Practice Management Alert

Discover your responsibilities in protecting patient internet use data.

Most websites collect data about their visitors through tracking technology, and healthcare providers’ websites are no exception. Website user data like this is often collected by third-party sources that analyze it to better understand visitors’ habits and produce more and better targeted advertisements. But this common practice can be a thorny issue to healthcare providers.

Keep reading to distinguish data tracking myths from reality.

Myth 1: Tracking Technology Doesn’t Exist in a Free Country Like the U.S.

Reality: Tracking technologies are codes or scripts embedded in websites or mobile apps that third parties use to collect and analyze data to understand the users’ online activities and are certainly present in the U.S. App developers also use tracking technology to gather mobile device information, such as the device ID or advertising ID. Third parties use the mobile device information to construct individual profiles for each app user.

Examples of tracking technologies include:

• Cookies
• Session replay scripts
• Fingerprinting scripts
• Web beacons or tracking pixels

Common tracking technology services include, but are not limited to:

• Meta/Facebook Pixel
• Google Analytics

Myth 2: Tracking Technology Exists Only for Ecommerce Websites

Reality: While you might expect this technology to exist on shopping websites and social media, many healthcare organization and hospital websites as well as health-related apps are built with the tracking technology.

In the April 2023 issue of Health Affairs, University of Pennsylvania researchers published their findings after surveying third-party tracking technology on hospital websites. Researchers evaluated 3,747 U.S. hospitals’ websites over a three-day period in 2021. The team used an open-source software tool, WebXray, to identify third-party tracking technology code and recorded data requests on the hospitals’ websites.

The researchers found that 98.6 percent of the hospitals had at least one tracking code type on their websites that transferred information to third parties. The study also showed that 94.3 percent of hospitals used at least one third-party cookie.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote Ari B. Friedman, MD, PhD, assistant professor of emergency medicine at the Perelman School of Medicine at the University of Pennsylvania in Philadelphia, Pennsylvania, and the other researchers.

Companies who have access to the data could use the information to generate targeted advertising that addresses each patient’s health conditions or concerns. The targeted ads could promote certain medications or treatments.

Myth 3: HIPAA Doesn’t Extend to Website Usage

Reality: In addition to the technology’s benefits, organizations must be aware of the potential risks associated with using the technology. One major risk is unauthorized disclosure of patients’ protected health information (PHI). In fact, the technology needs to be compliant with HIPAA regulations.

According to the Department of Health and Human Services (HHS), “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Regulated entity definition: Regulated entities are better known as business associates regarding compliance. According to the HHS, a business associate is any person or organization that performs actions where they are required to use or disclose PHI “on behalf of, or [provide] services to, a covered entity.” Examples of business associates include pharmacies, medical coders, and consultants who perform use reviews for hospitals.

Releasing the patients’ PHI without their consent could lead to identity theft, data breaches, fraud, and scams.

“These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals,” Dr. Friedman wrote in the University of Pennsylvania study.

Myth 4: No One is Paying Attention to Tracking Safety

On July 20, 2023, the Federal Trade Commission (FTC) and the HHS Office for Civil Rights (OCR) issued a joint letter warning telehealth providers and hospital systems of tracking technology risks. The letter highlights privacy and security risks associated with using tracking technologies in websites and mobile apps.

The agencies listed the following items as sensitive information that could be impermissibly disclosed:

• Diagnoses
• Health conditions
• Medications
• Medical treatments
• Visit frequency

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, director of the OCR, in a press release.

Myth 5: Providers Don’t Need to Worry About Enforcement Actions

Reality: Healthcare organizations must remain vigilant to ensure the code in their websites or mobile apps remains HIPAA compliant — especially if the code contains tracking technology that transfers data to a third party. If that technology violates HIPAA compliance and shares PHI or ePHI with outside entities, then your organization and the third parties can face monetary and legal penalties.