27 August 2024 | Analysis

Healthcare data: new threats, new risks, new challenges

Captives can help healthcare organisations mitigate the risk of patient data misuse, says Heather McClure (pictured) of Helio Risk.

Heather McClure, managing partner and general counsel at Helio Risk, was previously a chief risk officer of a major medical system for many years. She is now a captive manager and risk consultant for Helio Risk. McClure has been involved in researching and speaking on the topic of healthcare data privacy, specifically in the context of leveraging captive insurance to add capacity to the cyber market, address exclusions, and add protections for this emerging risk.

She explains to Captive International some of the main issues affecting this part of the captive insurance market.

What is the biggest emerging threat relating to data privacy in this space? 

Health systems pledge to protect the privacy of their patients, and I believe to a large extent they do that. However, they use sophisticated data tools to track and share personal information of visitors to their websites. A large study in 2023 found that 99 percent of US hospitals employed online data trackers that transmitted visitors’ information to a network of outside parties, including major technology companies, data brokers, and private equity firms.

The data captured included visits to pages on specific medical conditions. In 2024, despite warnings from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) which governs data privacy in the US, this activity is still happening and there seems to be confusion on what the risks are.


What are those risks?

Tracking technology can certainly be used for the good purpose of targeted education and marketing to potential patients, but its use could also be considered a violation of privacy. This places consumers at risk for data leaks regarding their searches, and healthcare systems at risk for federal and state violations of privacy laws. There is also the reputational risk associated with any breach that comes from third party tracking systems being used.

Healthcare organisations regulated under the Health Insurance Portability and Accountability Act (HIPAA) are allowed to use third party tracking tools, such as Google Analytics or Meta Pixel, to perform analysis on data key to operations. What they cannot do, however, is use these tools in a way that may expose patients’ protected health information to others, according to the bulletin from the OCR.

Healthcare organisations cannot allow a third party entity to access protected data for marketing purposes without HIPAA-compliant approval from the patient.

Have there been data compromises?

Yes, Facebook’s parent company Meta’s Pixel has been in the news. Multiple health systems use this tool, which leads to patient data being shared with multiple third party companies. One large system revealed that sensitive health data on three million patients may have been compromised and shared with vendors. The tech giant’s Pixel tool was found on the websites of about a third of the nation’s largest hospitals, according to an investigation.

How many systems are using the tracking codes?

An analysis in 2022 of the websites of the top 100 hospitals in the US revealed one-third of those hospitals used tracking technologies on their websites that transferred visitor data, including protected health information (PHI), to third parties.

Have there been lawsuits associated with this risk?

Yes. It’s unfortunate, but many lawsuits have been filed against hospitals over the use of these tools, some of which have resulted in large settlements. In January 2024 Novant publicly agreed to pay $6.6 million to settle a lawsuit filed by patients who had their PHI transferred to third parties due to the use of these tracking tools.

In October 2023 Advocate Aurora Health chose to settle its lawsuit for over $12 million. The Federal Trade Commission (FTC) is actively enforcing the FTC Act with respect to trackers, with BetterHelp paying $7.8 million to consumers as refunds for disclosing sensitive health data without consent. States have also taken action on trackers, with New York Presbyterian Hospital settling a Pixel-related HIPAA violation case with the New York Attorney General for $300,000.

What are the common trackers used?

The most common trackers used by healthcare organisations are currently Google (googletagmanager.com, doubleclick.net, google-analytics.com, google.com, googleapis.com, youtube.com); Meta (facebook.com, facebook.net); and Microsoft (linkedin.com).

What is the rule about consent?

There is still a wide variance between systems in obtaining consent from website visitors and/or patients to collect their data through tracking technologies such as pixels and cookies. According to OCR guidance, the use of a banner on a website about the use of tracking technologies does not constitute a valid HIPAA authorisation. However, these consent banners are still found on many websites today.

Is video data an issue?

