Common Online Tracking Technology that Could Lead to a HIPAA Violation

Common online tracking technology that could lead to a HIPAA violation should be at the top of every healthcare provider's “need to know” list.

I probably sound like a broken record by now; however, this is a VERY important topic. Many states are implementing their own privacy rules, and using online tracking in healthcare is dangerous.

Here is a refresher on what online tracking technology is. Tracking technology collects data from website visitors and, many times, follows that visitor around the internet. It serves an important purpose for the website owner: it can show what a visitor is looking for, how long they stay on a page, and where they go after they leave your site. In the business world, that sounds harmless; marketers are just trying to make websites more appealing and increase revenue. In the healthcare field, the same data flow can be a HIPAA violation. Most medical practices do not even know these trackers are on their website. It is extremely important to audit your website and make sure the company you use for maintaining, marketing, and hosting it understands HIPAA.

There are dozens of trackers, but we will cover the most common that we have encountered:

Google

Google Analytics

Google Ads

Google Maps

Hotjar

HubSpot

YouTube

Vimeo

Facebook (Meta Pixel)

LinkedIn

TheTradeDesk

The most common of all trackers is Google. It comes in a few different “versions”, such as Google Analytics, Google Ads, and Google Maps. You need to understand how each one works, because all of them can lead to problems: none of these trackers is HIPAA compliant. Google Analytics collects personal identifiers about your website visitors by default. Google Ads follows visitors around the internet; if you find “doubleclick” in any part of a URL, that is also Google Ads. There are others, but these are the ones marketers most commonly use to track sales conversions. An embedded Google Map, of course, reads where the visitor is located in order to route them to your office. That can be a violation if the map sits on the same page as a scheduler or a portal; you may be in the clear if there is no other health information on that page. Use caution with Google Maps. Many practices simply write out directions from common intersections or nearby towns instead.

Please note that even if the individual visiting your website is NOT a patient, the OCR treats them as a potential patient who may become a patient at some point in the future, so their data can be considered PHI. The OCR and the FTC have specifically named Google Analytics as a technology that can cause HIPAA violations, and the same reasoning applies to Google Ads. You will need to strip the identifying information BEFORE it is shared with Google, or use a third party that prevents Google from receiving it.

Hotjar is a Google competitor that claims to be easier to use. It offers two types of analytics tools: heatmaps and session recordings, which replay what a visitor did on the page. There is a “free” version, but remember that when a service is free, you are usually the item for sale. Although Hotjar promotes that it does not collect IP addresses or emails, it is unclear what other personal data it collects. It advises new users to sign in with their Google account to get started, which is a red flag for us.

HubSpot is popular because it is a CRM that is linked to your website. HubSpot states it has robust security in place, but it will not sign a BA agreement; therefore, it is not HIPAA compliant. Its terms of service state that healthcare entities should NOT use HubSpot. We have read that it can be made HIPAA compliant, but using it would still put you on notice with the OCR and FTC.

Since Google owns YouTube, this is another platform that sets off alarm bells. Many practices embed videos on their website that are hosted on YouTube. If a video contains PHI, YouTube, and therefore Google, has access to it and to the personal identifiers of whoever watches it. Again, this is a HIPAA violation. You may be able to have the patient sign an authorization that details what information is going to be shared and explains that, even if they later want it removed, the original may be retained online indefinitely. This is a slippery slope, though.

Speaking of videos, this brings me to Vimeo, another video hosting platform. It has several “versions”, so be aware of any URL that has vimeo in it. Keep in mind that these embedded videos collect viewer information, the same as YouTube, and share it with Vimeo. The same precautions must be applied.

If you must use videos, it is recommended to find an alternative hosting platform that will sign a BA agreement. I know this could be a long process, but you need to be sure patient data is not being shared!

Facebook is another one we have seen a lot on medical websites, and another entity known to share information across multiple platforms. Meta, the parent company of Facebook, uses a pixel as its tracking device. The “Meta Pixel” is a small piece of code that tracks visitors across Facebook, Instagram, and any other systems Meta chooses. Have you ever been on one platform, only to see ads on another about something you watched or read? The Meta Pixel tracks visitor actions so that ads can be put in front of similar visitors to improve advertising conversions. The OCR and FTC have also specifically named the Meta/Facebook pixel in their warnings.

LinkedIn has been known as a professional platform, and many healthcare providers have chosen to have a presence on LinkedIn over Facebook. It too uses a tracker, called the “Insight Tag”. It loads from several different URLs, but they all track. The Insight Tag can follow LinkedIn users on your website and monitor which pages are viewed and whether any actions are taken. Originally, this was intended for visitors looking for a job. If it is placed properly and no health information is located on that page, the risk of a violation is low. Make sure this tracker is not loaded across your entire website. It works like the rest of the social media trackers and puts you at risk of violations if not installed carefully.

TheTradeDesk tracker is difficult to spot since some of its URLs do not use that name; watch for adsrvr in the URL. TheTradeDesk calls its tracker the “Universal Pixel” because it lets advertisers target users across digital platforms, streaming devices, and podcasts. This platform collects a lot of data from your website, including demographics, browsing history, and even conversion stats, all of which can lead to PHI being shared with them. It is not recommended for healthcare providers, since the Universal Pixel can load other ad pixels on your website without warning, putting your practice at even greater risk of a HIPAA violation.
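Here is a small audit script, added as an example and not part of the original post or any vendor's code, that scans a page's HTML for the trackers described above. It uses only the Python standard library, so it runs offline against saved HTML. The sample page is constructed for this example, and the host patterns (googletagmanager.com, doubleclick.net, adsrvr.org, snap.licdn.com, facebook.com/tr, and so on) are assumptions based on the domains these vendors commonly serve scripts and embeds from; they will not catch every variant, so treat the output as a starting point and confirm with your browser's network tab.

```python
"""Audit a page's HTML for the third-party trackers discussed above.

Added example (not Aris Medical Solutions' code). Standard library only.
SAMPLE_PAGE is a constructed page; the host patterns in SIGNATURES are
assumptions based on where these vendors commonly serve scripts/embeds from.
"""
from html.parser import HTMLParser

# (substring looked for in a src URL or inline script body, vendor). Assumed.
SIGNATURES = [
    ("google-analytics.com", "Google Analytics / Tag Manager"),
    ("googletagmanager.com", "Google Analytics / Tag Manager"),
    ("gtag(", "Google Analytics / Tag Manager"),
    ("doubleclick.net", "Google Ads"),                # "doubleclick" = Google Ads
    ("googleadservices.com", "Google Ads"),
    ("google.com/maps", "Google Maps"),
    ("maps.googleapis.com", "Google Maps"),
    ("hotjar.com", "Hotjar"),
    ("hj.q", "Hotjar"),
    ("hs-scripts.com", "HubSpot"),
    ("hubspot.com", "HubSpot"),
    ("youtube.com", "YouTube"),
    ("youtube-nocookie.com", "YouTube"),
    ("vimeo.com", "Vimeo"),
    ("connect.facebook.net", "Meta Pixel"),
    ("facebook.com/tr", "Meta Pixel"),
    ("fbq(", "Meta Pixel"),
    ("snap.licdn.com", "LinkedIn Insight Tag"),
    ("px.ads.linkedin.com", "LinkedIn Insight Tag"),
    ("_linkedin_partner_id", "LinkedIn Insight Tag"),
    ("adsrvr.org", "TheTradeDesk Universal Pixel"),  # "adsrvr" = TheTradeDesk
]


class TrackerScanner(HTMLParser):
    """Records every <script>/<iframe>/<img> src and inline script body that
    matches a signature, and notes whether the page collects visitor input."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.collects_input = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("form", "input", "textarea", "select"):
            self.collects_input = True
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe", "img") and attrs.get("src"):
            self._match(attrs["src"], "<%s src>" % tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands us the whole <script> body as one data chunk.
        if self._in_script and data.strip():
            self._match(data, "inline <script>")

    def _match(self, text, where):
        lowered = text.lower()
        for needle, vendor in SIGNATURES:
            if needle in lowered:
                self.findings.append({"vendor": vendor, "where": where,
                                      "evidence": " ".join(text.split())[:80]})
                break  # one vendor per src / script body


def find_trackers(html):
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings, scanner.collects_input


def audit(html):
    """Vendors present on the page plus a risk label following the reasoning
    above: a tracker on a page where visitors type information is the worst case."""
    findings, collects_input = find_trackers(html)
    vendors = sorted({f["vendor"] for f in findings})
    if not vendors:
        risk = "none found"
    elif collects_input:
        risk = "high: tracker on a page with form fields"
    else:
        risk = "review: tracker present, confirm no PHI is reachable on this page"
    return {"vendors": vendors, "collects_input": collects_input,
            "risk": risk, "findings": findings}


# Constructed sample: an appointment-request page as a marketing agency might
# build it. Identifiers (G-EXAMPLE, pixel id 000...) are placeholders.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Request an Appointment - Example Family Practice</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
<script src="https://js.adsrvr.org/up_loader.1.1.0.js"></script>
<script src="/static/site.js"></script>
</head><body>
<iframe src="https://www.google.com/maps/embed?pb=example"></iframe>
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
<form action="/request-appointment" method="post">
<input type="email" name="email"><input type="text" name="reason">
</form>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"></noscript>
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE)
    print("risk:", report["risk"])
    for f in report["findings"]:
        print("%-30s %-16s %s" % (f["vendor"], f["where"], f["evidence"]))
```

Run it against a saved copy of every page on the site (View Source, or fetch each URL), not just the home page: as noted above, a tracker such as the Insight Tag dropped site-wide is the problem, and the report rates a page high risk when a tracker shares it with a form, because the name, email, or reason for visit typed there is exactly the information the OCR treats as PHI while a third party's script is running on the page.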

None of these platforms will sign a Business Associate Agreement (BAA). I have heard of a company that can help with all of this, but it is not affordable for many providers; if you would like information about it, please contact us. I will continue to search for alternatives so you can still market your practice without fear of HIPAA violations. Until then, we recommend removing all trackers.

Let us know if you would like us to check your website, and feel free to share this information with your colleagues. We want to help as many practices as we can, since the fines can be devastating. If you need assistance with HIPAA compliance, check out our HIPAA Keeper. It is an online compliance system that has everything you need to get compliant and stay compliant, and you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

Patient Right of Access – what does this really mean?

Patients' right of access has serious consequences if requests are not handled properly, and the clock starts the moment a patient makes the request. HIPAA prohibits unreasonable measures when patients request access to their medical records.

Most practices think this request MUST be in writing. Although that is ideal, it can cause a problem when the patient is unable to come to the office. The first alternatives that come to mind are a fax machine or an email account. What do you do if the patient has access to none of these? One method is to verify the phone number you have on file, call them back at that number, and then ask for the last four digits of their Social Security number or other identifying information.

Keep in mind there is a time limit! Currently you have up to 30 days to comply with the request, plus one 30-day extension (if you advise the patient or representative in writing that you need more time and give them the date by which the records will be available). We do not recommend waiting until the “29th” day; respond as soon as possible. NOTE: We expect this time frame to be reduced to 15 days, with one 15-day extension, this year. I can't stress the importance of this enough because of the fines that have been assessed for non-compliance.

As of today, 45 cases have been resolved under the OCR's HIPAA Right of Access Initiative. Only a few fines were under $10K; most were between $25K and $200K. Some of these were assessed against small dental practices and even cash-only plastic surgery practices. The latest is $80K from UnitedHealthcare. No practice or health plan is immune!

Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance, so it is important to stay on top of ALL of them. Don't forget to review your website too!

The OCR sent out ANOTHER reminder about online tracking technologies. This is the third notice, and it includes the letters sent to hospitals and telehealth providers. They are actively reviewing healthcare websites, and they specifically state that the use of Meta/Facebook pixels and Google Analytics could be a violation:

https://www.hhs.gov/sites/default/files/ocr-ftc-letters-re-use-online-tracking-technologies.pdf

If you use any online technology that collects personal identifiers, the vendor must have a business associate agreement in place, or you need the patient's authorization before anything is disclosed. With that said, be very careful with what you do with this information. It only takes one patient complaint to start an investigation.

If you would like us to review your website, use the contact us page.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA compliance, visit https://hipaakeeper.com/.


The OCR and FTC are investigating online tracking technologies

We wrote about this back in December 2022, but the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have since added an additional warning. The OCR has confirmed active investigations nationwide to ensure compliance with HIPAA. The use of online tracking technologies must be reviewed against the HIPAA requirements on all medical websites.

The OCR and the FTC are cautioning providers about the privacy and security risks of online tracking technologies, which may be integrated into websites or mobile apps. Depending on how they are built and configured, these technologies may disclose personal health information to third parties. Tracking technologies collect and analyze information when visitors use websites or apps. Most of the time, this information is sent directly to third parties, which may continue to track the visitor after they navigate away from the website or app.

Online tracking technology can be used for good, but patients should not have to sacrifice their personal information in the process. The OCR and FTC sent letters to 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of these technologies, such as the Meta/Facebook pixel and Google Analytics. These are just two of the many that are known to track a user's online activity. These tracking technologies gather identifiable information about visitors, usually without their knowledge.

The minimum necessary rule must be followed even with modern technology: only the minimum information necessary to complete the task may be shared, nothing more. The OCR enforces the HIPAA rules and will review all aspects of your compliance if it receives a complaint or if you have a data breach.

The FTC's role is protecting the public from deceptive or unfair business practices, including unfair methods of competition, and it does this through enforcement, research, and education. Through its recent enforcement actions against BetterHelp, GoodRx, and Premom, the FTC has put companies on notice that they must monitor the flow of health information to third parties via tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC's Health Breach Notification Rule.

Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information, even when a third party developed their website or mobile app. When working with a website designer or marketing group, fully vet their HIPAA compliance efforts, even if they have worked with other medical practices. Being HIPAA compliant is more complicated now with all the modern technology, and these vendors must jump through the same hoops as a medical practice. Just because they say a tool will help your practice doesn't mean it is acceptable under the HIPAA rules. Trust, but verify!

Aris Medical Solutions has an online system called the HIPAA Keeper™, to help covered entities and business associates get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.


To read about actual HIPAA fines, click on our Education tab!

HIPAA Requirements for Online Tracking from OCR

The Office for Civil Rights (OCR) has issued a bulletin to remind covered entities and business associates of their obligations under HIPAA when using online tracking technologies. These technologies include, but are not limited to, Google Analytics, the Meta Pixel, cookies, and QR codes.

Covered entities regularly share electronic protected health information (ePHI) with some of these tracking vendors, and some may be doing so in violation of HIPAA. Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of ePHI to tracking technology vendors or in any other violation of the HIPAA Rules.

Tracking technologies are used to collect and analyze information about how patients interact with websites and/or mobile applications (“apps”). If a covered entity or business associate uses a technology partner to analyze those interactions, or discloses tracking information as part of its health care operations, the HIPAA Rules apply whenever the information collected contains protected health information (PHI). If your organization shares sensitive information with an online tracking vendor, that sharing may be an impermissible disclosure. Another example of a HIPAA violation would be disclosing PHI to a tracking company for marketing purposes without the patient's authorization.

Tracking technology is a script or code on a website or mobile app that gathers information about users as they interact with it. That information is then analyzed by the owners of the website or app, and third parties may also be used to analyze the data and create insights about users' online activities. These insights could be used in beneficial ways, such as to help improve care or the patient experience. However, the same information could be misused and lead to identity theft, stalking, and harassment.

Disclosures include a variety of information that is shared through tracking technologies on a website or mobile app, including individually identifiable health information (IIHI) that the individual provides when using them. This could include a patient's medical record number, home or email address, or dates of service, as well as the individual's IP address, geographic location, or medical device IDs. All such IIHI collected on a website or mobile app is generally PHI, even if the individual does not have an existing relationship with the entity and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when an entity collects the individual's IIHI through its website or mobile app, the information connects the individual to the entity and thus relates to the individual's past, present, or future health or health care, or payment for care.

Covered entities and business associates may have user-authenticated webpages, which require a patient to log in before accessing them, such as a patient portal or a telehealth platform. Tracking technologies on user-authenticated webpages generally have access to PHI, and may even have access to an individual's diagnosis and treatment information, prescription information, billing information, or other information within the portal. A regulated entity must configure any user-authenticated webpages that include tracking technologies so that those technologies only use and disclose PHI in compliance with the HIPAA Privacy Rule, and must ensure that the ePHI collected through its website is protected and secured in accordance with the HIPAA Security Rule. That is why it is so important to only work with website companies that are familiar with the HIPAA rules.

Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity, or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and must enter into a business associate agreement (BAA) with the vendor to ensure that PHI is protected in accordance with the HIPAA Rules.

For example, if a patient makes an appointment through the website of a covered entity and that website uses third-party tracking technologies, the website might automatically transmit information about the appointment and the individual's IP address to the tracking technology vendor. In this case the vendor is a business associate, and a BAA is required. The BAA must specify the vendor's permitted and required uses and disclosures of PHI, and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the covered entity.

The tracking technology vendor must also implement administrative, physical, and technical safeguards in accordance with the Security Rule to protect the ePHI: encrypting ePHI transmitted to the vendor, and enabling and using appropriate authentication, access, encryption, and audit controls when ePHI is accessed in the vendor's infrastructure.

Covered entities may also have webpages that do not require users to log in before accessing the information on them; these are considered unauthenticated webpages. They may include general information about the practice or business, such as its location, the services it provides, or its policies and procedures. Tracking technologies on unauthenticated webpages generally do not have access to PHI, and in that case a regulated entity's use of such tracking technologies is not regulated by the HIPAA Rules. If tracking technologies on unauthenticated webpages do have access to PHI, then the HIPAA Rules apply.

Examples of unauthenticated webpages where the HIPAA Rules apply include:

  • The login page of a patient portal (which may be the website's homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, is generally unauthenticated because the individual did not provide credentials to be able to navigate to it.
  • However, if the individual enters credential information on that login webpage or enters registration information (name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity's patient portal login page or registration page collect an individual's login information or registration information, that information is PHI and is protected by the HIPAA Rules.
  • Tracking technologies on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the covered entity is disclosing PHI to the tracking technology vendor, and therefore, the HIPAA Rules apply.
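To make the appointment-search example concrete, here is what the browser actually sends once such a page loads Google Analytics and the Meta Pixel. This is an added example, not text from the OCR bulletin or from Aris Medical Solutions. The three requests are constructed to resemble real beacons; the parameter names (dl for the page URL, dt for its title, cid for the analytics client ID, en or ev for the event) are the ones commonly seen in GA4 and Meta Pixel traffic and should be treated as assumptions to confirm against your own network capture. The client IP is whatever the vendor's server sees; here it is supplied as if read from a proxy log.

```python
"""Decode what tracker beacons from an unauthenticated appointment page carry.

Added example (not from the OCR bulletin or Aris Medical Solutions).
SAMPLE_REQUESTS are constructed; parameter names dl/dt/cid/en/ev are the
ones commonly seen in GA4 and Meta Pixel beacons (assumed, verify locally).
"""
from urllib.parse import urlparse, parse_qs

# Beacon destination -> vendor (assumed host names).
TRACKER_HOSTS = {"google-analytics.com": "Google Analytics",
                 "facebook.com": "Meta Pixel"}

# Query keys on the practice's own pages that reveal health intent or identity
# when they ride along inside the beacon. Constructed for this example site.
SENSITIVE_PAGE_PARAMS = {"symptom", "condition", "specialty", "provider",
                         "reason", "email", "phone", "dob"}

# (client IP as seen by the vendor, beacon URL). Constructed: example-clinic.test
# is the practice, 203.0.113.7 is a documentation address.
SAMPLE_REQUESTS = [
    ("203.0.113.7",
     "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE"
     "&cid=1234567890.1700000000&en=page_view"
     "&dl=https%3A%2F%2Fexample-clinic.test%2Ffind-care%3Fsymptom%3Dmiscarriage%26zip%3D30301"
     "&dt=Find%20Care%20-%20Example%20Clinic"),
    ("203.0.113.7",
     "https://www.facebook.com/tr/?id=000000000000000&ev=Schedule"
     "&dl=https%3A%2F%2Fexample-clinic.test%2Fschedule%3Fprovider%3Dobgyn%26email%3Djane%40example.test"),
    # First-party request: stays with the practice, not a tracker beacon.
    ("203.0.113.7", "https://example-clinic.test/api/slots?provider=obgyn"),
]


def vendor_for(url):
    """Tracker vendor that receives this request, or None if first-party."""
    host = urlparse(url).hostname or ""
    for domain, vendor in TRACKER_HOSTS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None


def analyze_beacon(client_ip, url):
    """What one beacon discloses: who receives it, which visitor it is tied
    to, and what the embedded page URL says about the visitor's health."""
    vendor = vendor_for(url)
    if vendor is None:
        return None
    params = parse_qs(urlparse(url).query)
    page_url = params.get("dl", [""])[0]        # the page the visitor was on
    page = urlparse(page_url)
    page_params = parse_qs(page.query)
    sensitive = {k: v[0] for k, v in page_params.items()
                 if k in SENSITIVE_PAGE_PARAMS}
    return {
        "vendor": vendor,
        "client_ip": client_ip,                     # identifier, always present
        "client_id": params.get("cid", [None])[0],  # persistent visitor id (GA)
        "event": (params.get("en") or params.get("ev") or [None])[0],
        "page_path": page.path,
        "sensitive_page_params": sensitive,
        # Per the bulletin the IP plus the visit is already IIHI; this flags
        # the worse case where the page URL itself names a condition or person.
        "carries_health_detail": bool(sensitive),
    }


def analyze_all(requests):
    return [r for r in (analyze_beacon(ip, u) for ip, u in requests) if r]


if __name__ == "__main__":
    for r in analyze_all(SAMPLE_REQUESTS):
        print("%-17s ip=%s page=%s event=%s leaked=%s" % (
            r["vendor"], r["client_ip"], r["page_path"], r["event"],
            r["sensitive_page_params"]))
```

Notice that the practice never "sent" anything on purpose: the visitor searched for care, the browser copied the full page URL (search terms included) into the beacon, and the vendor received it alongside the visitor's IP address and a persistent client ID. That combination is exactly the IIHI the bulletin describes, which is why a cookie banner or privacy-policy notice does not cure it.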

Mobile apps that help patients manage their health information or pay bills collect a variety of information provided by the app user. This includes information typed or uploaded into the app, as well as information provided by the user's device, such as fingerprints, network location, geolocation, device ID, or advertising ID. This information is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses. Any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party are disclosures of PHI. The HIPAA Rules apply to any PHI collected by a covered entity through a mobile app used by patients to track health-related variables, such as heart rate, menstrual cycle, body temperature, etc.

The HIPAA Rules do not apply to information that patients voluntarily enter into mobile apps that are not developed or offered by regulated entities, regardless of where that information came from. For example, the HIPAA Rules do not apply to health information that a patient enters in a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from a medical record created by a regulated entity). Where the HIPAA Rules do not apply, other laws may. For instance, the Federal Trade Commission (FTC) Act and the FTC's Health Breach Notification Rule (HBNR) may apply when a mobile health app impermissibly discloses a user's health information.

Again, covered entities and business associates are required to comply with the HIPAA Rules when using tracking technologies. The HIPAA Rules include the Privacy, Security, and Breach Notification requirements. That means ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that the minimum necessary rule is followed.

Websites may disclose the use of tracking technology in their privacy policy or terms of use, but the Privacy Rule does not permit disclosure of PHI to tracking technology vendors based on that notice. Website banners asking visitors to accept cookies or other tracking technology do not constitute a HIPAA authorization. If the technology vendor is not a business associate of the covered entity, a patient authorization is required BEFORE the PHI is disclosed to the vendor. Any disclosure of PHI to the vendor without a patient's authorization requires a signed BAA with the vendor and an applicable Privacy Rule permission for the disclosure. If a covered entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide satisfactory written assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendor without a patient authorization.

A regulated entity's failure to comply with the HIPAA Rules may result in a civil money penalty. Moving forward, it will be necessary to ensure your business partners are HIPAA compliant.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://hipaakeeper.com/



©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website are owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.