Many healthcare marketers use online tracking technologies to gather user information as they interact with a website or mobile application. After several breaches tied to improper uses of third-party tracking pixels, the Department of Health and Human Services has clarified that data collected via online tracking technologies are often PHI and must be secured according to the Privacy Rule. This decision has put many organizations at a crossroads- how can they balance patient privacy with the financial pressures to grow their business and provide a superior digital experience?
What are Online Tracking Technologies?
Tracking technologies collect information about website visitors in various ways, many of which are invisible to the user. Some of the most common types of tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps also include tracking codes within the application to enable the collection of user information.
After collecting the information, it is analyzed to create insights about users’ online activities. Marketers often use the data to create highly targeted advertising campaigns. In the case of third-party tracking technologies, they may continue to track users and gather information about them even after they leave and visit other websites. You’ve likely experienced this when online shopping. You look at a pair of shoes on a retailer’s website, and then they continue to follow you and appear as ads as you browse other websites and social media platforms. However, if you replace ads about shoes with advertisements for treatments for an individual’s medical conditions, this raises serious patient privacy concerns.
What Does HIPAA Say About Online Tracking Technologies & Data Collection?
Online tracking technologies have been widely utilized for over a decade but have only recently been considered in the context of health data privacy. The Dobbs vs. Jackson Women’s Health Organization decision by the Supreme Court in June 2022 kicked off a wave of reporting on how reproductive health information was collected and sold online. Some worried that this information could be used in court cases to convict people who sought abortions, leading to significant concerns over digital health data privacy.
In this context, researchers began looking at the websites of major health systems to explore how they used trackers to collect and transmit data. A study revealed that 99% of US hospitals employed online data trackers that transmitted visitors’ information to a broad network of outside parties, including major technology companies, data brokers, and private equity firms. Some hospitals even employed these trackers on internal patient portal web pages, potentially exposing highly sensitive patient data to advertisers.
As a result of the confusion surrounding this issue and the seemingly clear violation of HIPAA rules, OCR issued a bulletin explaining how covered entities can and cannot use tracking technologies on their websites.
You would think that is the end of the story. However, there is still a lot of confusion surrounding the proper use of these technologies. In July 2023, the FTC and OCR issued another warning to 130 hospital systems that continued deploying online tracking technologies despite the bulletin.
Gray areas still exist in how the bulletin is interpreted. The American Hospital Association recently asked OCR to reconsider its guidance, stating it contradicts interoperability efforts. As this situation evolves, healthcare providers must be aware of the risks of online tracking technologies and how they can balance risk with their business objectives.
How is this Data Protected Health Information?
One of the reasons this issue flew under the radar for so long is that it is not necessarily obvious that the information collected by these pixels qualifies as PHI. It may not be evident to end-users, but tracking technology vendors can infer a lot of personal data through tracking technologies placed on a healthcare provider’s website. Some of the information that can be captured by tracking technology could include:
- medical record numbers
- email addresses
- appointment dates or requests
- IP addresses
- medical device IDs
- geographic locations
Marketers may not realize that individually identifiable information collected on a covered entity’s website or mobile app is often protected health information (PHI). Even if the individual has no pre-existing relationship with the healthcare provider, DHHS’s recent update is clear that this information is protected. Collecting this information establishes a relationship between a covered entity and an individual relating to their past, present, or future provisioning of health care. A visit to a healthcare provider’s website may be the first step taken by a future patient in accessing healthcare treatment.
There is always some gray area when defining PHI, but it’s better to be safe than sorry in this case. If you are using any online tracking technology, you must confirm that it is processing and transmitting data in a way that aligns with HIPAA regulations.
How Healthcare Marketers Can Protect Patient Privacy
First of all, if you plan to use tracking technology on your website, the vendor needs to be a business associate of your organization. In these circumstances, covered entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) that outlines how PHI will be protected.
Think carefully about what data needs to be collected and why. In other industries, collecting user data and selling it to third parties or using it in advertising efforts is very common. Healthcare marketers must be more intentional in using online tracking technologies and take additional steps to ensure the data is processed and transmitted securely. Do not install tracking pixels without careful consideration. As many hospital systems learned, failing to do so can have profound privacy and compliance implications.
If you want to follow up with patients who browsed your website for available appointments, you must ensure their data is secure from when it is collected through the transmission to other systems. For example, a patient may enter their name, email address, phone number, and desired appointment time into an online form. When they click “Submit,” where and how is this data transmitted and stored? As they browse the available appointments and doctors, your system may log which web pages they visit and store them in a CRM, CDP, or another platform. If they leave without making an appointment, what do you do with the data you collect? If you transmit this data to other advertising or marketing platforms, you will also need business associate agreements with those vendors. As you can see, it can get complicated very quickly.
HIPAA-Compliant Marketing Technology
LuxSci’s Secure Form and Secure Marketing technologies offer a few ways to address the patient privacy issues associated with online data collection and transmission. Our fully HIPAA-compliant solutions enable you to securely collect data on your website and use secure email to engage prospects. Contact our sales team to learn more today.