How secure is your online health data? The answer depends on which part of the internet you engage with. 

If you log directly onto your patient portal after a doctor’s visit, that information is clearly covered by HIPAA, the Health Insurance Portability and Accountability Act,  which has strict protections about releasing data.  

“But once you’re outside the health care system and protection of HIPAA, there are really no safeguards for your information,” explained LDI Senior Fellow David Grande, Director of Policy at LDI and an Associate Professor of Medicine at the Perelman School of Medicine. 

Browsing the web and using apps can reveal a great deal about your health. Internet searches may suggest you’re likely to have HIV or be pregnant, and your online behavior can turn into fodder for targeted advertisements related to your medical conditions. 

Health-related websites are just as likely as other kinds to track your patterns. Of the 3,747 nonfederal acute care hospitals in the U.S., 98.6% had third-party tracking on their sites, with Alphabet (parent company of Google) by far the most common recipient, according to a Health Affairs study by LDI Senior Fellows Ari Friedman, Matthew McCoy and others. 

Even more surprising, 99.1% of abortion clinic web pages allow such disclosures, according to a JAMA Internal Medicine article by Friedman, McCoy, and coauthors. 

Consumers have few options for protecting their online health information. In the past few years, some states and the federal government have stepped up their oversight of online privacy. But much more can—and should—be done, LDI experts say.

Third-party tracking means that code or a script has been inserted into a website so that it can capture data such as what pages you look at, how long you look at them, and what links you click on. It then transfers that information to another entity.

According to research that Grande and colleagues published a few years ago, most Americans understand and accept that Amazon tracks their shopping data and uses it to advertise more products to them. “But most people don’t realize that the information from Amazon is being aggregated with data from your search habits on Google, your browsing experiences on news websites, and your posts on Facebook, and all of that is being repurposed for commercial marketing reasons,” he said.

These unseen technologies exist in the background of almost every website you visit, and are collecting a vast amount of information about your online life. “A huge number of companies have created profiles based on the kinds of sites you visit, possibly combined with publicly-available data sources, like your address, where you work, and your purchase histories,” said McCoy, an Assistant Professor of Medical Ethics and Policy at Perelman.

Advertisers receive tracking results, and may target elderly people who might be prone to falling for health and other scams, noted Friedman, an assistant professor of Emergency Medicine at Perelman. Data brokers are companies that sell your profiles to financial institutions, employers, and others. 

A data broker named Near Intelligence used mobile phone location data to track women’s visits to Planned Parenthood clinics in 48 states, then sold the information to a group that targeted anti-abortion ads to the women for almost three years, according to allegations by U.S. Sen. Ron Wyden (D-OR). 

Why are medical-care websites using tracking technology? Convenience. “It’s very hard to avoid tracking because it’s baked into the fabric of Web 2.0 at this point,” Friedman said. “When you build a website, the easiest way to do that is to grab off-the-shelf modules that Google provides and to plug those into your site. Since most of those come with tracking, it’s difficult to build a website without it. For instance, if a web administrator wants to show videos and installs YouTube, which is owned by Google, that data will flow to Google.” 

Because the tracking ecosystem is so opaque, it’s hard to pinpoint if a particular set of data caused a specific unwelcome outcome. Did a woman lose out on a job because an employer had information that suggested she’s trying to become pregnant? Was a man denied a mortgage because it looked online as if he has HIV? 

The theoretical possibilities are immense, though one particularly dangerous situation stands out. 

“In states where abortion is criminalized, law enforcement agencies could use individuals’ digital footprints, including smartphone app data and internet search histories, to identify and prosecute women suspected of having abortions,” said Friedman. He suggested that a woman seeking an abortion should use a library computer to avoid creating a digital trail on her own IP address.

Besides the concrete harms that exposure of health data could cause, LDI experts point to, in Friedman’s words, “just a loss of dignity that happens when you don’t have control over whom you share your health conditions with.” 

This is what some people refer to as the “icky factor,” according to Grande. “There’s just some information that people have a right to keep private, and that is being seriously breached by the world of digital tracking,” he added.

Cookies are text files that remember data such as your username and password or what’s in your shopping cart. Such information can go out to advertisers and data brokers. Many websites now offer you the option to decline cookies. 

This consent addition is partly due to sites complying with requirements set out in the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). 

But the effect of these notices is marginal, according to McCoy. “Sure, you can disable a few more cookies than you would have without the advent of these kinds of messages, but how many notices do you encounter during a half-hour browsing session—20 or something? I think most people just get consent-notice fatigue and they start hitting ‘ok,’” he added. 

There are other ways to delete cookies and minimize tracking, such as installing a cookie block extension on your browser or using a search engine like DuckDuckGo. But these efforts can interfere with the smooth functioning of a site. “For example, if you decide you want to remain logged out of your map software, then you have to plug in addresses every time you go there, and the technology becomes clunky to use,” Grande said. “It is hard to function and fully participate in our modern economy if you truly don’t want to be tracked.”  

Moreover, experts question why the onus for privacy protection should land on individuals. “Web browsers and web pages should operate with those protections baked in,” said Sara Geoghegan, Counsel to the Electronic Privacy Information Center (EPIC), a nonprofit that advocates for stronger privacy regulations. 

Two different federal agencies regulate online health privacy. The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) oversees HIPAA. At the same time, the Federal Trade Commission (FTC) has the authority to protect personal health data, especially under its mandate to regulate unfair and deceptive trade practices. In recent years, both agencies have become more aggressive about privacy protections.   

In December 2022, the OCR issued a ruling that HIPAA is relevant to parts of health care websites that are not necessarily connected to direct patient care. “This guidance says that if a hospital website has tracking, particularly tracking on patient-facing disease-specific pages, that constitutes a HIPAA violation,” Friedman said. “HIPAA rules would potentially apply to a vast number of third-party data transfers which is a big change in the landscape.” 

The American Hospital Association has sued HHS over the new rule, and it is not clear if any hospitals have changed their practices. But even without a push from the OCR, hospitals are obligated to conduct audits of third-party tracking on their sites and to keep data transfers to the absolute minimum, argue Friedman and others. 
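A first pass at the kind of audit described above, as an added example that is not from the article or the studies it cites: it lists the third-party hosts that a page's static HTML tells the browser to contact. The page URL, hostnames and markup are constructed sample values, and `third_party_requests` is a hypothetical helper.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser send a request on page load.
FETCHING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src", "link": "href"}

# Constructed sample: a condition-specific page with an analytics script,
# a 1x1 tracking pixel and an embedded video player (all hosts are made up).
SAMPLE_URL = "https://www.hospital.example/conditions/hiv"
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://www.hospital.example/conditions/hiv">
<link rel="stylesheet" href="/static/site.css">
<script src="https://analytics.tracker.example/collect.js"></script>
</head><body>
<img src="/static/logo.png">
<img src="https://pixel.adnetwork.example/p.gif?page=hiv" width="1" height="1">
<iframe src="//video.embed.example/player/abc"></iframe>
</body></html>"""

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched by the browser
        value = a.get(FETCHING_ATTRS.get(tag, ""))
        if value:
            self.resources.append((tag, urljoin(self.page_url, value)))

def third_party_requests(page_url, html, first_party_suffixes):
    """Map each third-party host to the tags that load a resource from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        host = (urlsplit(url).hostname or "").lower()  # data: URLs have no host
        own = any(host == s or host.endswith("." + s) for s in first_party_suffixes)
        if host and not own:
            found.setdefault(host, []).append(tag)
    return found

if __name__ == "__main__":
    for host, tags in sorted(third_party_requests(SAMPLE_URL, SAMPLE_HTML, ["hospital.example"]).items()):
        print(host, tags)
```

Static HTML is only a starting point: scripts can load further trackers at runtime, so a full audit also has to record the requests a real browser makes.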

The FTC has also gone on the offensive. Last year, for the first time, the FTC mounted a privacy enforcement action under its Health Breach Notification Rule. The discount drug provider GoodRx Holdings, Inc. agreed to pay a $1.5 million fine for its unauthorized disclosure of consumers’ personal health information to Facebook, Google, and other companies. “Also, the FTC has taken enforcement action against two large data controllers, X-Mode and InMarket Media, for selling sensitive location data, and fined the British software company Avast Limited for transmitting browsing data,” said EPIC’s Geoghegan.

The recently announced American Privacy Rights Act (APRA) would increase the FTC’s enforcement capabilities. The bill, cosponsored by U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA), creates a comprehensive framework that would require most large firms to tell consumers what data they collect, let them correct and delete data, and provide ways for anyone to opt out of targeted ads.

“It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent,” said Chair Rodgers in a release.

The bill would also supersede the patchwork of at least 15 state laws that now exist. Many of these laws lack teeth, according to EPIC. The California Consumer Privacy Act, however, is considered the toughest in the nation. In 2022, opposition by the California congressional delegation—including then-Speaker of the House Nancy Pelosi’s refusal to bring the American Data Privacy and Protection Act to the floor—killed that federal bill.

The latest proposal provides many more exceptions to overriding state laws, though its fate is uncertain in a Congressional session known for its lack of productivity. And notably the bill hasn’t been formally introduced. The co-sponsors are currently sharing a “discussion draft,” in search of a bipartisan consensus.   


Nancy Stedman

