HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

The hidden risks of third-party data sharing on healthcare websites

Written by Tshedimoso Makhene | Oct 12, 2024 2:38:28 AM

The healthcare industry is increasingly leveraging digital tools to improve patient access, offer services like appointment scheduling, and even provide information via chatbots. However, as healthcare providers adopt these tools, they may unknowingly expose themselves to significant legal and regulatory risks through third-party data sharing on unauthenticated websites.

Potential issues

Many healthcare websites use third-party tools to track user activity to improve website performance, analytics, and targeted advertising. While this seems harmless, on public and unauthenticated sites (where users are not logged in), there’s more at stake. According to Iliana Peters, an attorney at Polsinelli and former acting deputy director for the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, this practice can lead to legal liabilities.

"Healthcare entities still face a significant burden," says Peters. "They [don’t] realize the scope of data that is collected by these third-party entities."

See also: HIPAA Compliant Email: The Definitive Guide

Class action lawsuits and regulatory scrutiny

The most immediate risk for healthcare providers is the growing wave of class-action litigation. Peters reports that attorneys target healthcare websites, using publicly available cookie trackers to detect potential violations. "We are seeing hundreds of thousands of lawsuits associated with these activities," she says.

Plaintiff attorneys scour healthcare sites, analyzing privacy policies and terms of use to see if they meet legal requirements. If not, they send demand letters that often request significant payouts. "It’s really the Wild West right now," Peters adds, describing how attorneys are taking advantage of the gray areas in current regulations.

In addition to lawsuits, the Office for Civil Rights (OCR) has opened more than 100 cases related to these activities under HIPAA. States and even the Federal Trade Commission (FTC) have also launched lawsuits, adding further layers of legal complexity.

Why it matters

For healthcare organizations, this situation is both costly and confusing. On one hand, providers are committed to improving patient care and access through digital tools. On the other hand, the use of third-party tracking technologies puts them at risk of violating privacy regulations, which could lead to substantial financial penalties or damage their reputation.

Lessons learned

The rise of digital tools in healthcare has brought convenience alongside risks. Providers can learn key lessons from the recent scrutiny over third-party data sharing on unauthenticated websites:

  • Understand data collection scope: Providers often underestimate the sensitive data collected by third-party tools. Regular audits are essential to ensure compliance and protect patient information.
  • Ensure transparency and consent: Many healthcare websites lack clear disclosure about third-party tracking. Providers should update privacy policies and obtain proper consent to avoid lawsuits.
  • Stay informed on regulations: The legal rules around third-party data use are constantly changing, with new federal and state laws being introduced. Therefore, healthcare providers must stay informed about these updates to ensure they are protecting patient privacy.
  • Prepare for litigation risks: Class action lawsuits are increasing, with plaintiff attorneys targeting healthcare websites for privacy violations. Providers should regularly review their data practices to mitigate risks.
  • Adopt a risk-averse approach: Healthcare organizations must be cautious, ensuring third-party vendors comply with privacy laws and signing business associate agreements when needed.

What can providers do?

The legal landscape remains uncertain, but healthcare providers can take steps to mitigate risks:

  • Conduct thorough audits of third-party tools on their websites.
  • Understand what data is being collected and shared by these tools.
  • Implement clear and transparent privacy policies.
  • Inform patients about how their data is being used.
  • Obtain explicit consent from patients when necessary.
  • Regularly review legal agreements with third-party vendors, especially regarding data sharing.
  • Ensure compliance with both federal and state privacy regulations.
  • Be aware that even seemingly harmless data collected by third-party tools may still be subject to regulation.
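One way to start the audit the list above calls for, as an added example that is not from the article or from any vendor: inventory every third-party host that an unauthenticated page loads resources from or submits forms to, so the scope of outbound data flows is visible before any legal review. The sample page and all host names below are constructed placeholders; only the Python standard library is used.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an unauthenticated clinic home page; every host is a placeholder.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="https://analytics.example-vendor.net/tag.js"></script>
</head><body>
<img src="/logo.png" alt="Clinic logo">
<img src="//pixel.ads-example.com/track?page=oncology" width="1" height="1">
<iframe src="https://chat.widget-example.io/embed?site=clinic"></iframe>
<form action="https://forms.scheduler-example.net/submit" method="post">
  <input name="symptoms"><input name="phone"></form>
</body></html>"""

# The attribute on each tag that loads from, or submits to, a remote host.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "link": "href", "form": "action"}

class ResourceCollector(HTMLParser):
    """Records (tag, url) for every element that references a remote resource."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))

def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    return urlparse(url).netloc.rsplit("@", 1)[-1].split(":")[0].lower()

def third_party_origins(html, first_party):
    """Map each third-party host to the sorted tag types that reach it.
    A 'form' entry means visitor-typed data is posted straight to that host."""
    collector = ResourceCollector()
    collector.feed(html)
    found = defaultdict(set)
    for tag, url in collector.refs:
        host = host_of(url)
        if host and host not in first_party:
            found[host].add(tag)
    return {host: sorted(tags) for host, tags in sorted(found.items())}
```

Run the same inventory over each public page (and again after every site change); hosts that receive form submissions or appear on pages whose URLs reveal a condition or service line are the ones to review first against the privacy policy and vendor agreements.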

See also: What is the key to HIPAA compliance?

FAQs

What is third-party data sharing in healthcare?

Third-party data sharing refers to the practice of healthcare websites using tools or services from external companies that collect and share data, often for purposes like analytics or marketing.

Why is third-party data sharing risky for healthcare providers?

Third-party tools can collect sensitive patient information without the provider’s full awareness, leading to potential violations of privacy laws like HIPAA and state regulations, exposing providers to lawsuits or penalties.

How can patients protect their data on healthcare websites?

Patients can protect their data by reading the privacy policies of healthcare websites, limiting the sharing of personal information, and using privacy settings to block third-party trackers where possible.