Does my Website Need to be HIPAA Compliant?

If you are a healthcare provider or an organization that provides services to healthcare providers, you probably have a website. Your website probably uses trackers to monitor traffic and what people are doing on the site. Your trackers might tell you that I visited your website to read about the new services being provided at the outpatient center you opened near my house, that I clicked to see what doctors have offices there, and that I read your diabetes management blog post. Even though I never made an appointment or may not have an existing relationship with you, did you just acquire Protected Health Information (PHI)? If tracking technology is used to monitor my activities on your website, did you just experience a breach of PHI and a HIPAA violation? 

According to a bulletin issued by the Office of Civil Rights of the Department of Health and Human Services in December 2022, possibly.

Traditionally, most of us would have assumed that if you were on an unauthenticated website that does not require you to log in, your browsing tracking and history would not have been PHI. But the bulletin specifically states:

Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a healthcare provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.

So, in the example above did my browsing of the website to learn about diabetes management suddenly mean you now have PHI about me? That would appear to be what the OCR is saying.

This creates a lot of questions. In the example above I read about an organization’s diabetes management. The OCR would seem to be saying that since it’s a health condition that would imply that if your website uses trackers to monitor my activity you now have PHI. This would appear to apply even if I was searching for information about a medical condition I don’t actually have.

Your website privacy practices page probably discloses that you use trackers for marketing purposes, but the OCR clearly stated that will not meet the requirements.

The OCR guidance indicates that they believe any organization using a vendor to perform the tracking of activity within your website should have a Business Associate Agreement (BAA) with that vendor. That means that if you use any tracking technologies that you don’t fully control you need a BAA with the provider. That raises many questions your organization needs to answer, including:

• Do you have a BAA with Meta if you have a Facebook link on your website?
• If you use Google’s tracking or any other vendor, do you have a BAA with them?
• Do you really know what trackers you have?

Often organizations have multiple trackers installed, including some they don’t use, but because they were free they never bothered to turn them off.  

If you don’t have BAAs in place, then it becomes your responsibility to provide a HIPAA-compliant notice to people accessing your website. In other words, you are responsible for giving them the information in your Notice of Privacy Practices about marketing as they access the website.  

What about Authenticated Websites?

Authenticated websites are sites that require users to log in. With authenticated websites, it’s probable that users have already received or will receive electronically your Notice of Privacy Practices which explains how you could use their PHI including for marketing purposes. However, that would not relieve you from the responsibility of ensuring that you only shared that PHI in compliance with the HIPAA regulations, which means obtaining BAAs if your website tracking shares data with a third party. 

How to Address HIPAA Website Tracker Requirements

1.) Determine what is currently happening. Do a detailed review of the website to determine what tracking is currently happening. This will require going through the entire website, not just the home page or the most visited pages, and making sure you know where all your trackers are and whom they are sharing data with.  Make sure you include ALL websites.

2.) Once you have the information on what you are using for tracking, determine if you had a BAA in place with those vendors. Note that the OCR specifically indicates that even if that vendor says it deidentified the data after it was received, you would still need the BAA as you sent identified data.    

3.) Develop a remediation plan.

• If you don’t have a BAA, get one!
• If you can’t get a BAA, disable those trackers!
• Perform a breach assessment. Yes, you read that right. You have had what the OCR would consider a breach. You have provided PHI to a third party without that BAA in place. You need to assess what was disclosed and what was done with that PHI. CompliancePoint would also recommend that you assess the risk of failure to comply with any relevant state privacy regulations regarding the use of personal data.

4.) Implement controls to make sure changes to your websites are monitored to prevent the introduction of unapproved trackers. CompliancePoint recommends that you review the website in detail at least annually to make sure nothing has changed that should be addressed.

What is the Risk?

This risk has obviously come to the attention of OCR as evidenced by the recently issued bulletin.  Additionally, healthcare providers are beginning to report their assessment of breaches resulting from providing this tracking data which will only raise the focus on this risk. On March 20,2023, New York Presbyterian Hospital reported a breach of over 54,000 individuals related to website tracking.  

This risk is being actively evaluated by attorneys and others for potential violations. A report published by The Markup evaluated the websites of Newsweek’s Top 100 hospitals and documented the identification of the Facebook Meta Pixel tracking activity on 33 of the websites.

Meta, the owner of Facebook, is currently facing lawsuits over their use of PHI obtained from hospital websites. More troubling to covered entities are the class action lawsuits being filed against them in relation to the sharing of information with Meta without a BAA. A quick search finds lawsuits against several major healthcare providers and evidence of others in the development stage.  

Additionally, several states have privacy laws that could be applicable to your organization. Several of these states have regulations related to privacy considerations on websites that should be considered as you do your risk assessment and any subsequent breach analysis.  

Listen to our Web Trackers and HIPAA Compliance podcast.

At CompliancePoint we have a team of experienced healthcare, information security, and privacy professionals. We have helped organizations of all sizes maintain HIPAA compliance. Contact us at connect@compliancepoint.com to learn more about how we can help your organization.