Each week, Health Affairs' Rob Lott brings you in-depth conversations with leading researchers and influencers shaping the big ideas in health policy and the health care industry.
A Health Podyssey goes beyond the pages of the health policy journal Health Affairs to tell stories behind the research and share policy implications. Learn how academics and economists frame their research questions and journey to the intersection of health, health care, and policy. Health policy nerds rejoice! This podcast is for you.
00;00;00;03 - 00;00;25;22
Alan Weil
Hello and welcome to “A Health Podyssey”. I'm your host, Alan Weil. It seems you can't go to a website these days without being asked to click on one of various buttons regarding the cookies they're going to collect. And of course you can't go to the doctor or any other health care provider without signing a bunch of HIPAA forms that tell you how your data are going to be used.
00;00;26;05 - 00;00;51;23
Alan Weil
But we occasionally read of data breaches or egregious misuse of data, but at least for someone like me, it's hard to navigate this terrain. What are the risks? What choices should I be making? How does the health sector intersect with the massive amount of seemingly anonymous data collection that's undertaken by major technology companies? That's the topic of today's episode of “A Health Podyssey”.
00;00;52;10 - 00;01;18;28
Alan Weil
I'm here with Matthew McCoy, assistant professor of medical ethics and health policy at the University of Pennsylvania. Dr. McCoy and coauthors published a paper in the April 2023 issue of Health Affairs, examining third party data tracking on hospital website home pages. They found that almost all of these websites feature third party data tracking with large amounts of data transfer from these websites to other locations.
00;01;19;05 - 00;01;25;24
Alan Weil
We'll discuss these findings and their implications in today's episode. Dr. McCoy, welcome to the program.
00;01;26;15 - 00;01;27;13
Dr. Matthew McCoy
Thank you for having me on.
00;01;28;24 - 00;01;48;14
Alan Weil
This is a topic that, you know, every time I touch it, I'm like, boy, there is so much I don't know. So I'm going to assume that at least some of our listeners are at the same place I am. Can you just start with some of the basics, when you're studying third party tracking, what is that and why would it exist on a hospital website?
00;01;49;05 - 00;02;18;25
Dr. Matthew McCoy
So at the most basic level, a third party tracking technology is a code or a script that's inserted into a website, and it captures information about how an individual uses that website. So what pages they look at, how long they look at them, what links they click on, and it transfers that information to a third party. And as you mentioned in your introduction, I think most of us who use the web are vaguely aware of this phenomenon of tracking because we see these sorts of cookie notices pop up and ask us to consent.
00;02;19;12 - 00;02;35;00
Dr. Matthew McCoy
But I think it's important to say that these technologies are designed to be sort of invisible to users. They operate in the background so that while you're browsing a website, information about that is sort of surreptitiously being transferred to third parties who are getting a record of what you're doing on that website.
00;02;36;14 - 00;02;42;15
Alan Weil
So why would a hospital website want to have cookies or tracking like this?
00;02;42;15 - 00;03;13;23
Dr. Matthew McCoy
Yeah, so hospitals, like most institutions who install these kinds of tools on their website, they do it primarily because they want access to the services and the functionality that third party tracking vendors provide them. So that might be things like website analytics so they can understand who's coming to their website, what kind of links they're most interested in clicking on; might be things like monitoring the performance of advertising campaigns so they can see whether or not advertisements that they have out on the web are generating click backs to the website.
00;03;14;04 - 00;03;32;08
Dr. Matthew McCoy
Maybe things like linkages to social media or other kinds of widgets that they can put on the website to boost functionality and make it a better experience for people. And what I would say is that, you know, these technologies, they're usually free to the end user, so they're free to the hospitals, but of course they're not free in the larger sense.
00;03;32;08 - 00;03;47;08
Dr. Matthew McCoy
The companies that are developing these technologies, they're not doing it out of a sense of altruism. They're getting paid in another way. So what they're getting in response for offering these free technologies is a bunch of data about the people who are using the websites that their trackers are on.
