New York Presbyterian Hospital has decided to resolve alleged Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule violations by paying the New York Attorney General a $300,000 financial penalty.
NYP operates 10 hospitals in the New York City area and treats roughly 2 million patients annually. In June 2016, NYP placed tracking pixels and tags on its nyp.org website to monitor site visitors for advertising purposes. At the beginning of June 2022, a journalist from The Markup contacted NYP to say that these tools can transmit sensitive data to the third-party vendors that supply them, including data that qualifies as protected health information (PHI).
On June 16, 2022, The Markup published an article on the use of these tracking codes by NYP and other U.S. hospitals. By that time, NYP had already removed the codes from its website and had begun a forensic investigation to determine the scope of the privacy breach. NYP concluded that PHI had likely been impermissibly disclosed and submitted a breach report to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, stating that the PHI of 54,396 individuals had been affected.
NY Attorney General Launches HIPAA Inquiry
New York Attorney General Letitia James opened an investigation of NYP after the breach report to determine whether NYP had violated HIPAA and New York law. The investigation confirmed that NYP had embedded tracking codes from third parties including Google, Bing, Meta/Facebook, TikTok, iHeartMedia, Twitter, and The Trade Desk on its website. These tools were configured to fire on selected user events. Most were set to send data when a page loaded, and some sent data when a user clicked specific links, submitted forms, or ran searches on the site. The data sent to the third parties described the user’s interactions with the site, including the user’s IP address, search terms, and the URLs visited. The tools supplied by Meta, Google, and The Trade Desk also received unique identifiers stored in cookies on users’ devices.
Meta/Facebook also received data such as first and last name, gender, email address, and mailing address when that information was entered on a page carrying the Meta pixel. In some cases the data sent to third parties included medical information, for example when a user viewed information about a medical condition, searched for a specialist physician, or booked an appointment. Some URLs by themselves revealed information about a specific health condition.
The tracking tools from Google, Meta, and The Trade Desk were used to retarget earlier site visitors with particular ads based on their prior activity on the site. NYP and its digital marketing vendor also used Meta pixel data to segment website visitors according to the pages they visited, and used the Meta pixel to serve ads to other people with similar characteristics, known as “lookalike audiences.” For example, NYP identified people who had visited pages related to prostate cancer, and those people were then served targeted prostate-cancer-related ads on third-party sites.
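The findings above describe the mechanism: a pixel fires on page load (or on a click, form submission or search) and transmits the full page URL, so a URL such as a prostate-cancer condition page or a physician search reveals a condition by itself. The Python script below is an added example, not code from NYP, the Attorney General, or any vendor. It performs the kind of pre-deployment check a hospital can run on its own pages: it scans a page's HTML for the loader scripts of the vendors named in the investigation and shows what a page-load event would expose for a given URL. The vendor loader hostnames are the vendors' public loader hosts; the inline call names, the sensitive-term list, the sample HTML, and the sample URLs are assumptions constructed for this example.

```python
"""Audit a web page for third-party tracking loaders and show what a page-load
pixel fire exposes. Added example; not NYP's, the Attorney General's, or any
vendor's code. The sample HTML and URLs below are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Public loader hostnames of the vendors named in the investigation -> vendor label.
# Matching is on the hostname of a <script src=...>, so a renamed file still matches.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta/Facebook pixel",
    "www.googletagmanager.com": "Google tag",
    "bat.bing.com": "Microsoft/Bing UET tag",
    "analytics.tiktok.com": "TikTok pixel",
    "static.ads-twitter.com": "Twitter/X website tag",
    "js.adsrvr.org": "The Trade Desk universal pixel",
}

# Call names used by the vendors' inline bootstrap snippets (assumed markers). Catches
# the common case where the loader URL appears only inside an inline snippet.
INLINE_MARKERS = {
    "fbq(": "Meta/Facebook pixel",
    "gtag(": "Google tag",
    "ttq.": "TikTok pixel",
    "uetq": "Microsoft/Bing UET tag",
    "twq(": "Twitter/X website tag",
}

# Illustrative (assumed) path terms and query keys whose presence in a URL sent to a
# tracker reveals a condition or a care-seeking action; a real audit would tune these.
SENSITIVE_PATH_TERMS = ("cancer", "hiv", "pregnan", "psychiatr", "addiction",
                        "find-a-doctor", "appointment")
SENSITIVE_QUERY_KEYS = ("q", "search", "specialty", "condition")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_trackers(html):
    """Return {vendor: set(evidence)} for every tracking loader present in the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    found = {}
    for src in parser.srcs:
        vendor = TRACKER_HOSTS.get(urlsplit(src).netloc.lower())
        if vendor:
            found.setdefault(vendor, set()).add(src)
    for code in parser.inline:
        for marker, vendor in INLINE_MARKERS.items():
            if marker in code:
                found.setdefault(vendor, set()).add("inline:" + marker)
    return found


def page_load_event(page_url):
    """Model a page-load fire: pixels send the full document URL (path and query),
    so the URL alone can disclose what the visitor was looking at."""
    parts = urlsplit(page_url)
    path = parts.path.lower()
    reasons = [term for term in SENSITIVE_PATH_TERMS if term in path]
    for key, values in parse_qs(parts.query).items():
        if key in SENSITIVE_QUERY_KEYS:
            reasons.append(f"query:{key}={values[0]}")
    return {"url_sent": page_url, "sensitive": bool(reasons), "reasons": reasons}


# Constructed sample page: Google tag loader, Meta pixel bootstrap, Bing UET loader.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());</script>
<script>!function(f,b,e,v){/* Meta pixel bootstrap, abbreviated */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');</script>
<script src="//bat.bing.com/bat.js" async></script>
</head><body><h1>Find a doctor</h1></body></html>"""

# Constructed URLs: one condition page with a search query, one neutral page.
SAMPLE_URLS = [
    "https://www.example-hospital.org/conditions/prostate-cancer?q=prostate+cancer",
    "https://www.example-hospital.org/about/careers",
]

if __name__ == "__main__":
    for vendor, evidence in sorted(find_trackers(SAMPLE_HTML).items()):
        print(f"{vendor}: {sorted(evidence)}")
    for url in SAMPLE_URLS:
        print(page_load_event(url))
```

Running the script against the constructed page reports the Google, Meta, and Bing loaders, and flags the prostate-cancer URL as sensitive because both the path and the search query parameter would be transmitted on page load. A static scan like this only sees what is in the delivered HTML; tags injected later by a tag manager need a runtime check (for example, recording outbound requests in a browser) to be caught.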
HIPAA Violations With the Use of Website Tracking Applications
Tracking tools like these are popular with businesses for advertising, marketing, and data collection. Hospitals, however, are HIPAA-covered entities and must comply with federal law protecting the privacy of personal data and PHI. As OCR stated in its December 2022 guidance, third-party tools that may collect and transmit PHI can be used only when a business associate agreement (BAA) is in place and the disclosure of PHI is permitted by HIPAA, or when HIPAA-compliant authorizations have been obtained from patients. NYP, like many HIPAA-covered entities that used these tools, had not entered into BAAs with the tracking vendors and had not obtained patient authorization to share PHI with them.
The New York Attorney General found that although NYP had policies and procedures for HIPAA compliance and patient privacy, it lacked adequate policies and procedures governing the use of third-party tracking tools. The Attorney General concluded that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits uses and disclosures of PHI except as the Rule permits or requires, and § 164.530(c) and (i), which require administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures designed to comply with those requirements. NYP also violated New York Executive Law § 63(12) by misrepresenting the manner and extent to which it protects the privacy, confidentiality, and security of PHI.
Settlement Reached to Resolve HIPAA and State Laws Violations
NYP cooperated with the investigation and agreed to settle the alleged violations without admitting or denying the investigation’s findings. In addition to the financial penalty, NYP has agreed to:
comply with General Business Law § 899-aa, Executive Law § 63(12), the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D), and the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) in its collection, use, and storage of PHI
contact all third parties that received PHI and request deletion of that data
conduct regular audits, assessments, and tests of third-party tools before deploying them on any NYP website or application
NYP is also required to disclose, on all websites, mobile apps, and other online services it owns or controls, every third party that receives PHI through a pixel, tag, or other web tool, along with a clear description of the PHI collected. The notice must appear on all unauthenticated web pages that let users find physicians or book appointments, and on any web page that addresses particular symptoms or medical conditions.
OCR’s guidance on tracking technologies is being challenged in court over its treatment of the data collected by tracking tools. The settlement’s requirements and restrictions on the use of tracking technologies will remain in effect until the relevant portions of OCR’s guidance are modified, updated, withdrawn, suspended, superseded by later guidance, or temporarily or permanently enjoined or vacated by a court ruling that applies to HIPAA-covered entities in New York.
New Yorkers looking for a physician or medical care can do so without compromising their private data, according to Attorney General James. Hospitals and health facilities must maintain a high standard for safeguarding their patients’ personal data and medical information. New York-Presbyterian did not take care of its patients’ health data, so tech firms got access to people’s information. Today’s settlement will ensure that New York-Presbyterian does not disregard securing its patients’ data.