Online Tracking Tools in Healthcare

In December 2022, HHS issued guidance stating that covered entities may not use tracking technologies (such as the Meta Pixel) in a way that results in an impermissible disclosure of protected health information (PHI) to third-party analytics and social media companies. Under the guidance, such disclosures require the patient's authorization.

On December 27, 2023, New York Attorney General Letitia James announced a $300,000 settlement with NewYork-Presbyterian Hospital (NYPH), resolving an enforcement action over the hospital's failure to follow the guidance. The AG found that the hospital violated HIPAA by using advertising tools on its website that collected and shared PHI with third-party technology companies. The sharing occurred as visitors used the website to search for doctors or book appointments, and those visitors were unaware of it.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. NewYork-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients’ information.”

The settlement is the first HIPAA settlement, state or federal, over a covered entity's use of website advertising tools that collected and impermissibly shared PHI with third-party technology companies.

Other states can be expected to bring similar enforcement actions. Providers should therefore make sure they “monitor the tools they use to monitor.”
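One concrete way to “monitor the tools you use to monitor” is to review a capture of the browser's network traffic from your own site and flag requests to third-party hosts that carry the visitor's page context (the path of a doctor-search or appointment page, the search parameters, or a Referer header that includes them). The script below is an added example, not code from the article, from the Attorney General's office or from the hospital; the first-party domain, the sensitive path and parameter names, and the HAR-style sample capture are all constructed assumptions, and the parameter names in the sample requests are modelled on common analytics endpoints rather than taken from any real capture.

```python
"""Audit a captured browser session for third-party requests that carry
visitor context from sensitive pages (doctor search, appointment booking).

Added example, not from the original article. FIRST_PARTY, SENSITIVE_PATHS,
SENSITIVE_KEYS and SAMPLE_CAPTURE are constructed assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = "hospital.example"  # assumption: the provider's own domain

# assumption: page paths whose mere visit reveals something about the visitor
SENSITIVE_PATHS = re.compile(r"/(find-a-doctor|book-appointment|patient-portal)", re.I)

# assumption: query/body keys whose values describe the visitor's health situation
SENSITIVE_KEYS = {"specialty", "condition", "provider", "email", "dob", "q"}

# constructed sample capture (HAR-style: request URL, Referer header, POST body)
SAMPLE_CAPTURE = [
    {"url": "https://hospital.example/find-a-doctor?specialty=oncology",
     "referer": "", "body": ""},
    {"url": "https://www.facebook.com/tr/?id=123&ev=PageView"
            "&dl=https%3A%2F%2Fhospital.example%2Ffind-a-doctor%3Fspecialty%3Doncology",
     "referer": "https://hospital.example/find-a-doctor?specialty=oncology", "body": ""},
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fbook-appointment",
     "referer": "https://hospital.example/book-appointment",
     "body": "cd1=provider%3Ddr-smith"},
    {"url": "https://cdn.example-fonts.net/font.woff2",
     "referer": "https://hospital.example/", "body": ""},
    {"url": "https://www.facebook.com/tr/?id=123&ev=PageView"
            "&dl=https%3A%2F%2Fhospital.example%2Fabout-us",
     "referer": "https://hospital.example/about-us", "body": ""},
]


def _leaked_fields(text: str) -> set:
    """Return labels for sensitive content found in one parameter value:
    a sensitive page path, or a sensitive key=value pair nested inside it
    (e.g. a full page URL or an encoded query string passed as a value)."""
    found = set()
    match = SENSITIVE_PATHS.search(text)
    if match:
        found.add("path:" + match.group(1).lower())
    parsed = urlparse(text)
    # a bare "key=value" string has no URL query; treat the whole text as one
    query = parsed.query or (text if "=" in text else "")
    for key in parse_qs(query):
        if key.lower() in SENSITIVE_KEYS:
            found.add("param:" + key.lower())
    return found


def audit(capture: list) -> list:
    """Flag every request to a host other than FIRST_PARTY whose URL query,
    POST body or Referer carries sensitive page context.
    Returns (host, field, sorted leaked labels) tuples in capture order."""
    findings = []
    for req in capture:
        parsed_url = urlparse(req["url"])
        host = parsed_url.hostname or ""
        if host == FIRST_PARTY:
            continue  # first-party request; only third-party egress is audited
        carried = {}
        for key, values in parse_qs(parsed_url.query).items():
            for value in values:
                carried.setdefault("url:" + key, set()).update(_leaked_fields(value))
        for key, values in parse_qs(req.get("body", "")).items():
            for value in values:
                carried.setdefault("body:" + key, set()).update(_leaked_fields(value))
        if req.get("referer"):
            carried["referer"] = _leaked_fields(req["referer"])
        for field, leaked in carried.items():
            if leaked:
                findings.append((host, field, sorted(leaked)))
    return findings


if __name__ == "__main__":
    for host, field, leaked in audit(SAMPLE_CAPTURE):
        print(f"{host:<30} {field:<12} {', '.join(leaked)}")
```

Run against the sample, the audit flags the pixel and analytics calls fired from the doctor-search and booking pages (both through the parameter that carries the page URL or path and through the Referer), while the same pixel firing from the about-us page and the font download produce nothing. That distinction is the point: the finding is the data the request carries, not the mere presence of a vendor script, so the same check can be re-run after tags are reconfigured to confirm the leak is actually closed. Real captures should be exported from the browser's developer tools or a proxy and fed in the same shape.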

How to Ensure HIPAA Compliant Online Tracking

Providers should avoid the common pitfalls of online tracking technologies. Every disclosure of PHI to an online tracking technology must be permitted by the Privacy Rule, and, unless an exception applies, the disclosure must be limited to the minimum necessary PHI to achieve the intended purpose.

If a provider discloses PHI to a tracking technology vendor, that vendor must sign a business associate agreement, and the disclosure must still be one that HIPAA specifically permits; the agreement does not by itself authorize a disclosure. If the vendor is not a business associate, the provider must obtain the individual's written authorization before disclosing PHI to the vendor.

Finally, providers should address the use of tracking technologies in their risk analyses and risk remediation processes, and implement appropriate administrative, physical, and technical safeguards (such as encryption, access controls, authentication controls, and audit controls) when they access ePHI stored in the tracking technology vendor's infrastructure. These controls protect ePHI from unauthorized access.