00;03;48;11 - 00;04;16;09
Alan Weil
Yeah. So when you started answering the question, I thought, well, that's pretty innocuous. If the hospital wants to know whether the people who come to their website homepage live in the general area of the hospital or they're further away and they're trying to figure out how to market their services, you know, no harm, no foul. Then when you say this comes free, which means someone's using the data and they're scraping huge amounts, and this term “third party” is rather ominous,
00;04;16;22 - 00;04;34;14
Alan Weil
and I think, who are these third parties and what are they doing with it? Can you say a little bit more about that? So the data leave the hospitals, you know, analytics and go to this massive data warehouse in the sky somewhere and what can happen to it there?
00;04;34;23 - 00;05;05;14
Dr. Matthew McCoy
Yes. So what I would say is the first observation here is this whole world is pretty opaque and we don't actually have a ton of transparency into it. But I can say some general things about this ecosystem and the companies that are involved. So some of the most prolific trackers are, you know, big tech companies that everybody's heard about: Google, Facebook, Amazon. A lot of trackers are also digital advertising companies that I would think most consumers, most patients probably don't know the names of.
00;05;05;14 - 00;05;27;19
Dr. Matthew McCoy
But I would say that these companies know an awful lot about you. So, you know, these big tech companies, which are essentially advertising businesses and these other digital advertising companies, you know, for the most part, they want the data for the same reason. They want data about individuals so they can profile those individuals and send them targeted advertisements for things that they might want to buy.
00;05;27;28 - 00;05;46;04
Dr. Matthew McCoy
Or conversely, they might identify people who they say, well, we want to make sure this person doesn't get a certain offer, they don't get a certain targeted advertisement because they don't have the characteristics that we're looking for in a potential consumer base. But in addition to these advertising companies, there's also data brokers that are active in the tracking ecosystem.
00;05;46;15 - 00;06;21;21
Dr. Matthew McCoy
And these are companies whose whole business model involves collecting and merging a whole bunch of information about individuals so they can develop really detailed profiles about individuals or households, and they sell those on to financial institutions, employers; and these kinds of profiles, you know, they give you a fine grained understanding of the risk that a certain person might pose so that a bank can decide whether or not they want to make a loan to this person or an employer can decide whether or not they want an advertisement for a job to appear in this person's feed.
00;06;22;28 - 00;06;44;13
Alan Weil
Okay. Well, we're going to need to talk a lot more about some of those uses. But before we do that, let's get to some of the basic findings in the paper. In the paper you reach some conclusions regarding how common these tracking devices are, how much data flows from them, and a little bit about which kinds of hospitals are more likely to use them.
00;06;44;20 - 00;06;51;21
Alan Weil
So can you give us sort of the top line findings and then we're going to go much deeper into what the concerns are that arise from them?
00;06;52;14 - 00;07;13;25
Dr. Matthew McCoy
Yeah, absolutely. And maybe it would even be helpful to say a little bit about what was known about this phenomenon on hospital websites before we launched this study. So there had been a couple of really interesting but smaller scale studies looking at, you know, Newsweek’s top 100 hospitals and identifying the presence of a Facebook tracker, a single tracker on these hospital websites.
00;07;14;10 - 00;07;40;25
Dr. Matthew McCoy
And these are really important findings. But what we wanted to try to do with this study was something much more comprehensive. So we wanted to look at tracking across basically all nonfederal acute care hospitals in the United States. So what we ended up finding is that, you know, across these hospitals we identified about 3700 individual websites. There's slightly fewer websites than there are hospitals because some hospitals that are part of a system share a website.
00;07;41;10 - 00;08;12;15
Dr. Matthew McCoy
And in a word, what we found with the tracking is that it's pervasive. So virtually all of the hospital websites that we looked at included at least some third party tracking technologies. The actual number was 98.6 and the few hospital websites we found that didn't have tracking technologies were very basic, rudimentary sort of websites. And I can drill down and give you a little bit more information on particular findings about, you know, the volume of data transfers we observed and where they were flowing to.
