New York AG Fines Hospital $300,000 over Online Tracking Tool Disclosures
- January 12, 2024
New York Presbyterian Hospital (NYP) will pay $300,000 to resolve allegations it violated the Health Insurance Portability and Accountability Act (HIPAA) by embedding online tracking tools on its website that improperly shared users’ personal information with third-party technology vendors for marketing purposes, New York Attorney General Letitia James announced December 27.
Under its agreement with the state, NYP, which operates ten hospitals across New York City, also must ensure any protected health information held by third parties is deleted, maintain enhanced privacy safeguards and controls, and notify and train employees on those policies.
The investigation followed a 2022 bulletin issued by the Department of Health and Human Services Office for Civil Rights (OCR) that warned health care providers they may be violating HIPAA if they share protected health information with online tracking technology vendors like Google Analytics or Meta Pixel.
James said a state investigation found that, between June 2016 and June 2022, NYP’s website collected and shared user information, including IP addresses, URLs of webpages viewed, and other unique identifiers, with third-party tech companies when visitors searched for doctors or booked appointments.
According to the state, NYP did not have business associate agreements with these vendors and lacked policies for vetting third-party tracking tools prior to deployment. NYP disabled the tracking tools on its website in June 2022. In March 2023, NYP filed a data breach report affecting 54,000 people.
NYP neither admitted nor denied the state’s findings, according to the agreement.
Hospitals have commonly deployed online tracking technologies to monitor how users interact with their websites or mobile applications. But since the OCR bulletin, the practice has come under increased scrutiny and triggered a slew of patient lawsuits alleging the unlawful disclosure of sensitive health and personal information without consent to third parties.
At the same time, several hospital groups, including the American Hospital Association, have filed a lawsuit alleging OCR exceeded its statutory authority in issuing the bulletin.