Minimizing Privacy Risk From Web Tracking Technologies
7 Tips to Reduce Risk to Patients, Beneficiaries and the Organization
As healthcare becomes increasingly interconnected, web tracking is easy to overlook but could introduce additional risks to patient privacy.
Often loosely called "tracking cookies," these tracking technologies are snippets of code - scripts, pixels and the cookies they set - embedded in many websites and used to collect data about website visitors. This data helps organizations deliver better consumer experiences, define custom audiences and analyze website conversion.
In healthcare, tracking cookies offer similar benefits in helping organizations - whether covered entities or business associates - deliver custom patient experiences, which drive increased patient engagement, better outcomes and higher patient satisfaction.
But this technology can also put patient data at risk.
Patient Data at Risk
In 2022, The Markup, a nonprofit newsroom that investigates how large organizations use technology, took a close look at the websites on Newsweek's list of the top 100 hospitals in America.
The investigation uncovered that 33 hospitals had used a website tracking technology called Meta Pixel and unknowingly sent patient information to Facebook.
Even more troubling, at least seven hospitals also had this tracking technology installed inside their patient portals. HIPAA restricts covered entities from disclosing protected health information, or PHI, to third parties unless the disclosure is permitted by the Privacy Rule - for example, to a business associate under a business associate agreement - or the individual has signed an authorization.
What makes this situation especially complex is that the healthcare organizations themselves may not have been aware that the Meta Pixel tool had been embedded in their websites, or that it was collecting data about patients, including PHI, and transmitting it to Meta.
OCR Issues Guidance
While the Office for Civil Rights has not yet brought enforcement actions over tracking technologies, it issued guidance on the topic in early December 2022. The guidance is intended to educate regulated entities about tracking technologies, including when an impermissible disclosure to a tracking vendor constitutes a breach and when notifications must be made.
The guidance clarifies that individually identifiable health information, or IIHI, collected on a regulated entity's website or mobile app generally is PHI, even if the individual doesn't have an existing relationship with the regulated entity and even if the IIHI - such as an IP address or geographic location - doesn't include specific treatment or billing information such as dates and types of healthcare services.
Qualifiers and Clarifications
The guidance also looks at what data can be collected on authenticated and unauthenticated web pages.
Tracking on User-Authenticated Web Pages
User-authenticated web pages require users to log in before accessing the web page, such as a patient or health plan beneficiary portal or a telehealth platform. Tracking technologies on these pages generally have access to PHI, so the information they collect is PHI and must be protected accordingly.
Tracking on Unauthenticated Web Pages
Web pages that do not require users to log in, such as pages containing general information about a regulated entity - location, services provided, or policies and procedures - generally don't give tracking technologies access to PHI. The guidance does flag exceptions, however: a login or registration page, or any unauthenticated page where a visitor enters health information, can still collect IIHI and is treated accordingly.
Minimizing Risk in Your Organization
So, what can your healthcare organization do to minimize risk to patients, beneficiaries and the organization? Here are seven recommendations:
- Create an inventory of the tracking activity on your websites and apps. Understand what's being collected, how it is being collected and where it may be going.
- Determine whether the technology vendor you're working with - for example, Meta or Google - constitutes a business associate. Many larger organizations, such as Meta and Google, refuse to sign business associate agreements and instead point to their policies or published security practices; that is insufficient to satisfy regulatory obligations. Where a BAA is in place, PHI may be transmitted to that vendor, but only for the purposes the agreement and the Privacy Rule permit.
- Conduct a breach assessment and provide breach notification as required.
- Address tracking technologies in your risk analysis and your risk management processes.
- Ensure all disclosures of PHI to tracking technologies are specifically permitted by the HIPAA rules.
- Obtain direct individual authorizations where no business associate relationship exists or in the absence of a permitted use or disclosure.
- Train your staff on how to protect and secure patient information.
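The first recommendation, building an inventory of what tracking code a page loads and where it sends data, is the one that most benefits from a concrete starting point. The following is an added example, not code from the article or from any vendor: it parses a saved page's HTML with the Python standard library only, reports third-party scripts, pixels and iframes, matches them against a small hand-maintained signature list (Meta Pixel, Google Tag Manager, gtag), extracts the tag or pixel ID where one is visible, and records whether the page sits behind a login, which is the OCR guidance's dividing line between "possible" and "likely" PHI exposure. The sample portal page, the hospital domain and the IDs in it are constructed for illustration; the signature list is a starting set, not an authoritative catalogue.

```python
"""Static inventory of third-party tracking technologies in page HTML.

Added example, not from the article. Standard library only, so it runs
offline against saved HTML. Signatures are a hand-maintained starting set.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Patterns tested against script/img/iframe URLs and inline script bodies.
SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/[^/]+/fbevents\.js",
                   r"\bfbq\(\s*['\"]init['\"]", r"facebook\.com/tr\?"],
    "Google Tag Manager": [r"googletagmanager\.com/(gtm\.js|ns\.html)"],
    "Google Analytics (gtag)": [r"googletagmanager\.com/gtag/js",
                                r"google-analytics\.com/(analytics|ga)\.js",
                                r"\bgtag\(\s*['\"]config['\"]"],
}
# Pull the account/tag ID so the inventory records which vendor account
# receives the data (pixel init call, gtag config call, or ?id= in a URL).
ID_PATTERNS = [r"\bfbq\(\s*['\"]init['\"]\s*,\s*['\"]([0-9]+)['\"]",
               r"\bgtag\(\s*['\"]config['\"]\s*,\s*['\"]([A-Z0-9-]+)['\"]",
               r"[?&]id=([A-Za-z0-9-]+)"]


class _Collector(HTMLParser):
    """Collects external script/img/iframe URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and not a.get("src"):
            self._buf = []                       # start capturing inline body
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append((tag, a["src"]))    # <noscript><img> pixels too

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def _site(host):
    """Crude registrable-domain heuristic (last two labels); wrong for co.uk etc."""
    return ".".join(host.lower().split(".")[-2:])


def _match(text):
    for vendor, pats in SIGNATURES.items():
        if any(re.search(p, text) for p in pats):
            return vendor
    return None


def _tag_id(text):
    for p in ID_PATTERNS:
        m = re.search(p, text)
        if m:
            return m.group(1)
    return None


def _finding(vendor, where, text, authenticated):
    return {"vendor": vendor, "where": where, "evidence": text[:80].strip(),
            "id": _tag_id(text), "authenticated_page": authenticated,
            "phi_exposure": "likely" if authenticated else "possible"}


def inventory(page_url, html, authenticated=False):
    """Return one finding per third-party resource or recognised inline tag."""
    p = _Collector()
    p.feed(html)
    own = _site(urlparse(page_url).netloc)
    findings = []
    for tag, src in p.urls:
        host = urlparse(src).netloc              # '' for relative first-party URLs
        if not host or _site(host) == own:
            continue                             # first-party resource, skip
        findings.append(_finding(_match(src) or "unknown third party",
                                 f"<{tag} src>", src, authenticated))
    for body in p.inline:
        vendor = _match(body)
        if vendor:
            findings.append(_finding(vendor, "inline script", body, authenticated))
    return findings


# Constructed sample: a patient-portal page carrying a Meta Pixel (inline
# bootstrap plus <noscript> fallback image) and Google Tag Manager, alongside
# a first-party script that must not be reported.
SAMPLE_PORTAL_HTML = """<html><head>
<script src="/static/portal.js"></script>
<script>
  !function(f,b,e,v,n,t,s){/* pixel bootstrap elided */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '1234567890123456');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=1234567890123456&ev=PageView&noscript=1"/></noscript>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123"></script>
</head><body>Welcome to your patient portal</body></html>"""


def demo():
    return inventory("https://portal.example-hospital.org/appointments",
                     SAMPLE_PORTAL_HTML, authenticated=True)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run it over HTML saved from each page behind the portal login and from the public site, and the "unknown third party" rows are the ones to chase down next: anything loaded from a host you don't own is a candidate recipient of visitor data. Static parsing misses tags injected at runtime by a tag manager, so pair it with a browser-side capture of outbound requests before treating the inventory as complete.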
If you have questions about any of the above, contact our team at email@example.com.