00;08;13;02 - 00;08;28;11
Alan Weil
Yeah, say just a little about that. I mean, I think someone who wants the details will look at the paper as they should. I'm eager to get back to sort of what do we do about this. But you did have some interesting findings both about the amount of data transferred and a little bit about differences across hospital characteristics.
00;08;28;11 - 00;08;30;21
Alan Weil
So love to have you report that out.
00;08;31;05 - 00;08;51;20
Dr. Matthew McCoy
Yeah, absolutely. So we observed a median of 16 third party data transfers per hospital website, which is really quite high when you think about it. I mean, the idea that a single company might be getting a record of what you're doing on a hospital website might be disturbing enough. Multiply that by 16 and I think it's even a little bit more concerning.
00;08;52;06 - 00;09;21;20
Dr. Matthew McCoy
And as you said, one of the things we wanted to know was whether or not the levels of tracking differed by hospital type. And one of the things we found was that, you know, the hospital characteristics associated with more tracking were things like membership in a health system. And quite interestingly, you know, affiliation with an academic health center and we don't know for sure, but we have a couple of hypotheses about why that might be the case that I'm happy to talk about.
00;09;21;20 - 00;09;24;04
Dr. Matthew McCoy
If that's of interest.
00;09;24;04 - 00;09;53;21
Alan Weil
Well, I tell you what, we may or may not have time for that. I'm so interested in getting into the implications that I think I'm going to turn first to that and then we'll round out the story as we go. Let me just start with sort of the what feels to me like the obvious question that comes to mind, which is that when you work in health care, you're constantly familiar with HIPAA, and that creates incredibly tight restrictions on the uses of data.
00;09;53;21 - 00;10;15;00
Alan Weil
And then you're describing this sort of wild west of not much regulation, very little transparency. So how when these two systems come together, the highly regulated world of health data and the unregulated world of sort of consumer data, how do we even think about the relationship between these two regulatory regimes?
00;10;15;11 - 00;10;35;20
Dr. Matthew McCoy
Yeah, it's a great question. And I think for a long time we didn't really have a clear sense of how we should bring these two things together. But just recently, in December ‘22, the Office of Civil Rights (OCR) and the Department of Health and Human Services, which is the body that's responsible for enforcing HIPAA, you know, they weighed in with guidance on this question.
00;10;36;02 - 00;11;11;27
Dr. Matthew McCoy
And as you say, I think anybody who works in health care or who reads this journal probably has, you know, a pretty good awareness of HIPAA. And they understand that under HIPAA, covered entities like hospitals can't go around disclosing protected health information for marketing services unless there is, you know, express consent from the patients. But I think what was unclear and the reason that OCR wanted to offer some thoughts on this issue is that, you know, it wasn't clear whether the data transfers that were being effected by trackers would constitute the disclosure of PHI (Protected Health Information).
00;11;11;27 - 00;11;17;13
Dr. Matthew McCoy
And this guidance from OCR, which I'm happy to talk about, I think it's finally shed some light on that question.
00;11;18;22 - 00;11;59;14
Alan Weil
Okay. So I'm eager to get a deeper understanding of the concerns that are raised by these practices and what we should do about them. We'll talk about those topics after we take a short break. And we're back. I'm speaking with Dr. Matthew McCoy about third party tracking on hospital websites. So we've learned that this is ubiquitous. Almost every hospital does this tracking and its relationship to HIPAA is a bit complex.
00;11;59;14 - 00;12;20;12
Alan Weil
We've learned that the federal agency Office of Civil Rights has weighed in a little bit on this. But I still want to get my head around some of the implications. So earlier in the conversation, you mentioned this notion of profiles, and I can see them sort of in two different ways, and I guess I'd like your help navigating them.
00;12;20;12 - 00;12;47;25
Alan Weil
So one is sort of generic profiles. ‘Well, the people who come to our hospital website live in these kinds of neighborhoods which have this level of income, and, you know, we want to target advertising to them because we have a sense of their income.’ I may find that a little obnoxious, but it doesn't seem very threatening. But then you describe things like bank loans and employment.
