Decree 13 on personal data protection has posed a series of issues for Vietnamese businesses that need to be resolved. However, attention seems to be focused on the finance and banking sector, and opinions about compliance with Decree 13 mostly come from this industry. Meanwhile, sensitive personal data in the medical sector, such as an individual’s health status, genetic characteristics or sex life, has not received much attention.
According to Circular 46/2018/TT-BYT regulating electronic medical records, issued by the Minister of Health, in the period from 2024 to 2028 all medical examination and treatment facilities nationwide must deploy electronic medical records. If a health care facility has not been able to implement them, it must report to its managing agency. The written report must clearly state the reason and the roadmap for implementing electronic medical records, and implementation must be completed before 31 December 2030. The nationwide rollout of electronic medical records will expose hospitals to major challenges in protecting personal and sensitive personal data. But even before that, websites that allow booking medical appointments were already a big problem because they carry user-tracking technologies that serve advertising.
A study conducted in 2021 looking at the websites of 3,747 hospitals in the United States found that 98.6% of hospitals used at least one type of tracking code on their website to transfer data to third parties. A 2022 analysis by The Markup/STAT of the websites of the top 100 US hospitals (as listed by Newsweek in the US) revealed that one-third of those hospitals used tracking technology on their websites to transmit data about visitors, including protected health information (PHI), to third parties. That technology, called Meta Pixel, sends Facebook a packet of data whenever a person clicks a button to schedule a doctor’s appointment. The data is connected to an IP address, an identifier that resembles a computer’s mailing address and can often be linked to a specific individual or household, which creates for Facebook a strong link to the appointment request.
For example, on the University Hospitals Cleveland Medical Center website, clicking the “Schedule Online” button on a doctor’s page caused the Meta Pixel to send Facebook the text of the button, the doctor’s name and the search term used: “Pregnancy termination”.
Clicking the “Schedule online now” button for a doctor on the website of Froedtert Hospital, in Wisconsin, caused the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the condition selected from the drop-down menu: “Alzheimer’s disease”.
The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. Across five pages, they found that the Pixel sent data to Facebook about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. This is a crowdsourced project in which anyone can install Mozilla’s Rally browser add-on to send Meta Pixel data as it appears on the websites they visit. The data sent to hospitals includes the name of the patient’s medication, a description of their allergic reaction, and details about their upcoming doctor’s appointments.
Regulators, health data security experts and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities such as hospitals from sharing personally identifiable health information with third parties such as Facebook, unless an individual has provided express consent in advance or under certain contracts.
Neither the hospital nor Meta said they had such a contract, and The Markup found no evidence that the hospital or Meta was obtaining the patient’s express consent.
David Holtzman, a health privacy consultant who served as senior privacy advisor to the U.S. Department of Health and Human Services, said: “I am extremely worried about what [hospitals] are doing with their data collection and sharing that data.” The Department of Health and Human Services, which enforces HIPAA, said it was likely a HIPAA violation.
After reviewing The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “in an effort to avoid risks,” Steve Schooff, a hospital spokesperson, wrote in a statement.
A spokesperson for University Hospitals Cleveland Medical Center did not respond to The Markup’s questions but said in a brief statement that the hospital “complies with all applicable federal and state laws and regulations.”
As of June 15, 2021, six additional hospitals had also removed the Pixel from their appointment pages, and at least five of the seven health systems that had installed Meta Pixels in their patient portals had removed them.
The 33 hospitals that The Markup found sending patient appointment details to Facebook reported a combined total of more than 26 million hospital admissions and outpatient visits in 2020, according to the most recent data available from the American Hospital Association. The Markup’s investigation was limited to just over 100 hospitals; data sharing may affect many more patients and organizations than that.
Facebook itself is not subject to HIPAA, but experts interviewed for this story expressed concerns about how the advertising giant might use the personal health data it collects for its own profit.
Nicholson Price, a University of Michigan law professor who studies big data and health care, said: “This is a classic example of exactly how Big Tech’s tentacles reach into what we think of as the protected data space. I think this is scary, problematic and potentially illegal” from the hospitals’ perspective.
The Markup cannot determine whether Facebook uses the data to target ads, train its recommendation algorithms, or profit in other ways.
Facebook’s parent company, Meta, did not respond to inquiries. Instead, spokesman Dale Hogan sent a brief email explaining the company’s sensitive health data policy.
“If Meta’s signal filtering system detects that a business is sending potentially sensitive health data from their app or website through the use of Meta Business Tools, which in some cases may occur in error, such potentially sensitive data will be deleted before it can be stored in our advertising systems,” Hogan wrote.
Meta did not respond to follow-up questions, but Hogan appeared to be referencing a sensitive health information filtering system the company launched in July 2020 in response to a Wall Street Journal article and an investigation by the New York Department of Financial Services. Meta told investigators that the filtering system “still does not operate with complete accuracy,” according to a February 2021 final report by the New York Department of Financial Services.
The Markup cannot confirm whether any data referenced in this story was in fact deleted before being stored by Meta. However, a recent joint investigation with Reveal, the news site of the non-profit organization The Center for Investigative Reporting (USA), showed that Meta’s sensitive health information filtering system does not block information about appointments that a reporter requested with centers that persuade women not to have abortions.
Internally, Facebook employees have been blunt about how good or bad the company is at protecting sensitive data.
“We do not have a full level of control and accountability over how our systems use data, and therefore we cannot confidently make controlled policy changes or external commitments such as ‘we won’t use X data for Y,’” Facebook engineers in the advertising and business products teams wrote in a 2021 privacy overview that was leaked to Vice Media Group.