How Online Tracking Technologies Threaten Patient Privacy

Many healthcare marketers use online tracking technologies to gather information from users as they interact with a website or mobile application. After several breaches tied to improper uses of third-party tracking pixels, the Department of Health and Human Services has clarified that data collected via online tracking technologies are often PHI and must be secured according to the Privacy Rule.

What are Online Tracking Technologies?

Tracking technologies collect information about website visitors in various ways, many of which are invisible to the user. Some of the most common types of tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps also include tracking codes within the application to enable the collection of user information.

After collecting the information, it is analyzed to create insights about users’ online activities. Marketers often use the data to create advertising campaigns. In the case of third-party tracking technologies, they may continue to track users and gather information about them even after they leave and visit other websites. As you can imagine, this raises serious patient privacy concerns.

How is this Data Protected Health Information?

It may not be obvious to users, but tracking technology vendors can access a lot of personal data through tracking technologies placed on a healthcare provider’s website. Some of the information that can be captured by tracking technology could include:

• medical record numbers
• email addresses
• appointment dates or requests
• IP addresses
• medical device IDs
• geographic locations

Marketers may not realize that individually identifiable information collected on a covered entity’s website or mobile app is often protected health information (PHI). Even if the individual has no pre-existing relationship with the healthcare provider, DHHS’s recent update is clear that this information is protected. Collecting this information establishes a relationship between a covered entity and an individual relating to their past, present, or future provisioning of health care. 

There is always some gray area when it comes to defining PHI, but in this case, it’s better to be safe than sorry. If you are using any online tracking technology, you must confirm that it is processing and transmitting data in a way that aligns with HIPAA regulations. 

How Healthcare Marketers Can Protect Patient Privacy

First of all, if you plan to use tracking technology on your website, the vendor needs to be a business associate of your organization. In these circumstances, covered entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) that outlines how PHI will be protected.

Think carefully about what data needs to be collected and why. In other industries, collecting user data and selling it to third parties or using it in advertising efforts is very common. Healthcare marketers must be more intentional in using online tracking technologies and take additional steps to ensure the data is processed and transmitted securely. Do not install tracking pixels without careful consideration. As many hospital systems learned last winter, failing to do so can have profound privacy and compliance implications. 

If you want to follow up with patients who browsed your website for available appointments, you must ensure their data is secure from when it is collected through transmission to other systems. For example, a patient may enter their name, email address, phone number, and desired appointment time into an online form. When they click “Submit,” where and how is this data transmitted and stored? As they browse the available appointments and doctors, your system may log which web pages they visit and store them in a CRM, CDP, or another platform. If they leave without making an appointment, what do you do with the data you collect? If you transmit this data to other advertising or marketing platforms, you will also need business associate agreements with those vendors. As you can see, it can get complicated very quickly. 

HIPAA-Compliant Marketing Technology

LuxSci’s Secure Form and Secure Marketing technologies offer a few ways to address the patient privacy issues associated with online data collection and transmission. Our fully HIPAA-compliant solutions enable you to securely collect data on your website and use email to engage prospects. Contact our sales team to learn more today.