Is there a small piece of code on your website that sends tracking information to a third party? You may be putting yourself in danger by leaving that code on your site. 

Over the past three years, many healthcare organizations and business associates have embedded tracking pixels in their applications that may have transferred sensitive patient data to tech giants such as Google, Meta, and TikTok. 

While these pixels are commonly installed for analytics or advertising purposes, we’ve seen more and more problems occur where pixels gain access to data that should be protected under HIPAA law. Some providers have been unintentionally sharing electronic protected health information (ePHI) with these third parties, which has resulted in HIPAA security and privacy breaches.

Breaches

For example, in January of this year, telehealth company Cerebral admitted that it “had disclosed certain information that may be regulated as protected health information under HIPAA to certain third-party platforms and some subcontractors without having obtained HIPAA-required assurances,” through the use of these tracking pixels. 

The first HIPAA breach in this relatively new category was reported to the HHS in October of 2022 by a large midwestern health system and involved 3 million patients. The second came right on its heels later that month and impacted 500,000. This sparked an animated conversation surrounding the potential dangers of these tracking pixels that so many providers had installed without thinking twice. 

OCR Response

In December of last year, the OCR released a bulletin to highlight healthcare organizations’ requirements under HIPAA regarding different forms of online tracking. This bulletin stated that the insights gathered by tracking technologies “could be used in beneficial ways to help improve care or the patient experience. However, this tracking information could also be misused to promote misinformation, identity theft, stalking, and harassment.” 

The OCR proceeded to lay out the obligations of providers regarding the use of third-party tracking scripts or codes. All covered entities must comply with the HIPAA rules when using pixels, including:

“Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.” 

Tracking technology use must be included in the organization’s privacy policy, but that alone does not permit the organization to share the information. If there is no business associate agreement in place with the third party, then the patient must authorize any data sharing before it is disclosed. 

It is also interesting to note that although Meta states in its terms and conditions that it “has policies and filters that block sensitive personal data from being incorporated into its advertising programs and does not use any such information,” HHS stresses that “it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information.”

You can read the full bulletin here. 

There is a lot of utility in these tracking tools for understanding your patients’ online journey and preferences, but you need to make sure that no protected health information is being sent to an unauthorized user or company.

From OCR Director Melanie Fontes Rainer: “Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patient’s health information when using tracking technologies.”

Takeaways

What’s the takeaway? Make sure that neither you nor the business associates you work with fall victim to one of these breaches: remove tracking pixels that share data with other entities from your website and applications. Encourage your employees and partners to be diligent in removing these pixels when found and in preventing additional trackers from being installed. 
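Finding these pixels is the first step to removing them. The following is an added example, not code from the original post or from Medcurity: it scans a page's static HTML for resources loaded from third-party hosts and flags the ones that match known tracking endpoints. The tracker host list, the first-party hostname and the sample page are constructed assumptions for illustration.

```javascript
// Added example (not from the original post): audit an HTML document for
// resources fetched from third-party hosts and flag known tracking pixels.
// The tracker host list and the sample HTML are constructed for illustration.
const KNOWN_TRACKER_HOSTS = [
  'www.facebook.com', 'connect.facebook.net',             // Meta pixel
  'www.google-analytics.com', 'www.googletagmanager.com', // Google Analytics / Tag Manager
  'analytics.tiktok.com',                                 // TikTok pixel
];

// Collect the src/href targets of tags that trigger a network request and
// report every one that leaves the first-party origin.
function findThirdPartyResources(html, firstPartyHost) {
  const tagRe = /<(img|script|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, rawUrl] = m;
    let url;
    try {
      url = new URL(rawUrl, `https://${firstPartyHost}/`); // resolve relative paths
    } catch { continue; }                                  // skip malformed URLs
    if (url.hostname === firstPartyHost) continue;         // same-origin: not a third party
    findings.push({
      tag: tag.toLowerCase(),
      host: url.hostname,
      path: url.pathname,
      knownTracker: KNOWN_TRACKER_HOSTS.includes(url.hostname),
      // Query parameters are where identifiers (and sometimes ePHI) travel,
      // so list them for manual review.
      params: [...url.searchParams.keys()],
    });
  }
  return findings;
}

// Constructed sample page: a Meta pixel snippet with its <noscript> fallback
// image, a third-party font stylesheet, and a first-party logo.
const SAMPLE_HTML = `
<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.net/inter.css">
<img src="/images/logo.png">
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView&noscript=1"/></noscript>
</body></html>`;

console.log(findThirdPartyResources(SAMPLE_HTML, 'portal.example-clinic.org'));
```

Every flagged host without a business associate agreement is a candidate for removal; the unflagged third-party hosts still deserve a look, since the list of trackers is never complete.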

If you have questions about how to ensure your patients’ data is safe from online tracking, please reach out to your team at Medcurity. We’re here to help you with HIPAA compliance so that you can focus on providing the best patient care.