ECRI Position Statement: Third-Party Tracking on Healthcare Websites
Failing to protect patient data can damage trust, potentially creating a cycle of harm in which consumers become even more susceptible to medical misinformation and unproven treatments
PLYMOUTH MEETING, PA—ECRI, the nation’s largest independent patient safety organization, is deeply disturbed by reports that nearly 99%* of hospitals in the United States have third-party tracking on their websites that transfers sensitive health data to technology and social media companies, advertising firms, and data brokers.
“Besides the severe violation of privacy, ECRI is concerned this data will allow nefarious, bad actors to target vulnerable people living with severe health conditions with advertisements for non-evidence-based snake oil ‘treatments’ that cost money and do nothing—or worse, cause injury or death,” says Marcus Schabacker, MD, PhD, president and CEO of ECRI.
ECRI advises hospitals to stop this practice immediately by removing third-party tracking from their websites and, along with advertisers, to take responsibility or be held liable for any harm that can be traced back to a data-sharing arrangement. In partnership with their chief information security officers, hospitals should alert patients whose private health data was compromised and warn them about potential risks. “In cases where a clear violation has been committed, legal action may be warranted,” says Schabacker.
“This discovery underscores the need to update health technology and information regulations, including the Health Insurance Portability and Accountability Act (HIPAA), which do not address many questionable practices that have developed since their enactment,” says Schabacker.
*Friedman, A. et al. Widespread Third Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals. Health Affairs. 2023;Vol. 42, No. 4. https://www.healthaffairs.org/doi/10.1377/hlthaff.2022.01205
About ECRI
ECRI is an independent, nonprofit organization improving the safety, quality, and cost-effectiveness of care across all healthcare settings. With a focus on technology evaluation and safety, ECRI is respected and trusted by healthcare leaders and agencies worldwide. Over the past fifty-five years, ECRI has built its reputation on integrity and disciplined rigor, with an unwavering commitment to independence and strict conflict-of-interest rules.
ECRI is the only organization worldwide to conduct independent medical device evaluations, with labs located in North America and Asia Pacific. ECRI is designated an Evidence-based Practice Center by the U.S. Agency for Healthcare Research and Quality. ECRI and the Institute for Safe Medication Practices PSO is a federally certified Patient Safety Organization as designated by the U.S. Department of Health and Human Services. The Institute for Safe Medication Practices (ISMP) formally became an ECRI Affiliate in 2020. Visit www.ecri.org.
For more information, contact:
Laurie Menyo, Director of Strategic Communications
610.825.6000 ext. 5310
lmenyo@ecri.org