

PHI and Online Tracking Technologies


Recently, the Health and Human Services Department (HHS) came out with guidance regarding the use of online analytics technologies. This guidance will impact a lot of Provider and even some payer websites, including hospitals, clinics, medical groups, imaging centers, and more. It gives more insight into how healthcare organizations can better ensure patient data is not inadvertently revealed.

Why Guidance and Not a Rule

This guidance has to do with HIPAA, which is an existing law and one for which many organizations already spend a lot of effort ensuring the privacy of that data. The guidance focuses on where most people might think there is no issue. Many think that patient data is behind firewalls and logins and not available on a simple .com site, so why should we worry? It turns out that there is risk, and we need to ensure we do not inadvertently expose the wrong data. Here’s what HHS has to say about this guidance on its web site.

Tracking technologies are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications (“apps”). For example, a regulated entity may engage a technology vendor to perform such analysis as part of the regulated entity’s health care operations. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI). Some regulated entities may share sensitive information with online tracking technology vendors and such sharing may be unauthorized disclosures of PHI with such vendors. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.

What Advice Does HHS give?

Let’s break down the advice around tracking and HIPAA:

  • This is applicable to online tracking technologies. (web analytics, embedded scripts, etc.)
  • HIPAA rules apply when information collected is disclosed to the tracking tools
  • Providers are NOT permitted to use tracking technologies that result in PHI disclosures
  • This applies to authenticated and unauthenticated scenarios
  • For example, gathering PHI during an online appointment schedule
  • IP addresses count as PHI
  • You need to determine if a tracking vendor requires a BAA

What Do Providers Need To Address

Even simple web sites like your hospital’s main site can collect PHI.  Let me walk you through some examples of where you must be very careful about the use of web tracking technologies.

Find a Doctor

When you schedule an appointment you collect PHI in the form of  name, address, reason for the appointment, type of doctor you are seeing, etc.  If you use a web tracker of any kind as you capture this information and that web tracker captures this PHI in their public, unencrypted cloud, then you have a HIPAA violation.

Class or Interest Forms

Many hospitals provide classes and newsletters but as they capture information to register interest or register for the class, they may tie identifying information to a condition.

Clinical Trial Finder

In the same vein, registering interest in a specific clinical trial has the potential to capture PHI if you also use non-HIPAA-compliant tools to track these transactions.
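As an added example (not code from the original post, from HHS, or from any vendor), here is a small client-side guard in JavaScript that keeps a third-party analytics script from loading on the PHI-collecting pages described above unless the vendor has a BAA, and scrubs PHI-bearing query parameters and form fields from any event that is sent. The paths, field names, and the sample URL and form are assumptions made for illustration.

```javascript
// Added example: a tracker-loading guard plus payload scrubber for a
// hospital site. Paths, field names and sample data below are constructed.

// Page paths where the site itself collects PHI (appointment scheduling,
// class registration, clinical-trial interest forms). Assumed for this demo.
const PHI_PATH_PREFIXES = [
  '/schedule',
  '/find-a-doctor/appointment',
  '/classes/register',
  '/clinical-trials/interest',
];

// Query-string keys and form field names that carry PHI in the sample app.
const PHI_KEYS = new Set([
  'name', 'first_name', 'last_name', 'email', 'phone', 'dob', 'address',
  'reason', 'condition', 'specialty', 'trial_id',
]);

function isPhiPath(pathname) {
  return PHI_PATH_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + '/'));
}

// Only load the vendor script on PHI pages when a Business Associate
// Agreement is in place; otherwise the tracker must not run there at all.
function shouldLoadTracker(pathname, vendorHasBaa) {
  if (vendorHasBaa) return true;
  return !isPhiPath(pathname);
}

// Copy of the page URL with PHI-bearing query parameters removed, so a
// page-view event does not ship "?reason=..." or "?specialty=..." to a vendor.
function scrubUrl(urlString) {
  const u = new URL(urlString);
  for (const key of [...u.searchParams.keys()]) {
    if (PHI_KEYS.has(key.toLowerCase())) u.searchParams.delete(key);
  }
  u.hash = ''; // fragments sometimes carry state from single-page forms
  return u.toString();
}

// Build an analytics event: PHI field values are replaced with a marker so
// only non-PHI fields (e.g. a preferred day) reach the vendor.
function buildEvent(urlString, formFields) {
  const fields = {};
  for (const [k, v] of Object.entries(formFields)) {
    fields[k] = PHI_KEYS.has(k.toLowerCase()) ? '[redacted]' : v;
  }
  return { page: scrubUrl(urlString), fields };
}
```

Scrubbing alone does not make an unauthorized vendor acceptable: the vendor still receives the client IP address, which the guidance treats as PHI, so the load decision in shouldLoadTracker is the control that matters on these pages.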

The Bottom Line

Providers need to be very careful when using web and social analytics tracking tools on their public-facing sites. These sites do capture PHI. All Providers’ sites already securely capture it in a variety of forms for transfer to their internal systems. Providers just need to ensure that other analytics tools don’t capture that data and deposit it in their public cloud.

I’ll discuss some additional challenges and do’s and don’ts around PHI and web analytics next time.

Thoughts on “PHI and Online Tracking Technologies”

  1. As an avid reader and concerned advocate for privacy rights, I found your blog post on PHI and online tracking technologies to be incredibly insightful and relevant in today’s digital landscape. It is undeniable that the rise of online tracking technologies has raised significant concerns regarding the security and privacy of Personally Identifiable Information (PII) and Protected Health Information (PHI).

    The convergence of healthcare and technology has undoubtedly brought about numerous benefits, but it has also opened the door to potential vulnerabilities and risks. Your article does an excellent job of shedding light on these issues and emphasizing the need for robust measures to safeguard PHI from unauthorized access and exploitation.


Michael Porter

Mike Porter leads the Strategic Advisors team for Perficient. He has more than 21 years of experience helping organizations with technology and digital transformation, specifically around solving business problems related to CRM and data.
