HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

HIPAA compliance with tracking technologies

Written by Farah Amod | Dec 23, 2024 7:51:33 PM

The Health Insurance Portability and Accountability Act (HIPAA) sets strict guidelines to protect patient information, including how tracking technologies are used on websites and mobile applications. Understanding how these rules apply, whether on pages where users log in or on public-facing sites, is beneficial for healthcare organizations looking to protect sensitive data while improving user experiences.

HIPAA’s role in safeguarding health information

HIPAA was designed to secure the privacy of health information, applying to covered entities such as healthcare providers, health plans, and their business partners (business associates). The law establishes standards for safeguarding electronic protected health information (ePHI), making it important for organizations to understand how tracking technologies like cookies and analytics tools fit into this regulatory framework.

The use of tracking technologies in healthcare

Tracking technologies include tools that collect data about user activity, from simple cookies to more complex scripts and analytics software. These tools provide valuable insights into user behavior, which can help improve websites and mobile apps. However, they also introduce risks, particularly concerning the unauthorized sharing of ePHI. When deploying tracking technologies, healthcare organizations should make sure they meet HIPAA standards. 

Related: Is online tracking HIPAA compliant? 

The difference between user-authenticated and unauthenticated web pages

HIPAA compliance requirements for tracking technologies differ depending on whether a web page requires users to log in. User-authenticated pages, where users access protected health information (PHI), must strictly follow HIPAA rules, including obtaining explicit consent for any use of tracking data that goes beyond direct patient care. For unauthenticated pages—those accessible without login—HIPAA does not explicitly require written consent for tracking, but organizations still need to be cautious to ensure that no PHI is unintentionally collected or shared.

Navigating the risks of tracking technologies under HIPAA

As tracking technologies become more common in healthcare, the implications for HIPAA compliance grow. Different tools pose unique risks. For example:

  • Cookies, which store information about user browsing habits, can inadvertently collect sensitive data if not managed properly.
  • Client-side JavaScript, which operates within a user's browser, needs to be carefully monitored to ensure that any data collected is transmitted securely and doesn’t expose PHI.

The main risk associated with these technologies is the possibility of unauthorized disclosure of PHI, which can lead to data breaches. With the rise in cyber threats, organizations need to be vigilant about monitoring how tracking technologies are used to stay compliant with HIPAA regulations.
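The client-side JavaScript risk above is usually handled with a default-deny filter in front of whatever sends the analytics hit: only an allowlist of parameters may leave the browser, the page URL is stripped of its query string and identifier-like path segments, and hits from logged-in pages are suppressed entirely. The block below is an added example written for this article; it is not code from HIPAA Times or from any analytics vendor. The collector host, the parameter names (v, tid, t, dl, dt, sr, cid, uid) and the authenticated path prefixes are assumptions modelled on a generic page-view hit.

```javascript
// Added example, not code from HIPAA Times or from any analytics vendor: an
// allowlist filter applied to an analytics hit before the browser sends it.
// Parameter names and the collector host are assumptions modelled on a
// generic page-view hit, not a specific product.

// Only these hit parameters may leave the browser; everything else is dropped.
const ALLOWED_PARAMS = new Set(["v", "tid", "t", "dl", "dt", "sr"]);

// Pages under these prefixes sit behind login (assumed site layout); hits from
// them are suppressed outright rather than trusted to contain no PHI.
const AUTHENTICATED_PREFIXES = ["/portal/", "/patient/", "/appointments/"];

// Replace identifier-looking path segments (record numbers, long tokens) with
// ":id" so a public page path cannot carry an individual identifier in the hit.
// Deliberately conservative: a public numeric segment is generalized too.
function generalizePath(pathname) {
  return pathname
    .split("/")
    .map((seg) => (/^\d{3,}$|^[A-Za-z0-9-]{16,}$/.test(seg) ? ":id" : seg))
    .join("/");
}

// Returns { send, url, dropped, reason }; send === false means the hit must
// not be transmitted at all.
function sanitizeHit(hitUrl) {
  const hit = new URL(hitUrl);
  const dropped = [];
  for (const key of new Set(hit.searchParams.keys())) {
    if (!ALLOWED_PARAMS.has(key)) {
      hit.searchParams.delete(key);
      dropped.push(key);
    }
  }
  const pageParam = hit.searchParams.get("dl");
  if (pageParam !== null) {
    let page;
    try {
      page = new URL(pageParam);
    } catch {
      // Unparseable page URL: drop it rather than forward something unknown.
      hit.searchParams.delete("dl");
      dropped.push("dl");
      return { send: true, url: hit.toString(), dropped, reason: null };
    }
    if (AUTHENTICATED_PREFIXES.some((p) => page.pathname.startsWith(p))) {
      return { send: false, url: null, dropped, reason: "authenticated page" };
    }
    page.search = ""; // query strings (search terms, MRN parameters) never leave the browser
    page.hash = "";
    page.pathname = generalizePath(page.pathname);
    hit.searchParams.set("dl", page.toString());
  }
  return { send: true, url: hit.toString(), dropped, reason: null };
}

// Browser wrapper around navigator.sendBeacon; under Node it is defined but
// has nothing to send to, so it returns false.
function sendSanitizedBeacon(hitUrl) {
  const result = sanitizeHit(hitUrl);
  if (!result.send) return false;
  if (typeof navigator !== "undefined" && navigator.sendBeacon) {
    return navigator.sendBeacon(result.url);
  }
  return false;
}

// Stand-alone run on a constructed hit that carries a search term and an MRN.
const demoHit =
  "https://collector.example/collect?v=1&tid=UA-TEST&t=pageview&dl=" +
  encodeURIComponent("https://hospital.example/conditions/diabetes?q=insulin&mrn=1234567") +
  "&cid=555&uid=john.doe";
console.log(JSON.stringify(sanitizeHit(demoHit)));
```

The filter is an allowlist rather than a blocklist on purpose: a blocklist of "PHI-looking" parameters has to anticipate every way a record number or search term might appear, whereas an allowlist only has to name the handful of fields the analytics use case actually needs. Suppressing hits from authenticated pages entirely matches the article's distinction between authenticated and unauthenticated pages.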

Read also: Can healthcare professionals use online tracking while remaining HIPAA compliant?

Best practices for maintaining HIPAA compliance with tracking technologies

To manage HIPAA compliance in a digital environment, healthcare organizations should adopt a few practices:

  • Regular audits: Conducting regular audits helps identify potential compliance issues with tracking tools. Evaluate the tracking technologies in use and confirm that the security measures in place are sufficient to protect ePHI.
  • Implementing strong security measures: Encrypting data at rest and in transit is fundamental, as is setting up access controls to limit who can view PHI. These steps can help prevent unauthorized access to sensitive information.
  • Clear privacy policies: Organizations should have clear privacy policies that explain what data is collected through tracking, how it will be used, and what rights users have regarding their data.

The role of business associate agreements in tracking technologies

When healthcare organizations work with third-party vendors that use tracking technologies, they must establish a business associate agreement (BAA). A BAA outlines how PHI will be protected, specifying permissible uses, security measures, and the vendor’s obligations under HIPAA. It’s not just about having an agreement in place—doing thorough due diligence on vendors beforehand is also necessary, as is ongoing monitoring of their compliance with the BAA’s terms.

Read more: What is a business associate agreement

Handling analytics tracking in healthcare

Analytics tools like Google Analytics or Facebook Pixel are popular for understanding user behavior, but they can raise HIPAA compliance concerns. Since many of these tools are not built to handle ePHI in a compliant manner, using them on healthcare websites or apps can be risky.

Data collected by analytics tools could be inadvertently shared with third parties, potentially leading to HIPAA violations. Organizations may also have limited control over how vendors manage the data they collect. To reduce risks, healthcare providers must be cautious about which analytics tools they use and ensure that any collected data does not include ePHI.

Challenges with mobile applications and HIPAA compliance

Mobile apps add another layer of complexity to HIPAA compliance. Apps often collect health data, location information, and other personal details, which can be classified as ePHI under HIPAA. Protecting this data requires strong security measures, including user authentication and data encryption during transmission. Organizations should also prioritize regular updates and security patches for mobile apps to address vulnerabilities.

Leveraging technology to support compliance efforts

Technology can be a valuable ally in maintaining HIPAA compliance. Automated monitoring tools can measure how frequently tracking technologies are used across websites and apps, flagging potential compliance concerns. Data loss prevention solutions can also help detect unauthorized data transmissions and stop them before they lead to breaches.
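Both the regular-audit practice above and the automated monitoring this paragraph describes come down to the same report: which third-party hosts receive requests from the site, how often, whether any of those requests originate on logged-in pages, and whether a BAA is on file for that host. The block below is an added example written for this article, not code from HIPAA Times or from any monitoring product. It runs offline over constructed records in the shape of a browser network log; the host names, the BAA vendor inventory and the authenticated path prefixes are assumptions.

```javascript
// Added example, not code from HIPAA Times or from any monitoring product: an
// offline audit over constructed network-log records that inventories
// third-party destinations and ranks them by compliance risk.

// Assumed first-party hosts; traffic to these is out of scope for the audit.
const FIRST_PARTY_HOSTS = new Set(["www.hospital.example", "api.hospital.example"]);
// Assumed inventory of third-party hosts that have a signed BAA on file.
const BAA_VENDOR_HOSTS = new Set(["analytics.baa-vendor.example"]);
// Assumed site layout: pages under these prefixes are behind login.
const AUTHENTICATED_PREFIXES = ["/portal/", "/patient/"];

// Constructed records: the page that issued the request, the destination host
// and path. A real run would read these from a HAR export or proxy log.
const SAMPLE_LOG = [
  { page: "https://www.hospital.example/services/cardiology", host: "collector.adnet.example", path: "/pixel" },
  { page: "https://www.hospital.example/portal/messages", host: "collector.adnet.example", path: "/pixel" },
  { page: "https://www.hospital.example/portal/appointments", host: "analytics.baa-vendor.example", path: "/collect" },
  { page: "https://www.hospital.example/portal/appointments", host: "api.hospital.example", path: "/appointments" },
  { page: "https://www.hospital.example/services/cardiology", host: "cdn.fonts.example", path: "/roboto.woff2" },
];

function isAuthenticatedPage(pageUrl) {
  const { pathname } = new URL(pageUrl);
  return AUTHENTICATED_PREFIXES.some((p) => pathname.startsWith(p));
}

// Severity follows the article's risk ranking: a third party without a BAA
// receiving requests from logged-in pages is the likeliest impermissible
// disclosure; a BAA vendor on those pages still needs its permitted uses
// confirmed; everything else is inventory to review for PHI in the payload.
function classify(entry) {
  if (entry.authenticatedHits > 0 && !entry.hasBaa) return "high";
  if (entry.authenticatedHits > 0) return "review";
  return "inventory";
}

// Groups requests by third-party host and returns findings sorted by volume.
function auditTrackerLog(records) {
  const byHost = new Map();
  for (const r of records) {
    if (FIRST_PARTY_HOSTS.has(r.host)) continue;
    let entry = byHost.get(r.host);
    if (!entry) {
      entry = { host: r.host, hits: 0, authenticatedHits: 0, hasBaa: BAA_VENDOR_HOSTS.has(r.host), pages: new Set() };
      byHost.set(r.host, entry);
    }
    entry.hits += 1;
    if (isAuthenticatedPage(r.page)) entry.authenticatedHits += 1;
    entry.pages.add(new URL(r.page).pathname);
  }
  return [...byHost.values()]
    .map((e) => ({ ...e, pages: [...e.pages].sort(), severity: classify(e) }))
    .sort((a, b) => b.hits - a.hits || a.host.localeCompare(b.host));
}

// Stand-alone run: print the findings for the constructed log.
for (const f of auditTrackerLog(SAMPLE_LOG)) {
  console.log(`${f.severity.padEnd(9)} ${f.host} hits=${f.hits} authenticated=${f.authenticatedHits} baa=${f.hasBaa} pages=${f.pages.join(",")}`);
}
```

Not every third-party host in the inventory is a tracker (a font CDN shows up alongside the ad pixel), which is why the report keeps the "inventory" tier rather than silently dropping unknown hosts: the audit's job is to surface every destination so legal, IT and compliance can decide which ones need a BAA, which need to be removed from authenticated pages, and which are benign.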

See also: Data loss prevention in healthcare 

The need for cross-department collaboration

Ensuring HIPAA compliance when using tracking technologies often requires input from multiple departments. Legal, IT, and compliance teams should work together to implement compliant tracking solutions and establish policies that protect patient data. Effective communication and joint planning across these teams are beneficial for creating strategies that align with HIPAA standards.

A case of non-compliance

An enforcement action taken by New York Attorney General Letitia James showed the potential risks associated with online tracking tools in healthcare. On December 27, 2023, New York Presbyterian Hospital (NYPH) reached a $300,000 settlement agreement with the Attorney General's office for violating HIPAA regulations.

The investigation revealed that NYPH used advertising tools on its website to collect and share PHI with third-party tech companies without patients' knowledge or authorization. This unauthorized sharing of sensitive health information compromised patients' privacy and violated their rights under HIPAA.

In the news

On March 18, 2024, the Department of Health and Human Services' Office for Civil Rights (OCR) updated its guidance for HIPAA-covered entities regarding online tracking technologies. The update came in response to criticism and legal challenges, including a lawsuit filed by the American Hospital Association (AHA) and other healthcare organizations in November of the previous year. 

The release of the OCR guidance on the use of online tracking technologies matters because it directly impacts how HIPAA-covered entities, including hospitals and health systems, manage and protect patient information in the digital age. The guidance strives to ensure that tracking technologies, such as cookies, pixels, and mobile app trackers, do not lead to unauthorized disclosures of PHI, which could harm patient privacy and confidentiality. 

Read more: OCR updates guidance on online tracking for HIPAA entities

FAQs

Can hospitals use Google Analytics?

The Department of Health and Human Services (HHS) has updated its guidance on online tracking. It makes clear that, in its basic configuration, you cannot have Google Analytics anywhere on your site where it could expose both PHI and individual identifiers.

Is geolocation part of PHI?

Information such as an individual's medical record number, IP address, appointment dates, or geographic location is considered PHI under HIPAA if it relates to the individual's past, present, or future physical or mental health or condition, the provision of healthcare, or payment for care.

What are online tracking technologies?

Online tracking technologies include cookies, web beacons, tracking pixels, and mobile app trackers used to collect and analyze how users interact with websites and applications, potentially including the collection of PHI.

Can PHI be shared with tracking technology vendors?

PHI can only be shared with tracking technology vendors under circumstances that are expressly permitted or required by the HIPAA Privacy Rule, and such vendors may qualify as business associates requiring a BAA.