Hospital websites fail user privacy test, have inadequate policies

Hospital website privacy and information disclosure policies are inadequate in describing how user information is transmitted to third parties and how hospitals use third-party tracking technologies, according to the results of new research published in JAMA Network Open.1

A team of researchers set out to answer the question, "Do hospital websites include privacy policies that accurately disclose their use of third-party tracking technologies?" by sampling 100 non-federal acute care hospitals across the US to assess their use of tracking technologies to transfer user information to third parties. They wanted to see if privacy policies were accessible and comprehensive, and conducted the policy retrieval analysis between November 2023 and January 2024.

They first assessed hospital websites (N = 100), using a random sampling technique, for the presence of tracking technologies; all of these hospitals were included in the American Hospital Association database. They then searched for and identified hospital website privacy policies using standardized searches, with criteria including length and readability. They then analyzed the content of the policies with a data abstraction form and their characteristics using standard descriptive statistics. Their primary outcome of interest was website privacy policy availability, and secondary outcomes were policy length and readability, whether policies addressed user information collected by websites, potential users and third-party recipients of user information, and user rights.

In this research, IP address and contact information were the most common involuntary and voluntary information, respectively, collected on hospital websites | Image credit: oatawa – stock.adobe.com

"We distinguished between website privacy policies and Notice of Privacy Practices (NPP) documents based on their content, regardless of how they were labeled," the authors wrote. A website privacy policy is a statement that describes how a website will collect, use, share or sell data collected from users of the site, while an NPP describes how the institution will handle protected health information collected during clinical encounters and billing.

Researchers were only able to locate privacy policies on 71% (95% CI, 61.6%-79.4%) of hospital websites, although 96% (95% CI, 90.1%-98.9%) of hospital websites had evidence of user information being sent to third parties. However, of these 71 policies, 97.2% (95% CI, 91.4%-99.5%) provided a warning about the types of user information they collect, 98.6% (95% CI, 93.8%-99.9%) included some details about how the information collected would be used, 93% (95% CI, 85.3%-97.5%) noted the categories of third-party recipients and 56.3% (95% CI, 44.5%-67.7%) named specific third-party users.

The most common involuntary user information collected was IP address, at 80.3%, and the most common voluntary information was contact information, at 94.4%. Most policies (73.2%) also noted that the information collected would be used for marketing and advertising purposes and identified service providers (70.4%) as receiving the information. Google was the most common third-party company (49.3%).

The average policy length was 2527 (95% CI, 2058–2997) words, and the authors found that the policies were written at a college reading level. There were 90 websites for the 100 hospitals, as several hospitals shared a website because they belonged to the same health system. Fifty-eight of the hospitals were not-for-profit hospitals, 24% were public hospitals, and 18% were for-profit hospitals. The most common hospital size was small (< 100 beds, 55%), followed by large (> 500 beds, 31%) and medium (100-499 beds, 14%).

Eighty percent of the privacy policies identified also addressed user privacy rights, the 2 most common being disabling site cookies (66.2%) and changing/deleting collected information (47.9%), and 51% incorporated notice of privacy protections for special populations (children, 100%, and users with disabilities, 2.8%).

The study authors point to previous research showing that the average patient in the United States reads at an 8th grade level and that more than half of individuals between the ages of 16 and 74 (130 million people) do not have full reading ability,2,3 so they may not be aware of the privacy provisions, or the lack thereof, in such long and complicated privacy policies. These are policies that often lack information about how patient and user data is provided to third parties, which are sometimes not named in these policies. Website privacy policies, the authors emphasized, should be comprehensive but still accessible, so that users can make informed decisions about their website use.

In addition to presenting risks to users, inadequate privacy policies can pose risks to hospitals, the study authors concluded. With hospitals that have website privacy policies potentially subject to federal and state oversight to ensure they communicate those policies, hospitals should carefully weigh the costs and benefits of including third-party trackers on their websites and should remove unnecessary third-party tracking technologies.

References

1. McCoy MS, Wu A, Burdyl A, et al. Hospital Website User Information Sharing and Privacy Policies. JAMA Netw Open. 2024;7(4):e245861. doi:10.1001/jamanetworkopen.2024.5861

2. Morony S, Flynn M, McCaffery KJ, Jansen J, Webster AC. Readability of written materials for CKD patients: a systematic review. Am J Kidney Dis. 2015;65(6):842-850. doi:10.1053/j.ajkd.2014.11.025

3. Rothwell J. Assessing the economic gains of eradicating illiteracy at the national and regional levels in the United States. Barbara Bush Foundation for Family Literacy. September 8, 2020. Accessed April 29, 2024. https://www.barbarabush.org/wp-content/uploads/2020/09/BBFoundation_GainsFromEradicatingIlliteracy_9_8.pdf
