Is Your Tracking Technology Breaking the Latest HIPAA Rules?

In an era of ever-evolving technology, it’s critical for health care organizations to stay ahead of the curve. Tracking technologies can help providers and practices streamline processes and better market to – and meet — patient needs. But while such technologies can be helpful, they could also be running afoul of the Health Insurance Portability and Accountability Act (HIPAA), resulting in privacy violations and hefty fines.     

Late last year, the U.S. Department of Health & Human Services’ Office for Civil Rights issued a bulletin to set regulatory expectations for third-party tracking technology use. The main takeaway: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” 

What does this mean for you? It’s time to take a good hard look at how – and where – you’re tracking your users, whether on a website, a mobile app or another medium. If your organization is a Covered Entity under HIPAA (a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions), or a Business Associate of one, then the individually identifiable health information (IIHI) you collect is protected health information (PHI), and you need to be extra careful about where it goes.

The bad news: That’s easier said than done for many healthcare organizations that may not be too familiar with tracking technology or that don’t have their own IT/analytics team. Larger healthcare organizations have plenty of resources, but smaller practices and providers typically don’t have that luxury.

For the latter, relying on a proven healthcare marketing partner can make all the difference in maintaining HIPAA compliance while maximizing marketing efforts. But before taking that step, let’s answer the question “What exactly is a tracking technology?” to better understand the latest HHS guidance. 

A Quick Look at Tracking Technology 

When you think of tracking technology, what’s the first thing that comes to mind? Odds are you’re thinking about cookies, pixels, Google Analytics, or something in that realm – and all those examples would be correct. With regard to the specific HHS bulletin, tracking technology is generally considered a script or code on a website or mobile app used to gather information about users as they interact with it. That information is then used for different purposes like improving the patient experience or providing prospects with relevant information (say, for a certain medical procedure or service).

For organizations that run their own first-party tracking on their own infrastructure, sensitive information is much easier to control and protect, because it never leaves their systems. Third-party tracking, however, sends the collected data to the vendor’s servers, outside your control, and it can – and has – opened a world of privacy concerns.

Take, for instance, the class action lawsuits filed last year against Meta that have put its Meta Pixel tracking tool under the microscope. The tech juggernaut has been getting pummeled in court for its privacy practices, especially when it comes to protected health information.

Researchers found the Meta Pixel on the websites of roughly a third of the country’s top 100 hospitals (according to Newsweek’s ranking), and in several cases the tracker was running behind password-protected patient portals – places full of protected health information (PHI) like health history and doctor appointments. The patient-led lawsuits allege that the use of the trackers compromised this protected data by putting it into the hands of Meta and other third-party vendors.

Which brings us to one of the primary subjects of the HHS bulletin: user-authenticated web pages.

Protected Health Information on User-Authenticated Webpages 

If your organization’s website has a patient portal or another page that requires users to log in, the Office for Civil Rights wants you to be on notice. As we mentioned earlier, such pages are rife with sensitive data: medical record numbers, home addresses, prescription information. Such information is a gold mine for hackers and others with ill intentions.

Proper handling of this data is essential to maintain HIPAA compliance and ensure protected information stays protected. The bulletin outlines certain steps that Covered Entities can take to meet HIPAA standards.

  1. Configure the technology appropriately: If tracking is used on user-authenticated pages, it must be set up so that the vendor uses and discloses PHI only as HIPAA’s Privacy Rule permits, and so that the PHI is protected as the Security Rule requires – that’s it. Of course, you need someone who knows how to do that (which your organization may or may not have).

  2. Reevaluate vendor relationships: Does your tracking technology vendor create, receive, maintain, or transmit PHI on your behalf for a covered function like health care operations? Then the vendor is a Business Associate. This means the Regulated Entity (i.e., your organization) must have a Business Associate Agreement (BAA) in place with the vendor before any PHI is disclosed to it; without a BAA, the disclosure is impermissible no matter how careful the vendor promises to be, and the agreement is what protects your organization in the event of a breach.

Protected Health Information on Unauthenticated Webpages

Another big focus of the HHS bulletin: unauthenticated webpages. Tracking on unauthenticated webpages is a little more complicated, as it’s not readily apparent whether any PHI is involved. But just because your website doesn’t have a patient portal or another password-protected page doesn’t mean you shouldn’t be cautious. Some unauthenticated pages can still transmit PHI and fall under the HIPAA rules. One big example: web pages that allow someone to search for certain doctors or schedule an appointment without login credentials. Certain tracking technologies may transmit the person’s email address or IP address together with the page they visited, and the bulletin treats that combination (an identifier plus the fact that the person was seeking health care) as PHI.

More Ways You Can Ensure HIPAA Compliance 

“Here’s an imaginary situation,” says Marco Alves, Wax’s Digital Marketing Director. “Let’s say an employee uses the company computer to search for cancer treatment and clicks on a hospital ad. When landing on the hospital page, this lead is ‘cooked’ and then starts to receive cancer treatment ads. We don’t know who else uses this computer or if this lead will use this computer to present the company’s decks to their clients. Another company employee using this computer will see cancer treatment ads and figure out that the employee has cancer. We didn’t receive permission to share this information.”  

That’s a big problem. 

This situation highlights a gap between HIPAA’s rules and how marketing leads work, notes Alves. Ideally, you should protect client or patient health information, but a lead is only a potential client or patient, so leads don’t fall under the PHI rules. At the same time, once a lead becomes a client or patient, any information about that lead must be protected. Marketing agencies or business associates hired to run digital campaigns need access to this information in order to protect it, but ad platforms only let us exclude people from receiving our ads. It’s quite a predicament.

Here are some precautions that Alves suggests for protecting information and maintaining compliance:

  • Take care how much data you share in the URL path.
  • Take care how much data you share in UTM parameters.
  • Use a cookie consent plugin on the website to ask for permission.
  • Do not use data collection forms on ad platforms.
  • Do not track ads inside the patient portal.
  • Ask for consent to send email, using opt-in email capture forms.
  • When remarketing, avoid specific ads and opt for generic ones.
  • Using the above example, if you need to remarket to people who visited the cancer treatment page, instead of showing a cancer treatment ad that lands on a cancer page, show your hospital ad landing on a generic page that lists all treatments, including cancer.
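The points above about URL paths, UTM parameters and not tracking inside the portal come down to two controls a web developer can actually implement: refuse to fire a third-party tracker on authenticated or PHI-bearing routes, and allowlist what reaches the vendor in the page URL. The JavaScript below is an added example written for this article; it is not Wax’s code and not any vendor’s tag or SDK. The route prefixes, the utm_* allowlist, the /find-a-doctor/ path rule and the isAuthenticated flag are assumptions for an imaginary hospital site. It goes slightly beyond the list by also stripping the URL fragment and dropping an allowlisted parameter whose value looks like an email address.

```javascript
// Added example for this article (not Wax's code or a vendor SDK). Route
// prefixes, parameter names and the isAuthenticated flag are assumptions.

// Routes that require login or otherwise carry PHI: no third-party tracker
// should execute here at all (assumed prefixes for an imaginary hospital site).
const NO_TRACK_PREFIXES = ["/portal", "/my-chart", "/appointments/confirm"];

// Query parameters that may be forwarded to an analytics vendor. Campaign
// labels are values we chose ourselves; everything else (search terms,
// provider names, email, MRN) is dropped by default rather than denylisted.
const ALLOWED_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_content", "utm_term",
]);

// Public paths whose deeper segments name a specific provider: keep only the
// first N segments (assumed rule for /find-a-doctor/<specialty>/<name>).
const PATH_DEPTH_LIMITS = [{ prefix: "/find-a-doctor/", keepSegments: 2 }];

// Loose check for an email address inside a parameter value; UTM fields
// sometimes carry one when a campaign link was generated per recipient.
const EMAIL_RE = /[^\s@/?&=]+@[^\s@/?&=]+\.[^\s@/?&=]+/;

// Decide whether the tracker snippet may run on this page load. Gate on the
// path as well as the session flag so a misconfigured flag cannot re-enable
// tracking inside the portal.
function shouldLoadTracker(pathname, isAuthenticated) {
  if (isAuthenticated) return false;
  return !NO_TRACK_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
}

// Truncate deep paths under configured prefixes so a provider's name does not
// travel to the vendor as part of the page location.
function redactPath(pathname) {
  for (const rule of PATH_DEPTH_LIMITS) {
    if (pathname.startsWith(rule.prefix)) {
      const segments = pathname.split("/").filter(Boolean);
      return "/" + segments.slice(0, rule.keepSegments).join("/");
    }
  }
  return pathname;
}

// Build the URL the vendor is allowed to see: redacted path, allowlisted
// query parameters with email-like values removed, and no fragment.
function sanitizeUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  url.pathname = redactPath(url.pathname);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (!ALLOWED_PARAMS.has(key)) continue;
    if (EMAIL_RE.test(value)) continue;
    kept.append(key, value);
  }
  url.search = kept.toString();
  url.hash = "";
  return url.toString();
}

// What the page would hand to the vendor's tag, or null when the tracker must
// not fire at all. On a real page, null means "do not inject the script".
function analyticsPayload(rawUrl, isAuthenticated) {
  const pathname = new URL(rawUrl).pathname;
  if (!shouldLoadTracker(pathname, isAuthenticated)) return null;
  return { page_location: sanitizeUrlForAnalytics(rawUrl) };
}

// Constructed sample page loads for the imaginary hospital site above.
const SAMPLE_LOADS = [
  ["https://hospital.example/portal/messages?id=42", true],
  ["https://hospital.example/find-a-doctor/oncology/dr-jane-smith?email=jane%40example.com&utm_campaign=spring#sess", false],
  ["https://hospital.example/schedule?provider=smith&utm_term=jane%40example.com&utm_source=google", false],
];

for (const [rawUrl, authed] of SAMPLE_LOADS) {
  console.log(rawUrl, "->", JSON.stringify(analyticsPayload(rawUrl, authed)));
}
```

The allowlist is the important design choice: a denylist of “email”, “mrn” and so on will miss the next parameter a developer adds, whereas an allowlist fails closed. The path gate is deliberately checked independently of the session flag, because in practice the tag manager configuration and the login state are maintained by different people.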

As you can see, there’s a lot to navigating HIPAA and tracking technologies. One caveat the bulletin spells out: a website banner asking users to accept or reject cookies or other tracking is not a valid HIPAA authorization, so consent tooling reduces risk but does not by itself make a disclosure of PHI to a vendor permissible. That’s why you should leave it to the professionals. Instead of trying to take on this initiative yourself, consider outsourcing your digital marketing efforts to the right partner. Having a team of experts with years of experience in marketing and analytics can help relieve the burden of HIPAA compliance, so you can focus on what really matters: improving patient lives.

At Wax, we know healthcare marketing – we’ve been doing it for over 30 years. To learn more about our digital marketing services including online tracking, fill out this form. One of our marketing monsters will get in touch soon.    
