outside
this group, nor did it detail other third-party data
recipients.14
In this analysis we aimed to assess the prevalence and quantity of third-party tracking across
the website home pages of all US acute care hospitals. Our secondary aims were to identify hospital characteristics associated with higher levels
of tracking and to assess whether third-party
tracking varied between hospital website home
pages and patient-facing web pages that contain
information about potentially sensitive health
conditions.
Study Data And Methods
Design We conducted a cross-sectional, prospective, observational study evaluating third-party
tracking on US hospital websites. Third-party
tracking was assessed on a rolling basis over a
three-day period (August 5–8, 2021).
Study Population We studied all US hospitals (N = 6,162) included in the 2019 American
Hospital Association (AHA) Annual Survey. The
AHA Annual Survey is the canonical source for
information on US hospitals and has a more than
90 percent response rate. Our primary analysis
consisted of nonfederal acute care hospitals in
the US and US territories, stratified according to
the populations they serve. Consistent with prior
studies, we defined nonfederal acute care hospitals as those that had an emergency department;
were not a freestanding long-term care facility or
an ambulatory surgical center; and were not under military, Indian Health Service, or other
federal control.15,16
Hospital URLs To obtain hospital website
home page URLs, we employed a distributed
search strategy using Amazon Mechanical Turk,
with manual verification by two study authors
(Karim Farhat and Amey Maley). For each hospital, three Amazon Mechanical Turk workers
were provided the name of the hospital and its
physical address, as listed in the AHA database,
and asked to perform a Google search for the
URL of the homepage of each hospital. If all three
workers provided the same URL or agreed that
the hospital had no website, the result was immediately accepted (n = 2,534). For the remaining cases (n = 3,628), a study author (Farhat or
Maley) manually reviewed and selected the correct URL or confirmed that the hospital had no
website.
Some hospitals shared a website, as they were
a part of a larger health system. In these cases,
the health system home pages were accepted as
valid hospital URLs.
Hospital Characteristics We obtained hospital characteristics from the AHA database and
the Census Bureau’s American Community Survey (ACS). The AHA database provided information on hospital name and address, health system membership, ownership type (nonprofit
versus for profit), number of beds, presence of
an emergency department, and medical school
affiliation reported to the AMA.
We used the 2019 five-year ACS to compile data
on race, ethnicity, and population size for ZIP
Code Tabulation Areas. Rural-urban commuting
area codes from the 2010 census were used to
assign an urbanicity score to each of a hospital
service area’s (HSA’s) constituent ZIP codes, as
defined in the Dartmouth Atlas of Health Care.
HSAs constitute a geographic area in which residents receive most of their hospitalizations
from the hospitals in that area, and they therefore serve as a proxy for where a resident in a
particular ZIP code would most likely seek treatment. Metropolitan and micropolitan areas were
categorized as urban, with all other areas being
considered rural. If an HSA consisted of both
rural and urban ZIP codes, it was classified as
urban. ACS ZIP code data were then aggregated
into HSAs by taking the average data of all ZIP
codes in a given HSA.
We defined rural hospitals as those having a
rural population percentage value in the top decile of all hospitals. We defined poverty-serving
hospitals as those having a percentage of patient
population living in poverty in the top decile.
We defined historically disadvantaged minority-serving hospitals as those with a Black or Hispanic patient population percentage in the top
decile, excluding Native American and other
populations from this calculation because of a
lack of available data.
Third-Party Tracking To assess the amount
and type of third-party tracking on each hospital’s home page, we visited each web page using
webXray, an open-source, automated tool designed to record third-party tracking, which has
previously been used in academic studies.10,11,17
For each web page we recorded data requests that
initiated data transfers to third-party domains.
Transfers typically occur when the web page
loads and include a user’s IP address and the
URL of the web page being visited. We also recorded the presence of cookies—small pieces of
data stored on a user’s browser that serve as
persistent identifiers—allowing users to be
tracked across multiple websites. We used the
webXray database to link individual tracking domains to their parent companies (for example,
doubleclick.net was determined to be owned by
Google, which is owned by Alphabet).
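As an added illustration (not webXray's code and not data from the study), the following Python example applies the counting described above to a constructed request log for one page load: it separates third-party from first-party requests, resolves each tracking domain to its ultimate parent company, and counts third-party cookies and the requests that carry the full page URL. The record fields (url, referer, set_cookie), the hospital.example and tracker.example hosts, the rule that one request equals one transfer, and the short suffix list standing in for the Public Suffix List are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, which a real audit should use.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed ownership table standing in for the domain-owner database named in the text.
DOMAIN_OWNER = {
    "doubleclick.net": "Google",
    "google-analytics.com": "Google",
    "facebook.net": "Facebook",
}
OWNER_PARENT = {"Google": "Alphabet", "Facebook": "Meta"}


def registrable_domain(host):
    """Reduce a hostname to the domain that is compared against the first party."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def ultimate_parent(domain):
    """Walk owner -> parent links to the top of the chain (doubleclick.net -> Google -> Alphabet)."""
    owner = DOMAIN_OWNER.get(domain)
    if owner is None:
        return "unidentified"
    seen = set()
    while owner in OWNER_PARENT and owner not in seen:  # guard against cycles
        seen.add(owner)
        owner = OWNER_PARENT[owner]
    return owner


def audit_page(page_url, requests):
    """Count third-party transfers, cookies and page-URL disclosures for one page load."""
    first_party = registrable_domain(urlsplit(page_url).hostname)
    by_domain, by_parent = Counter(), Counter()
    cookie_domains, url_disclosed = set(), 0
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if not host:  # data: and blob: URLs have no network destination
            continue
        domain = registrable_domain(host)
        if domain == first_party:  # subdomains of the hospital's own site are first party
            continue
        by_domain[domain] += 1  # assumption: each request is one transfer
        by_parent[ultimate_parent(domain)] += 1
        if req.get("set_cookie"):
            cookie_domains.add(domain)
        if req.get("referer") == page_url:  # full page URL sent to the third party
            url_disclosed += 1
    return {
        "total_transfers": sum(by_domain.values()),
        "by_domain": dict(by_domain),
        "by_parent": dict(by_parent),
        "cookie_domains": sorted(cookie_domains),
        "page_url_disclosed": url_disclosed,
    }


# Constructed request log for one page load (not data from the study).
PAGE_URL = "https://www.hospital.example/conditions/depression"
SAMPLE_REQUESTS = [
    {"url": "https://www.hospital.example/css/site.css", "referer": PAGE_URL},
    {"url": "https://cdn.hospital.example/js/app.js", "referer": PAGE_URL},
    {"url": "https://ad.doubleclick.net/pixel", "referer": PAGE_URL, "set_cookie": True},
    {"url": "https://stats.g.doubleclick.net/collect", "referer": PAGE_URL},
    {"url": "https://www.google-analytics.com/collect", "referer": PAGE_URL},
    {"url": "https://connect.facebook.net/sdk.js", "referer": PAGE_URL},
    {"url": "https://t.tracker.example/p.gif",
     "referer": "https://www.hospital.example/", "set_cookie": True},
    {"url": "data:image/gif;base64,R0lGODlhAQABAAAAACw="},
]

if __name__ == "__main__":
    for key, value in audit_page(PAGE_URL, SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

In the constructed log, the request to tracker.example carries only the site origin as its referer, so it counts as a transfer but not as a disclosure of the condition-specific page URL.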
To assess whether tracking differed between
hospital home pages and condition-specific web
pages within a hospital website, we selected 100
hospitals via simple random sampling and conducted a structured search of their websites. One
author (Jackson Felkins) used each hospital
website’s own search engine to locate web pages
covering six conditions that may reveal sensitive
information about users by searching for the
following terms: “Alzheimer’s,” “breast cancer,”
“congestive heart failure,” “Crohn’s disease,”
“depression,” and “HIV.” We recorded the URL
for the first patient-facing web page returned in
the search results. Using webXray, we visited the
condition-specific URLs and the same hospitals’
home pages and recorded all third-party data
requests.
Statistical Analysis We calculated the percentage of hospital home pages with any third-party data transfer and any third-party cookie,
both overall and by hospital type. Our primary
outcome measure was the number of third-party
transfers on hospital home pages. The number of
third-party transfers has important implications
for users’ privacy because it directly captures the
scale of dignitary harms that people suffer when
third parties gain access to their sensitive health
information7 and because it correlates with the
probability of data resale or targeted advertisement. We calculated the median number and
interquartile range of third-party transfers per
hospital home page and used the nonparametric
equality-of-medians test to examine whether the
number of third-party transfers differed by hospital characteristics. We used medians and correlation coefficients to compare tracking between
condition-specific pages and hospital home pages. In adjusted analyses, we used linear regression with clustering by health system, with the
number of third-party transfers as the dependent
variable and with the following independent variables: hospital size, region, ownership type, system membership, medical school affiliation, location (rural versus urban), poverty serving, and
minority serving. Sensitivity analyses explored
additional definitions of medical school affiliation. The variance inflation factor identified no
covariates with multicollinearity.
Statistical analysis was conducted using Stata
IC, version 16.1. All hypothesis tests were two
tailed, using an α level of 0.05. As this study used
publicly available data, it was considered exempt
from Institutional Review Board review.
Limitations This study had limitations. First,
we investigated only two modes of tracking: data
transfers to third-party domains and third-party
cookies. Because other modes of tracking exist,
such as browser fingerprinting, we likely underestimated the extent of third-party tracking on
hospital home pages. Second, we were unable to
assess tracking on password-protected sections
of hospital websites, including patient portals.
Third, we could not differentiate between uses of
the data once transferred. However, although
some third parties use data transfers to provide
a service without using those data for other purposes, such as targeted advertising or resale, the
majority are known to use the data, including on
hospital pages.14 Fourth, to assess whether tracking differed between hospital home pages and
condition-specific pages, we analyzed a subset of
hospital websites with patient-facing web pages
for six specific conditions. Hospitals with such
web pages may differ from those without them.
Finally, we did not assess longitudinal trends in
tracking because of data limitations.
Study Results
We identified 3,747 nonfederal acute care hospitals with accessible websites, as shown in online
appendix exhibit S1.18 Overall, 98.6 percent of
hospital website home pages had at least one
third-party data transfer, whereas 94.3 percent
had at least one third-party cookie (exhibit 1).
Alphabet (the parent company of Google) was
the most common tracking entity among all hospitals in the sample, with 98.5 percent of all
home pages reporting third-party transfers to
this entity. Other common third-party entities
included Meta (55.6 percent), Adobe Systems
(31.4 percent), and AT&T (24.6 percent). The
twenty-five most prevalent third-party entities
are reported in exhibit 2. Data transfers to
third-party domains whose parent company
could not be identified were present on 69.0 percent of home pages.
Overall, hospital website home pages had a
median of sixteen third-party transfers. The median number of third-party transfers per home
page differed across hospital characteristics in
unadjusted analyses (exhibit 3 and appendix
exhibit S2).18 Medium-size hospitals had a significantly higher median number of third-party
transfers (twenty-four) compared with both
small (seventeen) and large (thirteen) hospitals.
Nonprofit hospitals had a greater median number of third-party transfers (twenty-two) than
both public (eleven) and for-profit (thirteen)
hospitals. Hospitals in a health system had a
greater number of third-party transfers than independent hospitals (median, twenty-one versus
ten), whereas hospitals with a medical school
affiliation had a greater number of third-party
transfers than those without an affiliation (median, twenty versus fifteen). Urban hospitals had
a greater number of third-party transfers than
rural hospitals (median, seventeen versus eleven). Finally, non-poverty-serving hospitals had a
greater number of third-party transfers than poverty-serving hospitals (median, seventeen versus
thirteen). Compared to hospitals with any third-party data transfers, the small number (fifty-two,
1.4 percent) of hospitals on whose websites we
did not observe third-party transfers were substantially (at least 10 percentage points) less likely to be part of a system, to have an academic
affiliation, and to be nonprofit and more likely to
be poverty serving, minority serving, and public
(see appendix exhibit S3).18
In multivariate regression analysis, several
factors were associated with a significantly greater number of third-party transfers on hospital
website home pages (exhibit 4). Membership
in a health system was associated with an increase of 10.0 third-party transfers compared
with non–system membership (p < 0.001). Having a primarily urban patient population was
associated with an average of 3.6 more third-party transfers (p < 0.001). Finally, having a
medical school affiliation was associated with
1.8 more third-party transfers after adjustment
(p < 0.05). Results from sensitivity analyses are
in appendix exhibit S4.18
Our manual search of 100 randomly sampled
hospital websites for patient-facing pages related to six potentially sensitive conditions yielded
thirty websites that had patient-facing pages for
all six conditions. Across these thirty websites,
100 percent of condition-specific pages had at
least one third-party data transfer. The number
of third-party transfers was similar between condition-specific pages and the hospitals’ home
pages, with a median of 18–22 third-party transfers per condition-specific page compared with a
median of 22 per home page. The amount of
tracking on condition-specific pages was highly
correlated with tracking on the home page of the
same hospital, with condition-specific correlation coefficients ranging from 0.87 to 0.95
(see appendix exhibit S5).18
Exhibit 1
Descriptive characteristics of nonfederal acute care US hospitals (2019) and frequency of
third-party tracking tools on hospital websites (2021)
                                  Hospitals          Hospital websites with:
Characteristics                   Number   Percent   Third-party  Third-party
                                                     transfer     cookie
Overall                           3,747    100.0     98.6%        94.3%
Size [a]
  Small (fewer than 100 beds)     1,814    48.4      98.7         94.2
  Medium (100–499 beds)           694      18.5      99.3         98.9
  Large (500 or more beds)        1,239    33.1      98.1         91.9
Region
  Northeast                       452      12.1      99.6         95.8
  Midwest                         816      21.8      98.7         93.8
  South                           1,657    44.2      98.4         94.2
  West                            774      20.7      98.6         95.1
  Puerto Rico                     48       1.3       95.8         81.3
Ownership
  For profit                      754      20.1      98.5         93.0
  Not for profit                  2,275    60.7      99.0         96.7
  Public                          714      19.1      97.5         88.2
  Unknown                         4        0.1       100.0        50.0
System membership [b]
  Part of a system                2,434    65.0      99.5         97.4
  Not part of a system            1,313    35.0      97.0         88.6
Medical school affiliation
  Yes                             1,199    32.0      99.4         97.5
  No                              2,548    68.0      98.2         92.8
Location
  Rural [c]                       646      17.2      97.8         90.1
  Urban                           3,101    82.8      98.8         95.2
Poverty serving [d]
  Yes                             398      10.6      97.0         91.7
  No                              3,349    89.4      98.8         94.6
Minority serving [e]
  Yes                             695      18.6      97.7         92.1
  No                              3,052    81.5      98.8         94.8
SOURCE Authors’ analysis of hospital website home pages, with tracking assessed via the webXray
tool, August 2021; and hospital characteristics from the American Hospital Association (AHA) Annual
Survey, 2019. [a] Total number of general medical and surgical beds. [b] Defined as hospitals with a listed
system name in the AHA database. [c] Defined as having a rural population percentage value in the top
decile of all hospitals. [d] Defined as hospitals with a percentage of patient population living in poverty
in the top decile. [e] Defined as hospitals with a Black or Hispanic patient population percentage in the
top decile.
Exhibit 2
Number of US hospital websites transferring data to a given tracking entity parent
company, 2021
Parent companies      Number   Percent
Alphabet [a]          3,691    98.5
Meta [b]              2,083    55.6
Adobe Systems         1,177    31.4
AT&T                  922      24.6
The Trade Desk        813      21.7
Oracle                802      21.4
Verizon               791      21.1
Rubicon Project       712      19.0
Amazon                689      18.4
Microsoft             671      17.9
Hotjar                629      16.8
StackPath             596      15.9
Siteimprove           592      15.8
Cloudflare            592      15.8
Acxiom                551      14.7
Salesforce            543      14.5
Telenor               532      14.2
Nielsen Online        476      12.7
Lotame                446      11.9
Fonticons             446      11.9
JS Foundation         420      11.2
Crazy Egg             408      10.9
Golden Gate Capital   408      10.9
Drawbridge            386      10.3
SOURCE Authors’ analysis of hospital website home pages, with tracking assessed via the webXray
tool, August 2021. NOTE Of these hospital website home pages, 2,585 pages (69.0 percent)
transferred third-party data to at least one domain whose parent entity could not be identified
in the webXray database. [a] Parent company of Google. [b] Parent company of Facebook.
Discussion
Our results demonstrate that across the websites
of 3,747 nonfederal acute care hospitals in the
US, third-party tracking is ubiquitous and extensive, with hospital website home pages initiating
a median of sixteen third-party data transfers.
Hospital websites transfer data to numerous
third parties, including some of the largest technology and social media companies, advertising
firms, and data brokers. In addition, our analysis
of a random sample of hospital websites revealed
no substantial difference between the amount of
third-party tracking on hospital home pages and
condition-specific web pages.
Thus, despite being subject to HIPAA’s stringent privacy measures for protected health information, nearly all hospitals allow third parties
to capture data about how patients and other
users navigate their websites. A recent investigative report revealed that in some instances, data
transfers from hospital websites to third parties
may include protected health information regarding patients’ prescriptions and doctor appointments and, hence, constitute HIPAA violations.14 Our analysis suggests that if this
phenomenon occurs across even a small proportion of third-party data transfers on hospital
websites, many patients may be exposed to such
violations.
In addition, a December 2022 bulletin issued
by the Department of Health and Human Services (HHS) Office for Civil Rights clarified that
HIPAA rules apply even to regulated entities’
unauthenticated web pages, including web pages
“with general information about the regulated
entity like their location [or] services they provide.”19 The bulletin notes, for example, that including tracking code that collects a person’s IP
address on an “unauthenticated webpage that
addresses specific symptoms or health conditions” would constitute the disclosure of protected health information to the tracking technology vendor. This guidance implies that
HIPAA rules would apply to a potentially vast
number of third-party data transfers on hospital
websites.
We found that hospitals in health systems,
hospitals with a medical school affiliation, and
hospitals serving more urban patient populations all exposed website visitors to more third-party data transfers. Although further research is
needed to examine the causes of this discrepancy, it may be influenced by multiple factors.
These hospitals may strive to include more features on their websites, and the additional tracking is a product of including third-party functionality, such as embedding a Google Maps
product onto a site. Alternatively, these hospitals
may engage in higher levels of online advertising
to drive revenues, and the third-party tracking is
a consequence of the perceived need to monitor
these advertising campaigns by installing tracking tools.
The high number of entities engaged in tracking on hospital websites heightens potential privacy risks to patients. Many of the third parties to
which data are transferred have business models
built on identifying and tracking people for the
purposes of targeting online advertisements. Alphabet does not sell data to third parties but,
rather, allows targeted advertising through profiles, including the targeted promotion of prescription drugs. Less prevalent tracking entities
are more varied in their policies and purposes,
including tracking companies that sell their data
on to third parties (for example, Acxiom)20 or
allow health-related profiling (for example, Adobe and Oracle).21,22 These practices have led to
lists of patients with particular disease types and
their information, including their telephone
numbers and home addresses, being available
Exhibit 3
Number of third-party data transfers per website (2021), by 2019 hospital characteristics
                                  Hospitals          Number of third-party transfers
Characteristics                   Number   Percent   Median   IQR       p value
Overall                           3,747    100.0     16       10, 29
Size
  Small (fewer than 100 beds)     1,814    48.4      17       10, 30
  Medium (100–499 beds)           694      18.5      24       15, 36
  Large (500 or more beds)        1,239    33.1      13       7, 22
Region
  Northeast                       452      12.1      19       12, 32
  Midwest                         816      21.8      15       8, 28
  South                           1,657    44.2      16       10, 30
  West                            774      20.7      16       9, 31
  Puerto Rico                     48       1.3       5        4, 10
Ownership
  For profit                      754      20.1      13       10, 17
  Not for profit                  2,275    60.7      22       12, 36
  Public                          714      19.1      11       6, 19
  Unknown                         4        0.1       3.5      2, 6.5
System membership
  Yes                             2,434    65.0      21       13, 35
  No                              1,313    35.0      10       5, 17
Medical school affiliation
  Yes                             1,199    32.0      20       12, 34
  No                              2,548    68.0      15       8, 27
Location
  Rural                           646      17.2      11       6, 21
  Urban                           3,101    82.8      17       11, 31
Poverty serving
  Yes                             398      10.6      13       8, 25
  No                              3,349    89.4      17       10, 30
Minority serving
  Yes                             695      18.6      16       9, 28
  No                              3,052    81.5      16       10, 30