HHS: Web Trackers in Patient Portals Violate HIPAA
Feds Warn Impermissible Disclosures of Patient Health Data Are Prohibited
Federal regulators warned healthcare entities over commercial web traffic trackers embedded into patient portals, saying their use may violate patient privacy law.
A Department of Health and Human Services bulletin issued Thursday says entities covered by HIPAA can't use the trackers if they transmit protected health information without patient consent or if they don't have a signed business associate agreement with the tracking technology vendors. Violations of HIPAA are punishable by fines and, in rare cases, by criminal prosecution.
The warning from the department's Office of Civil Rights comes months after revelations that medical providers have used free web user tracking code offered by Facebook and Google in websites frequented by patients. Facebook parent Meta faces a proposed class action alleging it violated privacy law by collecting patient information via its Pixel tracker, including data on doctors, conditions and appointments (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).
At least three major healthcare organizations in recent weeks have treated their previous use of web tracking code as a reportable data breach. Community Health Network, Advocate Aurora Health and WakeMed Health and Hospitals have said they've discontinued the use of the tracking codes in their websites and portals.
"Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients' health information when using tracking technologies," said HHS OCR Director Melanie Fontes Rainer in a statement.
Rules for Website Trackers
The bulletin specifies that login-protected pages, such as a patient or health plan beneficiary portal or a telehealth platform, are particularly susceptible to transmitting protected health information if they contain trackers. Tracking technologies on those webpages generally have access to PHI, which could include an individual's IP address, medical record number, home or email address, appointment dates, diagnosis, treatment or other information, HHS says.
Those sites should be configured to ensure that any data disclosure to third parties such as Facebook and Google is made with patient consent and that the information is "protected and secured in accordance with the HIPAA Security Rule."
Medical caregiver websites that don't require users to log in are another matter, HHS says. Those webpages typically do not have access to protected health information - and if they don't, then HIPAA rules about privacy and security don't apply - but there are exceptions, HHS warns.
Tracking code on an unauthenticated webpage that addresses specific symptoms or health conditions, or that permits individuals to search for doctors or schedule appointments without entering credentials, may have access to PHI in certain circumstances.
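The authenticated-versus-public distinction the bulletin draws is something a portal team can check for directly in page markup. The following is an added example, not code from the article or from HHS: a Python audit that inventories every third-party script, image, iframe or stylesheet a page loads and flags the Meta Pixel and Google tag loaders by their well-known hostnames; the tracker-host table, the function names and the sample portal HTML are this example's own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the two tracker families named in the article. Assumption: extend
# this table for whichever other vendors your own risk analysis covers.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel tracking endpoint",
    "www.googletagmanager.com": "Google Tag Manager / gtag loader",
    "www.google-analytics.com": "Google Analytics",
}
# Tags whose URL attribute makes the browser contact another server.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ThirdPartyLoads(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.loads = []  # (tag, host, url) for every off-host resource

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(LOADING_ATTRS.get(tag, ""))
        host = urlparse(url).netloc.lower() if url else ""
        # Relative URLs have no netloc and are first-party; skip them.
        if host and host != self.own_host:
            self.loads.append((tag, host, url))

def audit_page(html, own_host, authenticated):
    """Inventory third-party loads and flag known trackers. A tracker on an
    authenticated page is the bulletin's high-risk case; a public page that
    carries one still needs review, since some public pages expose PHI too."""
    parser = ThirdPartyLoads(own_host)
    parser.feed(html)
    hosts = sorted({h for _, h, _ in parser.loads})
    trackers = {h: KNOWN_TRACKER_HOSTS[h] for h in hosts if h in KNOWN_TRACKER_HOSTS}
    return {"third_party_hosts": hosts, "trackers": trackers,
            "needs_review": bool(trackers),
            "high_risk": authenticated and bool(trackers)}

# Constructed sample of a logged-in portal page; the ids are placeholders.
SAMPLE_PORTAL_HTML = """<html><head>
<script src="/static/portal.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView&noscript=1" />
<a href="/appointments">My appointments</a></body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_PORTAL_HTML, "portal.example-health.org", True))
```

Running the audit over the sample reports three third-party hosts, all of them known trackers, so the page is flagged high risk; a page whose only off-host load is a font or stylesheet host is inventoried but not flagged.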
Rules for Mobile Apps
Mobile apps that regulated entities offer to individuals - such as apps to help manage health information or pay bills - can collect information such as fingerprints, network location, geolocation and device ID.
All of that is protected health information, meaning that any disclosures to the app vendor or to third parties through tracking code are covered by HIPAA, HHS says.
Regulations don't apply to information that users voluntarily download or enter into mobile apps not developed or offered by or on behalf of regulated entities.
Tracking technologies have the ability to consume and manage a significant amount of information about an individual, says attorney Andrew Mahler, vice president of privacy and compliance at security consultancy CynergisTek.
"If not implemented appropriately and thoughtfully, an organization using tracking technologies places the privacy of its patients, members, and consumers at risk."
The bottom line is that healthcare entities' websites, patient portals and mobile apps "should have express consents that the patients need to click on if they want to permit tracking; include full disclosures of what the information will be used for, including being sold or utilized by a third party; and give the patient the option to opt out of having their information collected," regulatory attorney Rachel Rose tells Information Security Media Group.