IN THE PUBLIC EYE

Healthcare and the Great Pixel Dilemma

Author: Rick Pray, Alliant 

 

The healthcare industry, along with some of the largest retail companies in the U.S., has come under heavy scrutiny over the last 12 months for the use of pixel technology or pixel-tracking tools. Pixel-tracking relies on a small piece of JavaScript code that enables tracking of visitor activity on a website. It is commonly used by hospitals and health systems, including inside password-protected patient portals.

 

Pixel-tracking is not new, but because of improvements in technology, ease of access, and the speed and accuracy with which information is gathered, it is heavily relied on by companies to enhance their online presence. Although companies love the technology for these reasons, use of pixel-tracking has raised serious ethical and legal concerns in the healthcare industry.

 

What are pixels and how do they work?

Every person with access to the internet has been impacted by pixels, whether they realize it or not. One moment a person is shopping their favorite online retailer for a new set of golf clubs or the perfect summer dress, and the next moment that person’s social media feed or browser homepage is full of golf club and dress ads. This instantaneous ad targeting (or “re-targeting”) is possible in large part because of pixel-tracking. A pixel is a small piece of JavaScript code that allows advertisers and marketing companies to gather consumer browsing information. This information can include name, location, IP address and behavior while on a page or website.

 

This information serves two purposes: in-house data collection and analytics, and information sharing with third parties for advertising purposes. As an in-house analytics tool, pixel-tracking provides easy access to data that can be easily manipulated, painting a refined picture of an audience or client base, thus allowing better targeting of products and services. On the other hand, pixel-tracking tools also gather information which is in turn sent or sold to third-party companies. These third parties then have the information necessary to run their own targeted advertising campaigns based on an individual’s browsing behaviors. Pixel-tracking tools are favored by marketing companies for two main reasons: they are efficient at data gathering and they are simple and inexpensive to use.

 

Healthcare providers use pixel-tracking on their websites and patient portals to gather patient data such as general patient information, medical history, prescription usage, current ailments and illnesses, and appointment information. Used appropriately, pixel-tracking serves to drive analytic insights and decision making. Unfortunately, for some providers and patients, this is not always the case. Claims for data breaches, where personal information has been exposed, have increased dramatically over the last year. 

 

The use of pixel-tracking has raised major concerns regarding consumer privacy and information sharing across all industries. Despite reassurance from tech companies, there is growing public dissension regarding the use of such technology. In general, three major factors contribute to these fears: the unavoidable nature of these invisible pixels, lack of clarity surrounding what data is being collected and how it’s used, and the lack of ability to protect personal information.

 

Healthcare and the pixel problem

As knowledge of pixel-tracking and information sharing builds in consumer bases, the healthcare industry, like the retail industry, has seen major pushback from consumers amidst claims of privacy and consumer protection violations. Over the last twelve months, several of the largest U.S. healthcare systems have been named in class action lawsuits related to state and federal violations of privacy protection and the use of pixel-tracking tools.

 

The healthcare industry, more than any other industry, has faced the greatest backlash against the use of tracking tools because it is held to the highest standards of consumer privacy by the federal Health Insurance Portability and Accountability Act (HIPAA). A recent study by The Markup indicated at least 33% of the largest U.S. healthcare providers have been the victim of data breaches related to the use of pixel-tracking. Through these breaches, protected health information (PHI) along with personally identifiable information (PII) was shared directly with third-party entities. Also, PHI data, which should only be available to the first-party user, was intercepted by hackers as part of data package transfers from the user to a third-party entity. Tech companies argue that if the pixel-tracking tool is configured correctly, sensitive information is encrypted while sharing and only visible to parties with viewing permission. This may not have been the case with several data breaches, as the personal records of an estimated 5,000,000 patients were compromised, resulting in several class action lawsuits. Though these lawsuits aren’t directly claiming HIPAA law violations (only governmental entities can pursue those charges in most states), the basis of the lawsuits lies in state and federal privacy laws and consumer protection, which is prompting state and federal governments to formalize their stance on pixel-tracking and develop clearer legislative design for current and future pixel use. Though the courts have yet to rule on any pixel-related cases, several healthcare systems have chosen to settle cases away from the courts in multimillion-dollar settlements.

 

Risk mitigation and pixel technology 

As it stands, pixel-tracking and pixel technology are lauded as highly tunable tools affording the user several customizable safeguards to prevent sensitive information from being sent to third parties while maintaining integrity as an analytics super tool. These tools can add immense value to any organization required to handle the massive amount of data associated with patient care.

 

The question must be raised: is there a place for such technology to operate both ethically and legally in the healthcare space? If the answer is yes, how does the healthcare industry, as well as other industries, take advantage of the benefits provided by this technology and successfully mitigate the risk associated with its use? To start, some state governments are leading the initiative and require as part of state law that websites use pop-up windows asking customers whether they want to allow cookies or other tracking devices such as a pixel.

 

At the organizational level, there are several preventative and corrective measures healthcare entities can follow to protect their practice and their patient base. 

 

1.  Consult your broker to review your cyber insurance policy and discuss potential coverage concerns or exclusions, potential regulatory fines, penalties and wrongful collection coverage options.
 

2. Review websites to identify all third-party tracking tools and confirm the data collected complies with privacy laws. 
 

3. Hire a cybersecurity firm to set up security measures to restrict the depth of data exposure to hackers or third-party tools.
 

4. Disable pixels and third-party tracking tools on pages accepting PHI from patients and consumers.
 

5. Ensure your website privacy policy is clear and provides the option to “opt-in” to tracking in cases where you must deploy tracking tools.
 

6. Develop a process to vet and approve third-party tracking, including IT security and legal measures.
 

7. In cases where a third-party tracking tool is installed, run simulation tests on everyday website activities to ensure data is appropriately collected and transmitted.
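
As an illustration of steps 2 and 4, the sketch below (an added example, not part of the original article) scans page HTML for scripts, image beacons and iframes loaded from hosts other than the site's own, and flags any page that both loads such a resource and accepts visitor input. The host names, page paths and sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

LOADERS = {"script", "img", "iframe"}            # tags that fetch a resource via src
NON_DATA_INPUTS = {"hidden", "submit", "button"}  # input types that carry no typed data

class PageAudit(HTMLParser):
    """Collects third-party resource hosts and notes whether the page takes input."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host
        self.third_party = set()
        self.collects_input = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in LOADERS and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative (same-site) URLs
            own = host == self.first_party or (host or "").endswith("." + self.first_party)
            if host and not own:
                self.third_party.add(host)
        if tag in ("textarea", "select"):
            self.collects_input = True
        elif tag == "input" and (a.get("type") or "text").lower() not in NON_DATA_INPUTS:
            self.collects_input = True

def audit_site(pages, first_party_host):
    """pages maps path -> HTML. A violation is a page that takes input AND loads third-party code."""
    report = {}
    for path, html in pages.items():
        audit = PageAudit(first_party_host)
        audit.feed(html)
        hosts = sorted(audit.third_party)
        report[path] = {"third_party": hosts,
                        "violation": audit.collects_input and bool(hosts)}
    return report

# Constructed sample pages for a hypothetical site, hospital.example
SAMPLE_PAGES = {
    "/": '<script src="https://analytics.example/a.js"></script><h1>Welcome</h1>',
    "/portal/login": '<script src="/static/app.js"></script>'
                     '<form><input type="password" name="pw"></form>',
    "/portal/appointments": '<script src="https://cdn.hospital.example/app.js"></script>'
                            '<form><input type="text" name="reason">'
                            '<select name="dept"></select></form>'
                            '<img src="//pixel.tracker.example/p.gif" width="1" height="1">',
}

if __name__ == "__main__":
    for path, result in audit_site(SAMPLE_PAGES, "hospital.example").items():
        print(path, result)
```

A static scan like this only sees tags present in the delivered HTML; trackers injected at runtime by a tag manager require the kind of simulated browsing test described in step 7.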

 

It is important for each individual entity to evaluate where the use of pixel-tracking fits into its business plan and its service to patients. It may not be the time for complete abandonment of the technology, but instead, an opportunity for a deeper focus on proper planning and transparency and a dedication to more robust loss control systems and effective protocols.