New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.
NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, NYP was contacted by a journalist from The Markup and was informed that these tools were capable of transmitting sensitive information to the third-party providers of the tools, including information classified as protected health information under HIPAA.
On June 16, 2023, The Markup published an article about the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any privacy violations. NYP determined that PHI had potentially been impermissibly disclosed and reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, as involving the protected health information (PHI) of up to 54,396 individuals.
NY Attorney General Launches HIPAA Investigation
NY Attorney General, Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York laws. The investigation confirmed that NYP had added several tracking tools to its website that were provided by third parties such as Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to trigger on certain user events on its website. Most were configured to send information when a webpage loaded, and some sent information in response to clicks on certain links, the transmission of forms, and searches conducted on the site. The snippets of information sent to third parties included information about the user’s interactions on the website, including the user’s IP address, URLs visited, and searches. The tools provided by Google, Meta, and the Trade Desk also received unique identifiers that had been stored in cookies on the user’s devices.
Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.
The tracking tools from Meta, Google, and the Trade Desk were used to serve previous website visitors with targeted advertisements based on their previous interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors based on the pages they visited and used Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served targeted advertisements on other third-party websites related to prostate cancer.
Commonly Used Website Tracking Tools Violate HIPAA
These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.
The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate policies and procedures for vetting third-party tracking tools. The New York Attorney General determined that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits disclosure of PHI, and § 164.530(c) and (i), which requires administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63 (12), by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.
Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws
NYP fully cooperated with the investigation and chose to settle the alleged violations with no admission or denial of the findings of the investigation. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63 (12), General Business Law § 899-aa, and the HIPAA Privacy Rule Part 164 Subparts E and the HIPAA Breach Notification Rule 45 C.F.R. Part 164 Subpart D concerning the collection, use, and maintenance of PHI. NYP is also required to contact all third parties that have been sent PHI and request that information be deleted and NYP has agreed to conduct regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app, and conduct regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools.
NYP is also required to clearly disclose on all websites, mobile applications, and other online services it owns or operates, all third parties that receive PHI as the result of a pixel, tag, or other online tool, and provide a clear description of the PHI that is received. The notice must be placed on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, as well as any webpage that addresses specific symptoms or health conditions.
OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.
“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”
A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”
The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.