In addition to compliance risks related to HIPAA, there is also a risk of Video Privacy Protection Act (VPPA) violations. In 2023, more than 80 lawsuits were filed alleging VPPA violations due to Meta Pixel being used to gather and disseminate video viewing data from websites without user consent, some of which have led to multi-million-dollar settlements.

Is there a segment of the industry that is most vulnerable?

Yes, I would say startups and telehealth are scrambling right now. In March 2023 US mental health startup Cerebral revealed it shared the private health information of more than three million users with Facebook, Google, TikTok and other ad giants via so-called tracking pixels. These near-invisible bits of code are typically embedded in web pages to share information about users’ activity, often for analytics.

Cerebral said these trackers had inadvertently collected sensitive user data since it began operating in October 2019.

In its disclosure to the US HHS, Cerebral said that following a review of its code, it determined that it had disclosed information including patients’ phone numbers, IP addresses, insurance information, mental health assessment responses and associated clinical data. This data lapse was the third-largest breach of health data in 2023, according to the HHS. There are said to be many others under investigation.

Direct-to-consumer telehealth firms collect patients’ answers to medical intake questions, and some allow patients to add a medication to their cart, which can then be transmitted to third-party trackers. In 2023 the FTC settled with digital healthcare platforms GoodRx and BetterHelp for allegedly sharing user health data with third parties.

How is the industry responding to the issue?

In July 2023, the OCR and the FTC wrote to almost 130 healthcare organisations warning them about the compliance risks of using tracking technologies, after these tools were discovered on their websites. The OCR states that HIPAA is extended even to visitors to the websites who are not yet patients.

In March 2024, the OCR updated its guidance, but the OCR’s view that a Business Associate Agreement is necessary for all vendors receiving information and authorisations are required from those whose information is shared has not changed. The OCR stated: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of HIPAA Rules.

“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorisations, would constitute impermissible disclosures.”

OCR went on to say “…impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI. Such disclosures can reveal extremely sensitive information…”

In early 2024, a group of hospital systems led by the American Health Association sued HHS and the OCR to block enforcement of a December 2022 Online Tracking Bulletin. They argued that the OCR’s interpretation of how HIPAA applied to covered entities and business associates’ use of tracking pixels on websites and mobile apps exceeded its authority.

Specifically, they argued that they inappropriately classified as individually identifiable health information certain data collected through online technology that connects an individual’s IP address with a visit to a publicly accessible web page that does not require or request login information for user authentication and that addresses specific health conditions or health providers (the proscribed combination).

In a highly anticipated June 20, 2024 decision, the Federal Court in Texas agreed with the hospital systems and granted the hospitals’ requests for declaratory judgment. In a 31-page order, the court determined HHS had failed to account for the fact that even if the intent of the web page visitor was related to obtaining information regarding their health, such intent was not disclosed to the covered entity through the visit or transmitted to business associates.

Ultimately the court vacated the HHS guidance from December 2022, but there are still many issues related to privacy that are not determined by this ruling, and states have their own privacy laws that need to be considered.

What are the solutions for the industry, and how can captives help?

Health systems should construct stronger oversight of the company’s tracking tools and manage which are allowed for operational purposes. They must determine which data belonging to visitors can be sent to third parties, and regularly audit the websites to ensure compliance.

A key dynamic in captives is making risk transparent and known to the top levels of an organisation. Captives encourage mitigation of risk because it is not ceded out to the commercial markets entirely. There is room for this emerging risk in the captives space just as there was for the first iterations of cyber 20 years ago.

How can captives support the industry with regard to this risk?

The risk has to be understood and then it has to be controlled. There have to be identifiable losses and prevention methods over time so the captive can price the risk accordingly. Captive structures are great for customisation, and meeting clients’ unique needs while keeping risk management at the forefront.

Including at least a piece of the risk financing on this issue will allow the issue to be in the forefront of an overall risk management plan for this topic. This is going to be important for this risk in the coming years, and we already see clients taking steps to make sure they are learning from those who were in the first wave of breaches and settlements.

Heather McClure is managing partner & general counsel at Helio Risk. She can be contacted at: hmcclure@heliorisk.com
