Privacy Risks Identified in Websites Used to Deliver Opioid Addiction Treatment and Recovery Services

By | November 25, 2022

An alarming number of websites used to deliver opioid addiction treatment and recovery services contain data sharing and privacy risks, according to a new report from the Opioid Policy Institute (OPI) and Legal Action Center (LAC). Addiction treatment and recovery services are increasingly delivered online and via mobile apps, with the websites handling multiple functions. They are used to communicate with patients, conduct telehealth visits, enroll and screen patients, and receive referrals.

All websites that collect patient data need to have robust privacy and security controls in place, but this is especially important for websites used to deliver opioid addiction treatment and recovery services due to the stigma associated with drug addiction and the potential for discrimination against people with substance use disorders. Concerns about confidentiality frequently rank among individuals’ most common reasons for not seeking substance use disorder treatment.

At the federal level, HIPAA and other privacy laws have strict requirements for ensuring the confidentiality of patient information and many providers of substance use disorder treatment services operate on the central promise of anonymity, yet the privacy and security of the websites used by providers of these services have not been well studied. OPI and LAC teamed up for the study and analyzed the websites of 12 virtual care platforms over a period of 16 months using the Blacklight tool developed by The Markup to assess the privacy protections on websites, which in June 2022 received an average of 57,000 visits. The Blacklight tool was used to assess a variety of data collection practices, including ad trackers, third-party session cookies, session recording, keylogging, and third-party tracking code such as the code snippets provided by Google (Analytics) and Meta (Pixel).

While it was not possible to determine exactly what data was collected by the websites or determine how the collected data was used, all websites consistently used tools over the 16-month observation period that had the capability to collect and transmit sensitive information and all websites has issues that put patient privacy at risk. All 12 websites used ad trackers that were able to identify the individuals who visited the websites, with 11 of the 12 sites using third-party cookies that allow individuals visiting the virtual care platforms to be tracked across the Internet.

During the 16-month period, around half of the websites used Metal Pixel tracking code. The Meta Pixel code snippet is used to track visitor activity on websites to measure preferences and trends to improve the user experience; however, the code snippet can capture sensitive data and transmit it to Meta. This year, dozens of health systems were found to have added the code to their websites and patient portals, which transmitted sensitive patient data to Meta without consent. In some cases, the information transferred was allegedly used to serve individuals with targeted ads related to their health conditions. Meta has a policy that requires users of Meta Pixel not to share sensitive information such as healthcare data, but many healthcare providers were found to have transmitted patient data to Meta. In this study, four OUD mHealth websites were discovered to have sent identifiable information to Meta.

10 of the 12 websites used Google Analytics on their website, despite Google having a policy that the code should not be used to collect personally identifiable information or protected health information. All 12 websites used advertising, with at least some data sent by all 12 companies to ad tech firms that buy and sell user data for advertising purposes. The researchers note that over the course of the 16 months, the use of trackers on the websites generally increased. Despite the data sharing and privacy risks identified on the sites, these OUD websites generally marketed themselves as private, secure, and 100% confidential.

“In order to fulfill their promise of expanding access to quality care, virtual care platforms for OUD treatment and recovery should also meet or exceed the privacy and security standards for in-person care,” write OPI and LAC. “By shining a light on these issues, we hope that legislators and other policymakers take necessary measures to protect individuals who need treatment and recovery support.”

The post Privacy Risks Identified in Websites Used to Deliver Opioid Addiction Treatment and Recovery Services appeared first on HIPAA Journal.