The Health Insurance Portability and Accountability Act (HIPAA) has long served as a cornerstone in protecting the privacy and security of individuals’ health information. As digital technology continues to evolve, so do the ways in which health data can be collected, shared, and potentially exposed. Recently, there have been significant updates concerning the use of online tracking technologies—such as cookies, web beacons, and pixels—particularly when used by HIPAA-covered entities and their business associates. These updates clarify how existing HIPAA regulations apply in the digital landscape, emphasizing the need for transparency, patient consent, and robust safeguards when handling protected health information (PHI) online.
These updates may be good news for healthcare
A federal judge in Texas ruled that the use of third-party online tracking technologies on hospitals’ public-facing web pages was unlawful. District Judge Mark Pittman in Texas sided with the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System in his ruling that found the Department of Health and Human Services overstepped its authority with the 2022 guidance.
The lawsuit specifically argues that HHS expanded HIPAA’s definition of “individually identifiable health information” beyond its statutory authority. Also, it calls for the portion of OCR’s guidance addressing unauthenticated web pages to be invalidated.
This past March, HHS updated its guidance on the use of third-party web trackers to exclude certain types of website visits from meeting its criteria for protected health information (PHI) disclosures. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in his ruling.
Keep in mind, this milestone verdict comes from hospitals and larger entities rather than small to medium sized practices. Whereas, they have more financial strength.
HHS / OCR back tracks and updates guidance
On March 18, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released updated guidance on the use of online tracking technologies by HIPAA-covered entities and their business associates. This update clarifies how HIPAA applies to tools like cookies, pixels, and web beacons used on websites and mobile apps.
Key Points from the Updated Guidance:
- Definition of PHI in Online Tracking: OCR emphasizes that individually identifiable health information (IIHI) collected through tracking technologies is considered protected health information (PHI) under HIPAA. This includes data such as IP addresses, device identifiers, and browsing behavior when linked to an individual’s health care or payment for health care. Even if the individual does not have an existing relationship with the entity, such information is still regarded as PHI.
- Use on Authenticated and Unauthenticated Webpages: The guidance distinguishes between authenticated webpages (requiring user login) and unauthenticated webpages. For authenticated pages, any tracking technology that collects PHI must comply with HIPAA regulations. For unauthenticated pages, if the information collected can be linked to an individual’s health care or payment, it is also considered PHI.
- Business Associate Agreements (BAAs): Disclosing PHI to third-party tracking technology vendors without a valid HIPAA authorization or a business associate agreement (BAA) is considered a HIPAA violation. Entities must ensure that any sharing of PHI complies with HIPAA’s Privacy Rule requirements.
- Enforcement and Compliance: OCR has indicated that it will prioritize compliance with the HIPAA Security Rule in investigations related to online tracking technologies. Covered entities are advised to conduct thorough risk assessments, train staff, and implement appropriate technical safeguards to ensure compliance.
This updated guidance underscores the importance of safeguarding PHI in the digital realm. HIPAA-regulated entities must carefully assess their use of online tracking technologies, ensuring compliance with privacy regulations to protect patient information.
Google Analytics
Removing Protected Health Information (PHI) from Google Analytics is a critical step for HIPAA-covered entities to ensure compliance with privacy regulations. Since Google Analytics is not a HIPAA-compliant service and does not sign Business Associate Agreements (BAAs), any transmission of PHI through its platform constitutes a HIPAA violation. To avoid this, organizations must take proactive measures to prevent PHI—such as names, IP addresses, medical conditions, appointment details, or any data that can be tied to an individual’s health—from being captured by tracking scripts. This often involves disabling data collection on sensitive pages, using robust filtering techniques to scrub URLs of identifiable information, and configuring analytics tools to anonymize IP addresses and exclude user-specific identifiers.
By auditing their tracking implementations and employing privacy-centric alternatives, healthcare organizations can maintain valuable analytics insights without compromising patient privacy.
Analytics Alternatives
There are some Google Analytics alternatives, but not all of them give prices. When searching for these services, be very careful. Nefarious characters are going to try and trick you into offering a too good to be true service. Criminals are looking for new ways to gain access to patient data.
Let us know if you would like us to review any particular service or if you have any questions. We are here to help!
Feel free to share this article with your colleagues. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you on every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”