00;12;47;25 - 00;13;16;02
Alan Weil
And I'm thinking, wait a minute, if I go to a hospital website looking for cancer care and someone traces that all the way back to Alan Weil sitting at his computer at home is looking for cancer care at a hospital and so when he applies for life insurance, you might want to deny him that. Boy, that sets off like a whole different level of alarm bells.
00;13;16;08 - 00;13;42;17
Alan Weil
So I realize you said earlier that this is a fairly opaque area. And I'm sure based on your study alone, you can't tell me whether or not they are tying this back to me as an individual. But can you help me navigate like how individualized is this? And what does it mean to have a profile? How could it come back to hurt me as an individual?
00;13;43;26 - 00;14;10;02
Dr. Matthew McCoy
Yeah, it's a great question. And this is something that OCR was trying to think about in the guidance it issued. So in these data transfers to third parties, you know, there can be different pieces of information. You know, sometimes it might include something like your email address or your name that you entered into a web form on the hospital website and you can understand how that very clearly can link you as an individual to the web browsing that you've been doing.
00;14;10;16 - 00;14;33;03
Dr. Matthew McCoy
But quite often these data transfers include IP addresses, which we might not think about as a unique fingerprint of who we are. But for the companies that collect this data, it's a fairly trivial matter these days to link different pieces of web browsing together and back to a concrete individual with a name and an address using the IP address.
00;14;33;03 - 00;14;55;24
Dr. Matthew McCoy
And that's why IP address is one of the 18 personal identifiers that are explicitly specified in the HIPAA legislation. So, you know, this understanding that an IP address could be used to link health information to an individual has long been out there. And I think now what we're seeing is that, you know, tracking is a mechanism by which this might be happening on a totally widespread scale.
00;14;56;18 - 00;15;47;00
Alan Weil
Okay. So I'm glad you brought that up because, of course, HIPAA has some very specific provisions regarding the information that can be shared in an anonymized form to enable certain kinds of analytics that it's viewed are not going to pose a risk to revealing personally identifiable information. It sounds to me like what's going on here is we have this highly regulated ecosystem governed by HIPAA, and then we have this very unregulated world out there where re-identification and linkages across different data types can occur without much regulation, because that ecosystem is not part of HIPAA, if you will.
00;15;47;25 - 00;16;12;11
Alan Weil
The risk here is that the HIPAA covered entities are transferring enough data over to that other ecosystem where there isn't regulation that even though the hospital itself isn't sitting there doing something to re-identify the data and hand it over, it's creating the risk that that could occur in an unregulated world with lots of untoward consequences for people like me.
00;16;12;11 - 00;16;17;03
Alan Weil
Is that, am I kind of getting what the concerns are here?
00;16;17;12 - 00;16;43;18
Dr. Matthew McCoy
Yeah, I think that's a decent way to put it. So, you know, in this study we didn't look at the contents of the data flows. But, you know, other investigations into this phenomenon by reporters have found that even a single data flow from somebody browsing on a hospital website to a third party might include information like their email appointment information for a visit that they have scheduled with their doctor.
00;16;43;28 - 00;17;05;03
Dr. Matthew McCoy
So there are some instances in which, you know, the data being transferred is itself readily identifiable. But I think you're absolutely right that the bigger concern that we should have is that data that in isolation maybe doesn't look like much, is one piece of a puzzle that the companies that collect it are able to easily put together and understand quite a bit about you.
00;17;06;08 - 00;17;30;06
Alan Weil
That’s very clearly said and rather concerning to hear. So this is going to lead me in two directions as we come to the end of our conversation. The first is sort of as a consumer, which is, should I stop going to hospital websites and like think twice before I click on anything, particularly a hospital, that I have a relationship where I might have an appointment?
00;17;30;21 - 00;17;35;06
Alan Weil
Is that, you know, is that sort of self-protective behavior I should be adopting?
00;17;36;20 - 00;18;01;04
Dr. Matthew McCoy
So I like the way you've phrased that question because of course, as consumers and patients, these days we don't really have the option to stop going to hospital websites. You know, hospital websites are sometimes referred to as digital front doors to the health care system. If you want to find a specialist, if you want to make an appointment, if you want to look for clinical trials in your area, you know, your first stop is going to be a hospital website.
