As healthcare becomes increasingly interconnected through technology, there is one common tech element many organizations overlook, and it can introduce additional risks to patient privacy.
It's something you likely use or experience every day, perhaps without realizing it: website tracking technologies.
Commonly referred to as "tracking cookies" (though the category also includes tracking pixels and scripts), these snippets of code are embedded in many websites. They're used to track and collect data on website visitors, usually with the intent of better understanding who is using a website, what for, and some general demographic and other information.
It’s a tool marketers love because it offers valuable insight to help them better connect to customers and deliver exactly what they want. It helps businesses define custom audiences and analyze website conversion funnel effectiveness.
In healthcare, tracking cookies offer similar benefits, helping healthcare organizations, whether covered entities or business associates, deliver a more customized patient experience, driving higher patient engagement, better outcomes, and higher patient satisfaction.
While these website tracking technologies offer many benefits, they can also put patient data at risk, especially if you’re unclear about what’s being collected, by whom, and how it’s being used.
Keeping a Watchful Eye on Patient Data
In 2022, The Markup, a nonprofit newsroom that investigates how large organizations use technology to effect change in society, took a close look at the websites of Newsweek's Top 100 hospitals in America.
The investigation uncovered that of those 100 hospitals, 33 were using a website tracking technology called Meta Pixel. With the tracker installed on their websites, hospitals sent patient information to Facebook, often unknowingly, for example when website visitors used web-based functions like appointment scheduling.
- What’s Meta Pixel?
- A snippet of code that allows organizations to track website user activities.
- What are some examples of information Meta Pixel can collect?
- IP Addresses
- Dates, times, locations of scheduled appointments
- Patient’s proximity to a location
- Information about a patient’s providers
- Types of appointments and procedures
- Communications between patients and others through a patient portal
- First and last names
- Medical record numbers
- Insurance information
- Proxy patient portal account information
Organizations can also create custom values and web forms for patients to enter specific information about themselves (for example, email addresses, names, etc.), which can be collected and sent back to Facebook.
The Markup discovered that through the tracking technologies these hospitals used, Facebook received personally identifiable patient information. In some cases, for example, an IP address was linked to information submitted through the website, such as a physician's name and a patient's condition.
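To make the mechanism concrete, here is an added example (not Meta Pixel's code, and not taken from any hospital's site) that models what a third-party tracking snippet on an appointment-scheduling page can see at the moment a visitor clicks "Schedule", beside a hardened variant that sends only a coarse event. The page snapshot, hostnames, names and field values are constructed for illustration; `leakedIdentifiers` is a hypothetical pre-deployment check, not a vendor feature.

```javascript
// Added example: constructed model of a tracking snippet's view of an
// appointment page. Not Meta Pixel's code; all values below are constructed.

// Constructed snapshot of an appointment page when "Schedule" is clicked.
const constructedPage = {
  url: "https://hospital.example/find-a-doctor/jane-roe-cardiology/schedule?condition=heart+failure",
  title: "Schedule with Dr. Jane Roe - Cardiology",
  buttonText: "Schedule Appointment",
  form: {
    first_name: "Alex",
    last_name: "Smith",
    mrn: "00123456",
    email: "alex.smith@example.com",
    insurance: "Acme Health PPO",
    appt_date: "2023-03-14 09:30",
  },
};

// What a typical "send everything" snippet assembles on a click: the full URL
// (query string included), the page title, the clicked element's text, and
// the form field values. The visitor's IP address is learned by the receiving
// server from the connection itself, so it is not in this object but always
// accompanies it.
function naiveTrackerPayload(page) {
  return {
    event: "Click",
    url: page.url,
    title: page.title,
    button: page.buttonText,
    form: { ...page.form },
  };
}

// Hardened variant: an explicit allow-list. Only the event name and a coarse
// page category leave the site, and the URL is reduced to its origin so the
// provider name and condition in the path or query string never travel.
function hardenedTrackerPayload(page) {
  const u = new URL(page.url);
  return { event: "Click", pageType: "appointment", origin: u.origin };
}

// Hypothetical check to run before a snippet is allowed on a page: does the
// serialized payload carry any identifier the page knows about? Returns the
// identifiers found, in the order given.
function leakedIdentifiers(payload, identifiers) {
  const wire = JSON.stringify(payload);
  return identifiers.filter((id) => wire.includes(id));
}

// Identifiers present on this constructed page. A real check would derive
// them from the form model and route parameters rather than hard-code them.
const KNOWN_IDENTIFIERS = ["Alex", "Smith", "00123456", "Jane Roe", "heart"];

// Compare the two snippets on the same page; returns what each one leaks.
function compare() {
  return {
    naive: leakedIdentifiers(naiveTrackerPayload(constructedPage), KNOWN_IDENTIFIERS),
    hardened: leakedIdentifiers(hardenedTrackerPayload(constructedPage), KNOWN_IDENTIFIERS),
  };
}

console.log(compare());
```

The point of the comparison is that nothing in the naive snippet is exotic: echoing the URL, title and form fields is default behaviour for many trackers, which is why a provider name in a path segment or a condition in a query parameter ends up with the third party without anyone on the hospital side deciding to send it.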
Even more troubling, at least seven hospitals also had this tracking technology installed in their patient portals. Because HIPAA prohibits covered entities from disclosing protected health information (PHI) to third parties without written authorization or a business associate agreement, it's likely that the tracking technology caused HIPAA violations.
In one instance, one hospital had to notify 3 million patients. Several other organizations have sent notifications out to more than a million patients. A few have even been named in lawsuits, including at least one class-action lawsuit.
In a recent article by HealthcareIT News covering one of these lawsuits, former HHS investigator and Clearwater’s VP of Privacy and Compliance, Andrew Mahler, explained, “What makes this situation especially complex and troubling is that the healthcare organizations themselves may not have been aware that the Meta Pixel Tool had been embedded in its website and/or that it was tracking, comparing and receiving data about patients, including PHI (protected health information). This underscores the importance of performing thorough risk analyses, proper training and education, as well as independent third-party reviews of policies, processes, and systems to highlight potential gaps and risks.”
OCR Responds to Tracking Technologies
While there haven’t yet been enforcement actions from the Office for Civil Rights (OCR), OCR issued guidance about tracking technologies in early December 2022. This guidance calls for education about tracking technologies, especially regarding when a breach may occur and when notifications must happen.
The guidance clarifies that individually identifiable health information (IIHI) collected on a regulated entity's website or mobile app generally is PHI, even if the individual doesn't have an existing relationship with the regulated entity and even if the IIHI, such as an IP address or geographic location, doesn't include specific treatment or billing information like dates and types of healthcare services.
While this is a broad reading of PHI, it's important to note that OCR is bringing attention to the potential risk that tracking cookies create. Ultimately, it shifts the burden of determining whether collected information is or is not PHI to the healthcare organization or business associate.
The guidance goes on to say: "When a regulated entity collects IIHI through its website or mobile app, the information connects the individual to that entity (i.e., it is indicative that the individual has received or will receive healthcare services or benefits from that covered entity), and thus it relates to the past, present, or future healthcare or payment for care."
Qualifiers and Clarifications
The guidance also looks at what data can be collected on authenticated and unauthenticated web pages.
- Tracking on user-authenticated web pages
- User-authenticated web pages require users to log in before accessing the page, such as a patient or health plan beneficiary portal or a telehealth platform.
- Tracking technologies on these pages generally have access to PHI. A patient who logs into a patient portal with their credentials is likely to view records and communicate with their provider or others about their care. That information is almost certainly PHI and must be protected.
- Tracking on unauthenticated web pages
- These are web pages that do not require users to log in before accessing them, such as a page with general information about a regulated entity: its locations, the services it provides, or its policies and procedures.
- Tracking technologies on these pages generally don't have access to PHI. The caveat, per the guidance above, is that IIHI collected there (an IP address or location combined with, say, an appointment request or a page about a specific condition) can still be PHI.
And while these technologies are often associated with websites, they're in mobile apps too, and even in wearables and other devices.
Mobile apps offered to individuals (e.g., to help manage their health information or pay bills) collect a variety of information provided by the user, including information typed or uploaded into the app, as well as information provided by the user's device, such as fingerprints and other biometric data, network location, geolocation, device ID, and advertising ID. These apps may have access to PHI.
A good reminder here is that whether you’re looking at patient risks through the lens of a website, app, or device, the key is to think about the scope of the data collected and make sure to add them to your routine risk analysis.
Minimizing Risk from Tracking Technologies
So, what can your healthcare organization do to minimize risk to patients, beneficiaries, and the organization? Here are six recommendations:
- Keep an inventory of the tracking activity on your websites and apps. Understand what's being collected, how it's being collected, and where it may go outside your organization.
- Determine whether the technology vendor you're working with, for example Meta (Meta Pixel) or Google, constitutes a business associate.
  - If yes, ask: do we have a business associate agreement in place, or can we get one? Many larger organizations such as Facebook and Google refuse to sign these agreements and will instead refer you to their policies or information about their security practices. That is insufficient to satisfy a business associate relationship or your regulatory obligations.
  - You may find some tracking technologies enabled where business associate agreements are already in place, in which case the transmission of data to those third parties is permissible.
- Conduct a breach assessment and provide any notification or reporting that is required.
- Address tracking technologies in your risk analysis and risk management processes, and as part of that implement controls and safeguards to mitigate and manage the risk.
- Ensure all disclosures of PHI to tracking technologies are specifically permitted by the HIPAA rules.
  - Minimize all disclosures of PHI to tracking technology to what is necessary to achieve the intended purpose.
  - Obtain direct individual authorizations where no business associate relationship exists or in the absence of a permitted use or disclosure.
- Train your staff on how to protect and secure patient information. This includes what counts as PHI, including the types of identifiers about patients, their relatives, employers, or household members that could be used to identify patients.
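The inventory recommendation above, together with the authenticated versus unauthenticated distinction from the OCR guidance, can be turned into a repeatable check. The following added example (not a vendor tool and not part of the original article) takes a log of outbound requests as you would export from a browser's developer tools, drops first-party traffic, and reports per third-party host whether any request fired from an authenticated path and which identifier-bearing parameters it carried. The request log, hostnames, login path prefixes and the `SENSITIVE_KEYS` list are constructed assumptions; a real run would use your own site's field names and routes.

```javascript
// Added example: inventory of third-party tracking requests observed on a
// constructed hospital site. All hosts, paths and field names are constructed.

const FIRST_PARTY_HOST = "hospital.example";             // constructed
const AUTHENTICATED_PREFIXES = ["/portal/", "/mychart/"]; // constructed: paths behind login
// Parameter names that carry identifiers or care details on this constructed site.
const SENSITIVE_KEYS = new Set([
  "mrn", "first_name", "last_name", "email", "dob", "insurance",
  "provider", "appt_date", "condition", "message",
]);

// Constructed request log: { page the request fired from, request URL, body }.
const constructedRequests = [
  { page: "https://hospital.example/",
    url: "https://tracker.example/collect?event=PageView&url=" + encodeURIComponent("https://hospital.example/"),
    body: {} },
  { page: "https://hospital.example/schedule?provider=dr-roe&condition=asthma",
    url: "https://tracker.example/collect?event=Click&url=" + encodeURIComponent("https://hospital.example/schedule?provider=dr-roe&condition=asthma"),
    body: { first_name: "Alex", appt_date: "2023-03-14", provider: "dr-roe" } },
  { page: "https://hospital.example/portal/messages",
    url: "https://tracker.example/collect",
    body: { event: "PageView", mrn: "00123456", message: "refill request" } },
  { page: "https://hospital.example/portal/messages",
    url: "https://analytics.example/ping",
    body: { event: "PageView" } },
  { page: "https://hospital.example/locations",
    url: "https://cdn.example/map.png",
    body: {} },
  { page: "https://hospital.example/schedule",
    url: "https://hospital.example/api/slots",  // first-party, excluded
    body: { provider: "dr-roe" } },
];

function isAuthenticatedPath(pageUrl) {
  const path = new URL(pageUrl).pathname;
  return AUTHENTICATED_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Sensitive parameter names carried by one request: in its body, in its own
// query string, and inside any page URL it echoes back (trackers commonly send
// the current URL as a parameter, so provider/condition in that URL travel too).
function sensitiveKeysIn(req) {
  const found = new Set();
  const consider = (key) => { if (SENSITIVE_KEYS.has(key)) found.add(key); };
  for (const key of Object.keys(req.body || {})) consider(key);
  const u = new URL(req.url);
  for (const key of u.searchParams.keys()) consider(key);
  for (const echoKey of ["url", "dl", "referrer"]) {
    const echoed = u.searchParams.get(echoKey);
    if (!echoed) continue;
    try {
      for (const key of new URL(echoed).searchParams.keys()) consider(key);
    } catch (_e) { /* not a URL; nothing to inspect */ }
  }
  return found;
}

// Group requests by third-party host and summarize what each one received.
function inventoryThirdPartyRequests(requests, firstPartyHost = FIRST_PARTY_HOST) {
  const byHost = new Map();
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (host === firstPartyHost || host.endsWith("." + firstPartyHost)) continue;
    const entry = byHost.get(host) ||
      { host, requests: 0, pages: new Set(), authenticated: false, sensitiveKeys: new Set() };
    entry.requests += 1;
    entry.pages.add(new URL(req.page).pathname);
    if (isAuthenticatedPath(req.page)) entry.authenticated = true;
    for (const key of sensitiveKeysIn(req)) entry.sensitiveKeys.add(key);
    byHost.set(host, entry);
  }
  return [...byHost.values()]
    .sort((a, b) => a.host.localeCompare(b.host))
    .map((e) => ({
      ...e,
      pages: [...e.pages].sort(),
      sensitiveKeys: [...e.sensitiveKeys].sort(),
      // Either condition means PHI may be flowing: needs a BAA or removal.
      needsBaaOrRemoval: e.authenticated || e.sensitiveKeys.size > 0,
    }));
}

function runInventory() {
  return inventoryThirdPartyRequests(constructedRequests);
}

console.log(JSON.stringify(runInventory(), null, 2));
```

Note that the same vendor host shows up on the public home page, the scheduling page and the authenticated messages page: the inventory question is not only "which pages have the tag" but "what did the tag actually receive from each of them", and the echoed page URL is the field that most often answers it.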
What to Do in Case of a Breach?
Finally, because this gets a lot of OCR attention, consider your plans if you experience a breach. Here are four tips to consider:
- Don’t panic. Follow your incident response process. Bring together all of your key stakeholders. Set up calls and meetings to talk through the issue. Make sure everybody’s on the same page and that all agree about the next steps. Do this methodically, carefully, and thoughtfully to avoid gaps from moving too quickly.
- Assess an incident addressing five key areas:
- Nature and extent of the PHI involved
- Likelihood of re-identification
- The unauthorized person who used or received the PHI
- Whether the PHI was acquired or viewed
- Extent of risk mitigation
- Presume there has been a breach of unsecured PHI unless the regulated entity can demonstrate a low probability that the PHI has been compromised.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered.
- A breach is considered discovered on the first day it is known to the covered entity or, by exercising reasonable diligence, would have been known.
- The covered entity must provide substitute notice for any individual for whom it has insufficient or out-of-date contact information.