Telehealth Websites are Disclosing Sensitive Health Data to Big Tech Companies

The private data of people visiting telehealth websites is being disclosed to big tech firms without the consent of the user because of the tracking code snippets added to websites, based on a recent review by The Markup.

There were 50 websites owned by direct-to-consumer telehealth firms that were checked for third-party tracking codes. Of the 50, 49 were identified using the tracking code and transmitting the data of visitors to third parties, such as Google and Meta/Facebook.

The research study is a follow-up on the study of the web pages of the top 100 U.S. hospitals last summer. It was found that one-third of the websites had the tracking code on their websites and sent information to third parties without user permission, business associate agreements, or valid HIPAA authorizations. In a few instances, the tracking code was put in password-protected patient websites.

The most recent study of telehealth websites were websites that gather highly sensitive data from visitors, for example, the personal and health data of individuals who have Substance Abuse Disorder (SAD) and are getting treatment. In a lot of instances, the responses to health questionnaires were likewise provided to big tech companies, particularly questions concerning medical conditions, medical backgrounds, and drug use.

The Markup and STAT published a report, which revealed the following:

  • 49 of the 50 websites studied sent the URLs visited by an individual
  • 35 websites transferred personal data including email addresses, telephone numbers, and complete names
  • 19 websites recorded and sent information of users that initiated checkout
  • 13 websites shared with third parties the responses to questionnaires
  • 11 websites sent information of users that added a product to their cart (for example a treatment plan)
  • 9 websites shared the date when the account was created by the user

The 13 websites that transmitted questionnaire information were particularly a concern because the responses were related to health issues. That data was disclosed to different organizations, such as Meta, TikTok, Google, Bing, Snap, LinkedIn, Pinterest, and Twitter. 25 sites informed big tech companies when a user had put in a product like a prescription medicine to their cart or purchased a treatment plan.

All except one of the 50 sites transmitted the URLs visited by a user on the website. The websites give health and treatment data, therefore the information specified on selected pages might be for a particular health issue. That data is then linked with a person or a family through an IP address. The only website that didn’t share information with third parties was Amazon Clinic.

Likely HIPAA Violations

Healthcare companies are HIPAA-regulated entities and sharing of protected health information (PHI) is limited by the HIPAA Privacy Regulation. SUD data is likewise governed by the 45 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records rules. Lately, the HHS’ Office for Civil Rights shared guidance for HIPAA-covered entities that affirmed that using third-party tracking code on web pages violates HIPAA when that tracking code gathers and transmits PHI to third parties except if the third party is a business associate covered by HIPAA. In these instances, a HIPAA-compliant business associate agreement is needed prior to using the code. When a third party isn’t a business associate, it is necessary to get HIPAA-compliant patient authorizations prior to using the code.

HIPAA is applicable to healthcare providers, healthcare clearinghouses, health plans, and business associates of covered entities. However, a lot of the telehealth websites analyzed function in a gray spot, because the web pages aren’t operated by HIPAA-covered entities or SUD treatment companies, consequently, the HIPAA and Part2 rules are not applicable, although the information gathered is the same information that would be categorized as PHI or SUD records when gathered by a regulated entity.

The data gathered by means of these websites is transferred to HIPAA-regulated entities and entities under Part 2, however, the websites are intermediaries and aren’t governed by HIPAA or the Part 2 rules. For instance, one site operated by Cerebral Inc. gathered HIPAA-covered information although it is not a HIPAA-regulated entity. The site sends the data to Cerebral Medical Group, P.A., a HIPAA-regulated entity. The transmission of information to the big tech companies happened prior to the move to the Cerebral Medical Group, P.A.

WorkIt Health offers medical care services such as SUD treatment. The Notice of Privacy Practices (NPP) on its website states the following:

“You are receiving this NPP because you are or intend to receive health care services from a Workit Health Clinic… Each Workit Health Clinic together designates themselves as a single Affiliated Covered Entity (“ACE”) for purposes of compliance with HIPAA.”

Nevertheless, the WorkIt webpage got trackers from Google, Bing, Facebook, and Twitter, and transmitted URLs, personal data, and responses to questionnaires. The Markup called WorkIt Health concerning the results of the study and WorkIt Health took away the tracking technology from its URL and started an investigation into the breach of privacy.

Website Visitors Want Privacy

Numerous healthcare companies add these tracking codes to their web pages with good purposes since the technology gives information that could help to enhance the user experience on web pages and determine the efficiency of marketing promotions, however, the degree to which patient data is being disclosed is not completely known.

People who go to these web pages are not likely to know that any data they offer directly by means of responses on web forms and health questionnaires, and indirectly through the websites they go to, is not private and secure, and that’s a major issue. The NPPs on a number of these websites talk about HIPAA and Part 2, however, the degree to which those rules apply is uncertain. The Markup remarks that a minimum of 12 of the studied organizations say that they’re HIPAA compliant, nevertheless that doesn’t indicate that the data offered on the website is kept confidential or is really protected by HIPAA when it is gathered.

The study indicates that there’s a trade-off whenever utilizing these sites. Patients feel comfortable, however, their privacy may be affected. There’s a large gap in HIPAA, because it is not updated to meet the adjustments in how medical care is being given, and there is additional advice about misleading privacy procedures, although in several instances unintentionally tricking visitors concerning privacy.

Sensitive health data is being disclosed, inadvertently, on the internet daily. Hospital sites, web pharmacies, and health data websites utilize various apps (website analytics, hyperlinks to social media, promotion) that gather and share website visitors’ information, such as the medical care terms and health conditions that the end user is looking for. For instance, in LOKKER’s latest research involving more than 170,000 sites, the Meta Pixel (Facebook) code is added to about 40% of healthcare websites. The same information was discovered regarding information being distributed to TikTok, Pinterest, Snapchat, Microsoft, and Google, as well. Customers’ and patients’ data is being gathered and distributed, and the website clients don’t know that their information is being distributed to social sites.

The Markup revealed that its analysts didn’t test all pages on the sites of the telehealth companies, therefore the full scope to which tracking code was used is unknown. Tracking code could also be set up in different ways on various web pages.

It is additionally not clear what the big tech companies do with the transmitted information. A number of big tech companies claim that they don’t permit targeted marketing associated with health issues, even though it’s possible to go around that using closely associated words. Meta, for example, claims to remove any information it should never have gotten and doesn’t give that info to third-party marketers. The degree to which that happens is also uncertain. Meta is the topic of a number of lawsuits concerning this very issue, a number of which claim health info was employed to give targeted advertisements to patients whose data was gathered via the Meta Pixel code snippet.

Operators of Medical Websites Must Take These Steps

The HHS’ Office for Civil Rights has plainly mentioned in its most recent guidance that using tracking technology on websites is a HIPAA violation and that this matter must be resolved promptly. HIPAA-covered entities must report any HIPAA violations associated with using third-party tracking technologies. To date, just a few HIPAA-covered entities have done so, in spite of big numbers having put in tracking code to their web pages. Even though the websites aren’t managed by HIPAA-covered entities, the website operators are responsible to secure the privacy of their website visitors, particularly their sensitive health data. Ian Cohen advises all healthcare companies to take these actions:

  • Know what information your websites and applications are gathering and in case you’re breaking your own privacy policy, other privacy regulations, or the trust of your customers
  • Get to know your partners and be sure they are not taking advantage of your customers’ data
  • Form teams that consist of Marketing, Legal, and IT and set up programs for better data protection
  • Don’t only ask for customer permission for bad practices, re-assess how you can better work with your customers and develop trust with all interactions through clear communication
About Christine Garcia 1309 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at