Is online tracking HIPAA compliant?

Online tracking poses a serious risk to the privacy and security of protected health information. With the recent calls for improved federal privacy regulations regarding online tracking and the rise in cases of compromised PHI, understanding the risks posed helps avoid liability. 

What is online tracking?

Online tracking, or ad tracking, refers to monitoring and recording user interactions with advertisements and marketing campaigns. Online tracking gathers data to measure the success of advertising efforts, optimize campaigns, and improve targeting strategies.

This typically involves tracking technologies embedded within ads or websites, such as cookies, pixels, or software development kits (SDKs). The specific data collected varies based on the tracking technology and the purpose of tracking.

There is, however, the use of third-party trackers or cookies, which are embedded into websites or apps by external companies that are separate from the website or app owner. These operate like any ad tracker but are seldom given explicit consent by the user or run in the background, collecting data without the users' knowledge. 

Can healthcare professionals use online tracking while remaining HIPAA compliant?

Tracking technologies collect information through cookies, web beacons, session replay scripts, fingerprinting scripts, and mobile app identifiers. These are considered sensitive patient data, and as such online tracking should be done in a way that respects patient privacy, maintains data security, and complies with HIPAA regulations. 

There are methods of ensuring that ad tracking can be used in a HIPAA compliant way. The Office for Civil Rights set out the guidelines for the use of online tracking technologies by covered entities and their business associates.

The guidelines state, "Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules."

Other guidelines include the following:

1. Privacy Rule compliance: Disclosure of PHI to tracking technology vendors is explicitly permitted by the Privacy Rule however, discretion must be exercised. 
2. Authorizations and validity: Recognize those website banners seeking users' acceptance or rejection of tracking technologies, like cookies, do not constitute valid HIPAA authorizations.
3. Vendor compliance: Simply agreeing to remove PHI or de-identifying it before the vendor saves the information is insufficient. 
4. Establishing business associate relationships by signing a BAA: The vendor must meet the business associate definition to be considered as such. The Business Associates Agreement (BAA) must specify the vendor's permitted and required uses and disclosures of PHI. 

Related: 98.6% of hospitals use tracking that puts patient privacy at risk

Best practices for implementing ad tracking while maintaining HIPAA compliance

1. Ensuring proper patient consent and disclosure practices: Upholding patient privacy starts with obtaining explicit consent before disclosing any PHI to tracking technology vendors. 
2. Security measures for data protection: This includes ensuring encryption protocols during the storage of data sent to tracking technology vendors. 
3. Employ a HIPAA compliant third party: When using third party trackers, confirm they have adequate security measures to safeguard PHI and are HIPAA compliant. 
4. Staff training and education on HIPAA regulations and ad tracking practices: Regulated entities must equip their teams with thorough training and education on HIPAA regulations and the responsible use of tracking technologies. Ensuring that staff members are well-versed in Privacy, Security, and Breach Notification requirements, as well as the significance of patient consent, minimum necessary disclosures, and data security.
5. Sign a BAA: When sharing PHI with any vendor, a BAA is required to ensure compliance. 

The role of ad tracking in HIPAA violations

Federal privacy regulations inadequately address the issue of ad tracking and HIPAA violations. While they set out the obligations of a healthcare professional using ad trackers, there are still regular cases of HIPAA violations and breaches due to the sale to or use of third party trackers on healthcare websites containing patient data. 

Go deeper:

Cases such as the Federal Trade Commission penalizing BetterHelp and the subsequent lawsuits alleging that the Meta Pixel tracking tool violates HIPAA prove that the measures to regulate ad tracking are not sustainable for protecting patients and healthcare professionals. 

Related: HIPAA Compliant Email: The Definitive Guide