HHS: Web Trackers in Patient Portals Violate HIPAA

December 2, 2022 CynergisTek, Inc.

HHS warns that the use of tracking code in many healthcare websites and portals could be violating HIPAA privacy regulations.

Federal regulators warned healthcare entities over commercial web traffic trackers embedded into patient portals, saying their use may violate patient privacy law.

A Department of Health and Human Services bulletin issued Thursday says entities covered by HIPAA can't use the trackers if they transmit protected health information without patient consent or if they don't have a signed business associate agreement with the technology tracking vendors. Violations of HIPAA are punishable by fines, and in rare cases, by criminal prosecution.

The warning from the department's Office of Civil Rights comes months after revelations that medical providers have used free web user tracking code offered by Facebook and Google in websites frequented by patients. Facebook parent Meta faces a proposed class action alleging it violated privacy law by collecting patient information via its Pixel tracker, including data on doctors, conditions and appointments (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).

At least three major healthcare organizations in recent weeks have treated their previous use of web tracking code as a reportable data breach. Community Health Network, Advocate Aurora Health and WakeMed Health and Hospitals have said they've discontinued the use of the tracking codes in their websites and portals.

"Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients' health information when using tracking technologies," said HHS OCR Director Melanie Fontes Rainer in a statement.


About the Author

CynergisTek, Inc.

CynergisTek is a top-ranked cybersecurity consulting firm dedicated to serving the information assurance needs of healthcare. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. The company has been recognized by KLAS in the 2016 and 2018 Cybersecurity reports as a top performing firm in healthcare cybersecurity, as well as the 2017 Best in KLAS winner for Cybersecurity Advisory Services.
