Industry Insights with Andrew Mahler, Vice President of Privacy and Compliance, Clearwater


Minimizing Privacy Risk From Web Tracking Technologies

7 Tips to Reduce Risk to Patients, Beneficiaries and the Organization

As healthcare becomes increasingly interconnected, web tracking is easy to overlook but could introduce additional risks to patient privacy.


Officially known as "tracking cookies," these snippets of code are embedded on many websites and used to track and collect data on website visitors. This data helps organizations deliver better consumer experiences, define custom audiences and analyze website conversion.

In healthcare, tracking cookies offer similar benefits in helping organizations - whether covered entities or business associates - deliver custom patient experiences, which drive increased patient engagement, better outcomes and higher patient satisfaction.

But this technology can also put patient data at risk.

Patient Data at Risk

In 2022, The Markup, a nonprofit newsroom that investigates how large organizations use technology, took a close look at the websites on Newsweek's list of the top 100 hospitals in America.

The investigation uncovered that 33 hospitals had used a website tracking technology called Meta Pixel and unknowingly sent patient information to Facebook.

Even more shocking may be that at least seven hospitals also had this tracking technology installed in their patient portals. HIPAA specifies that covered entities can't share personally identifiable information, or PII, with third parties without written consent or unless it is part of a contractual agreement.

What makes this situation especially complex and troubling is that the healthcare organizations themselves may not have been aware that the Meta Pixel tool had been embedded in their website and/or that it was tracking, comparing and receiving data about patients, including protected health information, or PHI.

OCR Issues Guidance

While the Office for Civil Rights has not yet taken enforcement action, it issued guidance about tracking technologies in early December 2022. This guidance calls for education about tracking technologies, especially regarding when a breach may occur and when notifications must happen.

The guidance clarifies that individually identifiable health information, or IIHI, collected on a regulated entity's website or mobile app generally is PHI, even if the individual doesn't have an existing relationship with the regulated entity and even if the IIHI - such as IP address or geographic location - doesn't include specific treatment or billing information such as dates and types of healthcare services.

Qualifiers and Clarifications

The guidance also looks at what data can be collected on authenticated and unauthenticated web pages.

Tracking on User-Authenticated Web Pages

User-authenticated web pages require users to log in before accessing the web page, such as a patient or health plan beneficiary portal or a telehealth platform. Because access to PHI generally occurs on these pages, the information collected there is probably PHI and should be protected.

Tracking on Unauthenticated Web Pages

Web pages that do not require users to log in before they access the web page - such as a page containing general information about a regulated entity, including its location, services provided, or policies and procedures - generally don't involve access to PHI.

Minimizing Risk in Your Organization

So, what can your healthcare organization do to minimize risk to patients, beneficiaries and the organization? Here are seven recommendations:

  1. Create an inventory of the tracking activity for websites and apps. Understand what's being collected, how it is being collected and where it may be going.
  2. Determine if the technology vendor you're working with - for example, Meta Pixel or Google - constitutes a business associate.
    • Many larger organizations, such as Facebook and Google, refuse to sign business associate agreements, referring to their policies or information about their security practices. But that's insufficient to satisfy regulatory obligations.
    • If tracking technologies are enabled and a business associate agreement is in place, data transmission to third parties is permissible.
  3. Conduct a breach assessment and provide any notification or reporting as required.
  4. Address tracking technologies in your risk analysis and your risk management processes.
  5. Ensure all disclosures of PHI to tracking technologies are specifically permitted by HIPAA rules.
  6. Get direct individual authorizations in cases where no business associate relationship exists or in the absence of a permitted use/disclosure.
  7. Train your staff about how to protect and secure patient information.
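As an added example for recommendation 1 (not code from the article or from Clearwater), a small Python inventory helper: it lists the third-party hosts each page loads scripts, images or frames from, maps the hosts it recognizes (Meta Pixel's connect.facebook.net script and www.facebook.com/tr beacon, plus common Google endpoints) to a tracker name, and flags anything found on pages behind a login, where the OCR guidance says PHI is most likely in play. The watch-list, the sample pages and the placeholder pixel id are constructed; a real inventory would feed it crawled HTML from your own sites and portals.

```python
import re
from urllib.parse import urlparse

# Watch-list of hosts known to serve tracking code (constructed; extend for your estate).
# connect.facebook.net serves Meta Pixel's fbevents.js and www.facebook.com/tr is its
# image beacon; the Google hosts are common analytics/tag-management endpoints.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

RESOURCE_SRC = re.compile(r'<(?:script|img|iframe)\b[^>]*?\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_PIXEL = re.compile(r'fbq\s*\(\s*["\']init["\']', re.I)  # inline Meta Pixel bootstrap


def inventory_page(url, html, authenticated):
    """Inventory one page: every third-party host it loads a script, image or frame
    from, the tracker that host maps to (or 'unknown third party'), and whether the
    page sits behind a login."""
    first_party = urlparse(url).netloc.lower()
    findings = []
    for src in RESOURCE_SRC.findall(html):
        host = urlparse(src).netloc.lower()  # '' for same-origin relative paths
        if host and host != first_party:
            findings.append({"page": url, "host": host, "authenticated": authenticated,
                             "tracker": TRACKER_HOSTS.get(host, "unknown third party")})
    if INLINE_PIXEL.search(html):
        findings.append({"page": url, "host": "(inline script)", "authenticated": authenticated,
                         "tracker": "Meta Pixel"})
    return findings


def inventory_site(pages):
    """pages: iterable of (url, authenticated, html). Returns all findings across the site."""
    return [f for url, auth, html in pages for f in inventory_page(url, html, auth)]


def needs_review(findings):
    """Known trackers on authenticated pages: disclosures that must be covered by a BAA
    or an individual authorization, or else removed."""
    return [f for f in findings if f["authenticated"] and f["tracker"] != "unknown third party"]


# Constructed sample pages standing in for crawled HTML (placeholder pixel id, not a real one).
SAMPLE_PAGES = [
    ("https://hospital.example/locations", False,
     '<script src="/js/site.js"></script>'
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>'),
    ("https://portal.hospital.example/appointments", True,
     '<script>fbq("init", "PIXEL_ID_PLACEHOLDER"); fbq("track", "PageView");</script>'
     '<script src="//connect.facebook.net/en_US/fbevents.js"></script>'
     '<noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>'),
]

if __name__ == "__main__":
    for f in needs_review(inventory_site(SAMPLE_PAGES)):
        print(f"{f['tracker']:20} {f['host']:25} {f['page']}")
```

Run against the sample, it reports the portal page three times (the fbevents.js script, the /tr beacon and the inline fbq call) and nothing for the public locations page, since Google Tag Manager there sits on an unauthenticated page.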

If you have questions about any of the above, contact our team at

About the Author

Andrew Mahler, Vice President of Privacy and Compliance, Clearwater

Andrew Mahler is the Vice President of Privacy and Compliance Services at Clearwater and has supported diverse clients with privacy and compliance assessments, advisory support, and consulting, and in Interim Chief Privacy Officer roles. Before Clearwater, Andrew served as the Chief Privacy and Research Integrity Officer for the University of Arizona. He was responsible for implementing privacy and research compliance programs for colleges, departments, clinics, hospitals, and academic health sciences throughout Arizona. Andrew started his career in data privacy and information security with the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), where he investigated and managed cases related to HIPAA Privacy, Security, and Breach Notification Rule compliance, as well as cases related to civil rights laws. While at OCR, Andrew designed corrective action plans and resolution agreements, including the first resolution agreement resulting from a breach report required by the HITECH Act. Andrew is a licensed attorney and holds the CIPP/US, CHC, CHRC, and CHPC certifications. He has developed courses in healthcare law and data privacy and is a guest lecturer for other law and business courses in law, healthcare, and compliance. In addition, he has published and presented on topics including health law, data privacy and HIPAA, research compliance, and risk management.