Are There Tracking Technologies on Your Practice Website that Violate HIPAA?

Share

Tweet

Share

Share

Email

Comments

Ensuring that your practice website doesn’t result in a HIPAA violation

By Peter J. Cass, OD

May 29, 2024

A HIPAA violation in your office may come from an unexpected source–your practice website.

Here are points to consider, and actions to take, to determine if your practice website uses tracking technologies that violate HIPAA.

How Do Website Tracking Technologies Work?

Tracking technologies typically involve the use of scripts or code (like cookies and web beacons) that gather information about users as they interact with the website or mobile app.

As of 2023, the U.S. Department of Health and Human Services (HHS) now considers that HIPAA privacy and security policies apply if an individual, whether your patient or not, accesses your website and tracking technologies collect almost any information about them, even something as simple as the geographic location of the individual.

While such tracking actions are not illegal, invoking HIPAA oversight means the transmission of data between your website and the patient now must comply with all HIPAA security standards – most importantly a secured (encrypted) transmission.

Recommended Actions

This can all get very technical, and may require some investigation on your part, such as consulting with an IT professional. The effort to look into your practice website’s tracking technologies to find out if there are any needed changes, and then implement those changes, is well worth it. One HIPAA non-compliant website tracking violation already settled for $18 million.

Here are key steps to take to avoid having a website that is inadvertently in violation:

Investigate & Document Use of Tracking Technologies on Your Website & Social Media Platforms

This will likely require consultation with your IT consultants, website developers and marketing consultants. You will ultimately need to determine if the tracking technologies fall under the new HIPAA standards.

Determine What Your Site’s Tracking Technologies Are Used for

Specifically, determine if tracking technologies are used to collect information that is used for marketing purposes which would require unique patient authorization.

Tracking technology use will need to be addressed in your security risk assessment and management plan.

Obtain Patient Authorization & Notify

Obtain patient authorization for the use of tracking technologies with an opt-out option. My firm, Practice Compliance Solutions (PCS), is assisting clients in a system to accomplish this.

Despite the direct statement that patient notification of tracking technology use through banners or pop-up notices does not eliminate the requirements under HIPAA security, the use of such patient notifications is advised.

Look Into Your EHR’s Agreements with Tracking Technology Companies

Make sure you have business associate agreements with tracking technology companies. Most of these companies are being used by your website or EHR vendor, not you directly, In that case, make sure you advise your vendors of the need for subcontractor agreements.

Get Extra Help

The Office of Civil Rights’ (OCR) expansive view of protected health information (PHI), as noted in the new regulations, along with a technology level most are unfamiliar with, may make it difficult to ascertain specific HIPAA compliance obligations when undertaking any of the above-listed measures.

Consulting with an IT security or healthcare compliance firm can provide you with the oversight and reassurance you need to know your practice website is not setting you up to be cited for a violation and to pay a hefty fine or settlement.

Peter J. Cass, OD, is a partner in Practice Compliance Solutions, a faculty member for the University of Houston College of Optometry, an associate at MyEyeDr. Beaumont and past-president of the Texas Optometric Association. To contact: peter@PCScomply.com