Common online tracking technology that could lead to a HIPAA violation should be at the top of all healthcare providers to “know” list.
I probably sound like a broken record by now, however, this is a VERY important topic! Many states are implementing their own set of privacy rules and using online tracking is dangerous in healthcare.
Here is a refresher on what is online tracking technology. Tracking technology collects data from website visitors and many times, follows that visitor around the internet. They serve an important purpose for the website owner. It can give them useful information about what a visitor is looking for, how long they stay on a page, and where they go after they leave your site. In the business world, that sounds harmless. Marketers are just trying to make websites more appealing and increase revenue. In the healthcare field, that can be considered a HIPAA violation. Most medical practices do not even know these trackers on their website. It is extremely important to audit your website and make sure the company you utilize for maintaining your website, marketing, and hosting understands HIPAA.
There are dozens of trackers, but we will cover the most common that we have encountered:
Google Analytics
Google Ads
Google Maps
HotJar
HubSpot
YouTube
Vimeo
TheTradeDesk
The most common of all trackers is Google. They have a few different “versions”, like Google Analytics, Google Ads, and Google Maps. You need to understand how this works because they all can lead to problems because these trackers are not HIPAA compliant. Google Analytics collects personal identifiers about your website visitors by default. Google ads follow visitors around the internet. If you find “doubleclick” in any part of a URL, that is also related to Google ads! There are others, but this is the most common marketers use to track sales conversions. Google maps, of course tracks where the visitor is located to take them to your location. This could be a violation if this is located on the same page as a scheduler or portal. You may be in the clear if there isn’t any other health information located on that page. Caution should be used when using Google maps. Many practices simply write out directions from common intersections or nearby towns.
Please note that even if the individual that visits your website is NOT a patient, the OCR considers them as a potential patient and may become a patient at some point in the future, and therefore their data could be considered PHI. The OCR and the FTC have specifically stated that Google Analytics and Google Ads can cause HIPAA violations. You will need to remove the information that is collected BEFORE it is shared with Google, or you must utilize a third-party to prevent Google from having access.
Hotjar is a Google competitor and states they are easier to use. They offer two types of analytic tools. Heatmaps and session recordings. They offer a “free” version, but remember when a service is free, you are usually the item for sale. Although they promote that they do not collect IP addresses and emails, it is unclear if they collect any other personal data. They advise new users to login into their Google account to get started, so that is a red flag for us.
HubSpot is popular because it is a CRM that is linked to your website. They state they have robust security in place, but they will not sign a BA agreement. Therefore, they are not HIPAA compliant. Their terms of service state that healthcare entities should NOT use HubSpot. We have read that it can be made HIPAA compliant, but this would still put you on notice with the OCR and FTC.
Since Google owns YouTube, this is another platform that sends out alarm bells. Many practices use video on their website that is hosted on YouTube. This could contain PHI and then YouTube would have access to personal identifiers. Unfortunately, this also means you are sharing PHI with Google. Again, this is a HIPAA violation. You may be able to have the patient sign an authorization that details what information is going to be shared and explain, even if they decide later, they want it removed, the original information may be retained online indefinitely. This is a slippery slope though.
Speaking of videos, this brings me to Vimeo. This is another video hosting platform. They have several “versions”, so just be aware of any URL that has Vimeo in it. Keep in mind these embedded videos collect user information, same as YouTube and shared with Vimeo. The same precautions must be applied.
If you must use videos, it is recommended to find an alternative hosting platform that will sign a BA agreement. I know this could be a long process, but you need to be sure patient data is not being shared!
Facebook is another one we have seen a lot on medical websites. They are another entity known to share information across multiple platforms. Meta, who is the parent company of Facebook, uses a Pixel as their tracking device. The “Meta Pixel” is a small code that is used to track information across Facebook and Instagram, and any other systems they choose. Have you ever been on one platform, only to see Ads on another about something you watched or read? Meta pixels track visitor actions, and this helps put ads in front of similar visitors to improve advertising conversions. The OCR and FTC have also named Meta/Facebook as being non-compliant.
LinkedIn has been known to be a professional platform. Many healthcare providers have chosen to have a presence on LinkedIn over Facebook. They too use trackers; this one is called the “Insight Tag”. They have several different URLS, but they all use trackers. This tracker has the ability to follow LinkedIn users on your website and monitor what pages are viewed and if any actions are taken. Originally, this was intended for visitors looking for a job. If this is placed properly, and no health information is located on that page, this is a low risk of a violation. Make sure this tracker is not located on your entire website. This tracker works like the rest of social media trackers and puts you at risk of violations if not installed properly.
TheTradeDesk tracker is difficult to spot since some of their URLS do not use this name. Watch for adsrvr in the URL. They call their tracker the “Universal Pixel” since it allows advertisers to target users on digital platforms, streaming devices, and podcasts. This platform collects a lot of data from your website! This includes demographics, browsing history, and even conversion stats. This all can lead to PHI being shared with them. It is not recommended to use this platform if you are a healthcare provider since they can load other ad pixels randomly on your website. This can put your practice at even more of a HIPAA violation.
None of these platforms will sign a Business Associate Agreement (BAA). I have heard of a company that can help with all of this, but they are not affordable for many providers. If you would like information about them, please contact us. I will continue to search for alternatives so you can still market your practice without fear of HIPAA violations. Until then, we recommend removing all trackers.
Let us know if you would like us to check your website. Feel free to share this information with your colleagues. We want to help as many practices as we can since the fines can be devastating. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
