Practice Compliance

HHS Warning About Website Tracking: What It Means for Your Practice

David Bibbey, Dipl. Ac., LAc  |  DIGITAL EXCLUSIVE
WHAT YOU NEED TO KNOW
  • Your practice website or website hosting service likely uses tracking technologies that automatically collect and share traffic data and personal information with third parties.
  • This is a HIPAA violation because data tracking on websites often captures protected health information (PHI).
  • If you allow tracking technologies on your website, you have an obligation – a "duty to act" – to ensure that PHI is not shared or misused under the HIPAA rules.

Editor's Note: This is the latest in an ongoing series devoted to assisting acupuncture practitioners in understanding and complying with different aspects of the Health Insurance Portability and Accountability Act (HIPAA). The first article appeared in the February 2022 issue.


In December 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under HIPAA. The OCR bulletin follows a significant increase in lawsuits and complaints about tracking technologies being embedded in health care providers' websites and portals.

Before digging into the OCR bulletin, let's review protected health information (PHI): The HIPAA rules apply to "protected health information" (PHI), which generally includes individually identifiable health information. That is, health information that relates to the individual's past, present, or future health, health care, or payment for care, together with identifiers such as their name, address, email, IP address, and demographic information. See the full definition at 45 CFR 160.103.

Tracking Technologies and Their Uses

Online tracking technology means "software or code on a website, plug-in or mobile app used to gather information about users as they interact with the website or mobile app." Examples of these tracking technologies on websites include cookies, fingerprinting, web beacons, or tracking pixels. Plug-ins and websites may use tracking technologies such as tracking codes, as well as capture device-related information. The HHS bulletin notes:

"For example, websites and mobile apps may use a unique identifier from the user's mobile device, such as a device ID or advertising ID. These unique identifiers, along with any other information collected by the website or app, enables the website owner, third-party vendor or any other entity who receives such information to create individual profiles about each app user."

Tracking technologies are embedded in websites and all kinds of plug-ins. These software tools collect visitors' valuable personal data to use or sell to marketing and research companies. This is a very common practice used by the biggest names in tech, as well as lots of companies flying under the radar.

Here's Why Tracking Technologies Trigger HIPAA

A health care provider's website or website hosting service (like GoDaddy, Web.com, SquareSpace, Hostinger, DreamHost, BlueHost, and Ionos) likely uses tracking technologies that automatically collect and share traffic data and personal information with third parties. This is not permitted under HIPAA. The OCR bulletin states:

"All such information collected on a healthcare provider's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the data collected, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services."

So, according to the OCR, individuals with or without an existing patient relationship with the health care provider could be sharing PHI with the provider (or a third party) through its website tracking technologies. This information might include an individual's medical history, home or email address, dates of appointments, as well as an individual's IP address or geographic location, etc.

Why It Matters to Acupuncturists

Acupuncturists need to be aware that this is a HIPAA violation because data tracking on websites often captures PHI. Information collected by sites that address specific symptoms or health conditions, or that permit a visitor to search for a provider or schedule an appointment, may qualify as PHI if, for example, the visitor's email address or IP address is also captured.

HIPAA Obligations When Using Tracking Technologies

The OCR bulletin reminds health care providers that when they allow tracking technologies on their websites, they have an obligation – a "duty to act" – to ensure that PHI is not shared or misused under the HIPAA rules. Here is a summary of some key obligations:

  • Investigate whether your website collects PHI. As noted above, do not assume that because the site just advertises services, it is not collecting PHI.
  • Ensure that all disclosures of PHI to tracking technology vendors are specifically permitted under the HIPAA Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve an intended purpose is disclosed.
  • Remember that if a disclosure of PHI requires an authorization under HIPAA, website privacy policies and website banners that ask users to accept or reject the use of tracking activities will not likely constitute valid authorization to collect or share PHI.
  • If a tracking technology vendor is creating, receiving, maintaining, or transmitting PHI on behalf of a health care provider, it will likely be considered a business associate. In that case, a business associate agreement will have to be signed.
  • Identify any existing website tracking technologies in the clinic's security risk analysis and risk management processes, and implement safeguards in accordance with the HIPAA security regulations.
  • Provide breach notifications to affected individuals and the OCR if impermissible disclosures of PHI occur via tracking technology.

What Can You Do? Next Steps

Don't feel alone if you are confused or uncertain about how to comply with the steps listed above. Health care providers usually depend on IT and data security consultants to help with compliance.

Work with your website developer or a trusted IT and data security professional to determine if tracking technologies are embedded anywhere on your website. Consider migrating your website to a secure server to ensure visitors' personal information is not being collected while navigating on your website.
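A first pass at the "investigate whether your website collects PHI" step can be done offline by inventorying which scripts, images (including 1x1 tracking pixels), iframes and form targets on a page load from hosts other than the practice's own. The following is an added example, not code from the article or from HHS; the site host, the sample HTML and the vendor hostnames in it are constructed for illustration.

```python
"""Inventory third-party loaders on a page (added example; sample data is constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML standing in for a saved copy of a practice website's page.
SAMPLE_HTML = """
<html><head>
<script src="/assets/site.js"></script>
<script src="https://analytics.example-vendor.net/tag.js"></script>
</head><body>
<form action="https://forms.example-vendor.net/submit"><input name="email"></form>
<noscript><img src="//pixel.example-vendor.net/p?id=123" width="1" height="1"
               style="display:none"></noscript>
<img src="https://cdn.clinic.example/logo.png">
<iframe src="https://maps.example-map.com/embed?q=clinic"></iframe>
</body></html>
"""

class TrackerAudit(HTMLParser):
    """Record elements that send a visitor's browser to a host outside the site's own domain."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (kind, third-party host, url)

    def _third_party_host(self, url):
        host = (urlparse(url).hostname or "").lower()   # relative URLs have no host
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return None                                  # first-party (own host or subdomain)
        return host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("action") if tag == "form" else a.get("src")
        host = self._third_party_host(url or "")
        if not host:
            return
        if tag == "img":
            # A 1x1 image is the classic web beacon / tracking pixel.
            kind = "pixel" if a.get("width") == "1" and a.get("height") == "1" else "image"
        elif tag in ("script", "iframe", "form"):
            kind = tag
        else:
            return
        self.findings.append((kind, host, url))

def audit_html(html, site_host):
    """Return every third-party script, image, pixel, iframe or form target found in html."""
    parser = TrackerAudit(site_host)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for kind, host, url in audit_html(SAMPLE_HTML, "clinic.example"):
        print(f"{kind:7s} {host:32s} {url}")
```

Each finding is a vendor to ask about: what it receives, whether that can include PHI, and whether a business associate agreement covers it. This only inspects static markup; scripts that load further trackers at runtime still need a review of the live page's network requests.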

If any of your website vendors are using tracking software on your website, then determine what, if any, ePHI is being collected or shared. Ensuring a business associate agreement is in place also will help to avoid potential impermissible disclosures of patients' private health information.


Author's Note: For more information related to this article, please visit www.patientdataprotection.com or call Matthew Fiorenza, compliance and security specialist, at 352-268-5088, ext. 4.

April 2023