Hospital Websites Fail User Privacy Test, Have Inadequate Policies

Hospital website privacy policies and information disclosure are inadequate concerning how user information is transmitted to third parties and how the hospitals use third-party tracking technologies, according to the findings of a new investigation published in JAMA Network Open.¹

A team of investigators set out to answer the question, “Do hospital websites include privacy policies that accurately disclose their use of third-party tracking technologies?” by sampling 100 nonfederal acute care hospitals from across the US to assess their use of tracking technologies to transfer user information to third parties. They wanted to see if the privacy policies were accessible and comprehensive, and conducted their policy retrieval analysis between November 2023 and January 2024.

They first evaluated hospital websites (N = 100), using a random sampling technique, for the presence of tracking technologies; all of these hospitals were listed in the American Hospital Association database. Next, they searched for and identified hospital website privacy policies via standardized searches, with criteria that included their length and readability. They then analyzed the policies’ content with a data abstraction form and their characteristics via standard descriptive statistics. Their primary outcome of interest was website privacy policy availability, and secondary outcomes were policy length and readability, if the policies addressed user information collected by the websites, potential users of and third-party recipients of user information, and user rights.

In this investigation, IP address and contact information were the most common involuntary and voluntary information, respectively, collected on hospital websites | Image credit: oatawa - stock.adobe.com

“We distinguished between website privacy policies and notice of privacy practice (NPP) documents according to their content, regardless of how they were labeled,” the authors wrote. “A website privacy policy is a statement that describes how a website will collect, use, share, or sell data collected from users of the site, whereas an NPP describes how the institution will handle protected health information collected during clinical encounters and billing.”

The investigators were only able to locate privacy policies on 71% (95% CI, 61.6%-79.4%) of the hospital websites, despite 96% (95% CI, 90.1%-98.9%) of the hospital websites having evidence of user information sent to third parties. Among these 71 policies, however, 97.2% (95% CI, 91.4%-99.5%) did provide notice of the types of user information they collect, 98.6% (95% CI, 93.8%-99.9%) included some detail on how collected information would be used, 93% (95% CI, 85.3%-97.5%) noted the categories of third-party recipients, and 56.3% (95% CI, 44.5%-67.7%) named specific third-party users.

The most common involuntary user information collected was IP address by 80.3%, and the most common voluntary contact information from 94.4%. Most policies (73.2%) also noted the collected information would be used for marketing and advertising purposes and identified service providers (70.4%) as receiving the information. Google was the most common third-party company (49.3%).

Mean policy length was 2527 (95% CI, 2058-2997) words, and the authors found they were written at a college reading level. There were 90 websites for the 100 hospitals, due to several of the hospitals sharing a website because they belonged to the same health system. Fifty-eight of the hospitals were nonprofit hospitals, 24% were public hospitals, and 18% were for-profit hospitals. The most common hospital size was small (< 100 beds, 55%), followed by large (> 500 beds, 31%) and medium (100-499 beds, 14%).

Eighty percent of the identified privacy polices also addressed user privacy rights—the 2 most common were disabling site cookies (66.2%) and changing/deleting information collected (47.9%)—and 51% incorporated notice of privacy protections for special populations (children, 100%, and users with disability, 2.8%).

The study authors point to previous research that shows the average patient in the US reads at a grade 8 level and more than half of individuals aged 16 to 74 years—that’s 130 million people—lack comprehensive reading ability,^2,3 so they might not be aware of privacy provisions—or lack thereof—in lengthy, complicated privacy policies. These are policies that often lack information on how patient and user data are supplied to third parties, who sometimes are not named in said policies. Website privacy policies, the authors stressed, need to be comprehensive but still accessible, so users can make informed decisions about their website use.

“In addition to presenting risks for users, inadequate privacy policies may pose risks for hospitals,” the study authors concluded. With hospitals that have website privacy policies potentially being subject to federal and state oversight meant to ensure they walk the talk of those policies, “hospitals should carefully weigh the costs and benefits of including third-party trackers on their websites and should eliminate unnecessary third-party tracking technologies.”

References

1. McCoy MS, Wu A, Burdyl A, et al. User information sharing and hospital website privacy policies. JAMA Netw Open. 2024;7(4):e245861. doi:10.1001/jamanetworkopen.2024.5861

2. Morony S, Flynn M, McCaffery KJ, Jansen J, Webster AC. Readability of written materials for CKD patients: a systematic review. Am J Kidney Dis. 2015;65(6):842-850. doi:10.1053/j.ajkd.2014.11.025

3. Rothwell J. Assessing the economic gains of eradicating illiteracy nationally and regionally in the United States. Barbara Bush Foundation for Family Literacy. September 8, 2020. Accessed April 29, 2024. https://www.barbarabush.org/wp-content/uploads/2020/09/BBFoundation_GainsFromEradicatingIlliteracy_9_8.pdf