HIPAA/HITECH , Standards, Regulations & Compliance , Video

Why Health Entities Must Scrutinize Use of Web Tracking Tech

Regulators are scrutinizing the use of website tracking codes and analytics such as Meta Pixel and Google Analytics. Health entities must carefully assess how those tools are being used on their health-related websites, say privacy attorneys Cory Brennan of Taft and Mark Swearingen of Hall Render.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

The Department of Health and Human Services in guidance issued in December urged HIPAA-regulated entities to review how they're using these tracking tools, and the Federal Trade Commission has already fined at least two companies in cases involving these tracking technologies.

A recent study published in the journal Health Affairs found that third-party tracking tools are used on nearly 99% of hospital websites, transmitting data to technology giants, social media companies, advertising firms and data brokers.

But oftentimes, entities are unaware of how these tools are being used in their websites, the attorneys said.

"Sometimes Facebook Pixel is active on three of the five pages on a website. So it definitely varies," Brennan said in a video interview with Information Security Media Group.

Another factor is whether the technology tools were implemented by an internal marketing team or a third-party services provider. Also, staff turnover has likely occurred since the tracking tool was deployed, leaving healthcare firms clueless about what tools are running on their websites and exactly how they are functioning, she said.

"It could not be more important to be able to really get a full inventory and scope of those tracking technologies - and then also to start testing them - to see exactly what information is being tracked and transmitted through the use of those technologies," she said.

HHS has warned that covered entities using these tools on patient websites must sign a business associate agreement with the technology tracking vendors, but Swearingen said that many of the largest vendors will not sign (see: HHS: Web Trackers in Patient Portals Violate HIPAA).

"They do not want to be business associates, and so they won't sign those agreements," Swearingen said. "Entities like Google have come out and said specifically, with its analytics product, 'Don't send us protected health information. We don't want it, and we're not going to be a business associate.' When we're talking to clients who are dealing with this, our advice is they have to give strong consideration to turning these technologies off, or in some ways restricting what those technologies are capable of doing."

In this video interview with Information Security Media Group, Brennan and Swearingen also discuss:

• Regulatory compliance reviews and other potential enforcement activities involving the use of web tracking technologies by HIPAA-regulated entities;
• Challenges companies face when trying to identify and notify individuals affected by potential data privacy breaches involving the use of website tracking technologies;
• Other critical considerations concerning the use of website tracking tools.

Brennen, an attorney in Taft's Indianapolis office, focuses on matters relating to intellectual property, information technology, software licensing and procurement, advertising technologies and digital marketing solutions, information privacy and security, and data breach and incident response. She advises clients on a variety of data governance regulations, including HIPAA and the General Data Protection Regulation.

Swearingen, an attorney at Hall Render, has nearly 25 years of experience in the areas of health information privacy and security, with a focus on HIPAA compliance, data breach response, government investigations and audits.