Due to some recent actions against online medical providers like BetterHealth and GoodRX, the Department of Health and Human Services has released a new warning for covered entities regarding the tracking methods they use on their websites.
While web tracking has become a typical technology for most businesses, it’s not a cut-and-dry proposition for healthcare providers who have to maintain patient privacy.
What Is Web Tracking?
Web tracking is all about monitoring what users are doing online. It’s a complex task that involves gathering and analyzing much information about users’ online behavior. This includes what pages they visit, how long they stay on each page, what they click on, what they search for, what kind of device they’re using, where they’re located, and where they came from.
The main goal of web tracking is to improve the online experience for users. Websites can offer personalized content, recommendations, and special deals by understanding what people like and how they behave.
In marketing and advertising, web tracking is a must-have tool. It helps advertisers create ads that are right on target with what users are interested in based on their interests, age, and online behavior. Advertisers can also see how many people click on ads and buy products to see how well their campaigns work. Plus, web tracking lets marketers focus on specific groups of users, making their marketing even more effective.
But web tracking, because it involves collecting personal data, can prove a massive problem for HIPAA compliance. This is particularly problematic for trackers enhancing the “user experience” by using protected data.
Types of Web Tracking
Web tracking methods are used to watch and understand what users are doing on websites. These smart tools help website owners determine what users like, improve their experience, and deliver the right content or ads. Here’s a rundown of common web tracking methods:
- Cookies: Cookies are small text files saved on a user’s device containing information about browsing history, likes, and interactions with a website. They’re used for personalizing content, logging in, and targeted advertising.
- Web Beacons (or Tracking Pixels): Tiny, see-through images put into web pages or emails that send information to a server when they’re loaded. They track how users interact with content, how often emails are opened, and how ads are viewed.
- URL Tracking Parameters: These are details added to URLs to track where traffic comes from and how users move through a site. They help measure how well advertising and referrals are working.
- Fingerprinting: This collects unique details about a user’s device, like the type of browser, screen size, and fonts installed. It’s used to identify and track users across different sessions and websites.
- Social Media Plug-ins: These are buttons or widgets from social media sites that are placed on web pages. They’re used to sharing social media content and seeing how users interact.
- Server Logs: Records kept by web servers that show user requests, like where they’re located, what device they’re using, and what pages they ask for. They’re used to looking at traffic patterns and finding problems.
- Third-party Analytics Tools: Tools like Google Analytics provide detailed tracking and analysis of user behavior. They’re used to learning about who’s visiting a site, what they’re doing, and what they like.
- Local Storage and Session Storage: These are ways for websites to store information in a user’s browser. They’re used to remember user preferences and information from one visit to the next.
These methods can be used independently or together to fully understand what users are doing. But they can also raise privacy concerns, so using them responsibly is important. That means being clear about what’s tracked, getting users’ permission when needed, and following all the relevant privacy laws and rules.
What Does HIPAA Say About These Tracking Methods?
In a recent announcement, the Department of Health and Human Services warned CEs and BAs that the tracking methods mentioned above are considerable problems for HIPAA compliance if not managed.
Fortunately, HHS provides clear guidelines for HIPAA-regulated entities and business associates using online tracking technologies.
The guidelines emphasize that tracking methods like cookies and web beacons, used to collect and analyze user interactions with websites or mobile apps, must follow HIPAA rules if the information gathered includes protected health information (PHI). The guidelines spell out the rules for tracking user-logged-in web pages, non-logged-in web pages, and mobile apps. They also detail HIPAA compliance duties, such as ensuring proper disclosures, setting up business associate agreements (BAAs), and implementing security measures.
Some steps that an organization can take include:
- Make Sure Disclosures Follow the Privacy Rule: Any sharing of PHI with tracking technology vendors must be allowed by the Privacy Rule. Only share the minimum PHI needed to achieve the goal.
- Set Up a Business Associate Agreement (BAA): If the tracking technology vendor is a “business associate,” a BAA must be in place. This agreement should outline the vendor’s allowed and required uses and sharing of PHI, security measures, and reporting requirements for security incidents and breaches.
- Follow Privacy Rule Permissions: If there’s no relevant Privacy Rule permission or the vendor isn’t a business associate, you’ll need HIPAA-compliant authorizations from individuals before sharing PHI with the vendor. There must be more than website banners asking users to accept or reject tracking technologies.
- Include Tracking Technologies in Risk Analysis and Management: You must consider tracking technologies in your Risk Analysis and Risk Management processes. This includes using administrative, physical, and technical safeguards in line with the Security Rule, like encrypting ePHI sent to the tracking technology vendor and using proper authentication and access controls.
- Provide Breach Notification: If there’s an unauthorized sharing of PHI with a tracking technology vendor that threatens the security or privacy of PHI, you must notify affected individuals, the Secretary, and the media (if needed).
- Don’t Share PHI Without a BAA: If you choose not to set up a business associate relationship with vendors or the tracking technology vendor won’t provide written assurances through a BAA, you can only share PHI with the vendors with individual authorizations.
- Comply with the Security Rule: This includes encrypting ePHI sent to the tracking technology vendor and using proper authentication, access, encryption, and audit controls when accessing ePHI kept in the tracking technology vendor’s system.
These steps highlight the importance of following the HIPAA Privacy, Security, and Breach Notification Rules. They ensure that all information sharing is allowed, proper agreements with vendors are in place, necessary safeguards are used, and the right notifications are made if there’s a breach.
Focus On HIPAA Security with Lazarus Alliance
When it comes to HIPAA, you’ll want a partner that can help you on your journey effectively, efficiently, and reliably. Our training, experience, and background make us the best choice to ensure that you’re getting the best partner and auditor you can for your ongoing compliance requirements.