00;18;01;04 - 00;18;20;22
Dr. Matthew McCoy
And I don't think we can expect people to opt out of doing that because they're concerned about tracking. I think that's, you know, one of the things that makes this so pernicious is because people don't really have an opportunity to avoid it and still obtain the kind of health care they need. You know, that said, there are certain individually protective behaviors that people can take.
00;18;21;05 - 00;18;40;01
Dr. Matthew McCoy
They can install a tracking blocker into their web browser, a tool like Ghostery. And, you know, this is good. This certainly will cut down on a lot of the tracking that you're exposed to, but none of them are perfect. And the companies that do tracking are constantly thinking of ways to outsmart these systems. So I think it's a good idea.
00;18;40;01 - 00;18;58;10
Dr. Matthew McCoy
It doesn't solve the problem completely. But I think maybe the most important thing here is that I don't really believe that the onus should be placed on patients. You know, it shouldn't be the patient's job to make sure that when they go to a website, they're not being tracked. I think that's the job for hospital leaders and policymakers ultimately.
00;18;59;08 - 00;19;25;23
Alan Weil
Well, that's a great transition. Of course, we're a policy journal and you mentioned OCR weighing in. But I wonder, based on your work, whether there're other policies that you think should be in place or at least be considered to be put into place that take the onus off of the individual patient, which I agree it's a pretty heavy load to place on people to install, you know, tracker blockers.
00;19;25;28 - 00;19;27;01
Alan Weil
That seems a bit much.
00;19;27;11 - 00;19;51;19
Dr. Matthew McCoy
Yeah, that's right. So even before we get to the level of federal policy, state policy, I would say at a level of institutional policy, you know, hospitals that are learning about this phenomenon and, you know, I assume that maybe some of them didn't understand the scope of this problem before, you know, recent attention has been directed to it, I think, tomorrow or in the next week or certainly in the next month.
00;19;51;29 - 00;20;19;26
Dr. Matthew McCoy
You know, hospitals should make it a priority to audit their websites to understand what the presence of these trackers on their websites is, and then to take immediate steps to remove them from their websites. And if they feel that there are certain trackers that are just absolutely essential to their business model that they can't live without, at the very least, I think that needs to be clearly signaled to people who are using the website and, you know, patients need to be given a very clear and direct way to opt out of that kind of tracking.
00;20;21;09 - 00;20;50;12
Dr. Matthew McCoy
But with respect to federal policy, I mean, I think there has over the last couple of years been increased attention and energy towards this goal of passing comprehensive privacy legislation in the United States. I think, you know, stories like this, studies like this that we're doing really do show the age of HIPAA and show the fact that, you know, HIPAA was legislation passed to, among other things, protect people's health privacy.
00;20;50;18 - 00;21;16;09
Dr. Matthew McCoy
But it was passed at a very different time when the kinds of technologies that we've been talking about today didn't exist at the scale they do today. So, you know, in the last session of Congress, there was legislation called the American Data Protection and Privacy Act that would have really significantly taken steps to curb third party tracking. And I think ultimately we need legislation like that if we're really going to address this threat and protect patients.
00;21;16;09 - 00;21;38;22
Alan Weil
Well, Dr. McCoy, thank you for making such a complicated subject accessible to us and for raising the alarm before it's too late. It does sound to me like the technology is advancing very quickly and the risks are growing in a way that it's hard for us to fully be aware of as individual consumers. And so drawing more attention to this is critical.
00;21;38;22 - 00;22;02;06
Alan Weil
I also appreciate you putting some of the onus on hospital system leaders that we can have great public policy here, but we don't need to wait for that. There are just decisions that individual actors can make based on this information that would be protective of their patients and it seems reasonable to ask that they take those steps. So I'm very appreciative of your work in the area and the paper you published with us.
00;22;02;06 - 00;22;05;03
Alan Weil
Thanks for being my guest today on “A Health Podyssey”.
00;22;05;20 - 00;22;06;25
Dr. Matthew McCoy
Thanks again for having me on.