Website data practices are a dark, dusty, overlooked corner of risk management that should not be ignored in your broader security strategy. Recent investigations into the website data practices at major U.S. hospitals have revealed serious flaws in the way third-party trackers behave on their websites and patient portals. Any company that is covered by HIPAA needs to pay close attention to these trackers and their access to protected health information (PHI).
Much of the work of healthcare is now completed online or digitally. Online appointment scheduling, provider messaging, and prescription management make healthcare easier and more streamlined for both physicians and patients. But going digital means that more PHI is collected, transmitted, and stored through a wide variety of tools and systems.
Your company’s website may be a place where PHI is collected and transmitted. If you are subject to HIPAA and handle PHI at any level, you need to assess your site for third-party trackers that could be accessing and disclosing data behind the scenes.
Who Is Covered by HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. It covers health plans (including insurers and health maintenance organizations, plus government programs like Medicare); healthcare providers that transmit health information electronically for billing and other standard transactions, which in practice is nearly all of them; healthcare clearinghouses; and business associates of HIPAA-covered entities and their subcontractors.
The list of business associates of HIPAA-covered entities is nearly endless. It includes billers, attorneys, CPA firms, pharmacy benefit managers, cloud services providers, and many others. In short, any entity that accesses, stores, uses, or transmits PHI on behalf of a covered entity is subject to HIPAA.
What Are HIPAA’s Rules About PHI?
Under HIPAA, covered organizations that create, receive, maintain, and/or transmit PHI must take specific measures to protect it.
The transmission of PHI includes email, text, and web forms (your website!). Storage of PHI includes apps and data centers.
If your business and/or its websites transmit health information specific to individuals, you need to screen your chat features, forms, scheduling tools, loyalty programs, and client portals for risk factors, including, but not limited to, third-party trackers.
Meta Pixel + Health Systems = Bad News
Meta Pixel is Facebook’s retargeting tool (a tracker). It is a JavaScript snippet added to a site’s pages: it runs in every visitor’s browser, loads Facebook’s tracking script, and reports page views and other events back to Facebook, along with the visitor’s IP address and any Facebook cookies already in that browser. Developers and marketers use the tool to improve financial returns from marketing investment. Retargeting tools are the reason certain ads “follow” you to different websites as you work or surf the web.
In June 2022, The Markup published the results of its Pixel Hunt project. The crowd-sourced collaboration with Mozilla Rally used volunteers to gather data on Meta Pixel’s behavior across the web.
The project found that one third of the top 100 U.S. hospitals (HIPAA-covered entities) were sending sensitive data to Facebook via Meta Pixel. The code was found on the hospitals’ public appointment scheduling pages.
Data sent to Facebook via the public websites included the doctor’s name and the search term used to find the doctor. The data was tied to an IP address, which can generally be linked to an individual or household. Facebook would have been easily able to discern whether you (or someone in your home) were making an appointment because you were pregnant, depressed, rashy, addicted to pills, trying to quit smoking, concerned about a mole, etc. Information you might not like anyone to know. And information that HIPAA does not allow to be disclosed without authorization.
Most shockingly, The Markup found that seven of the top 100 hospitals had pixels installed inside their password-protected patient portals. The data shared via the pixel here included patient medications, allergy information, and details of upcoming appointments.
Fallout from Lack of Compliance
The Markup spoke with a number of legal experts, health data security experts, and privacy advocates who agreed that the hospitals’ use of Meta Pixel may have violated HIPAA. One expert said, “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”
A class action lawsuit was brought against Mass General Brigham Inc. in September 2021. The plaintiffs in the suit alleged “that the defendants did not obtain sufficient consent when placing third-party analytics tools, cookies and pixels on their general and publicly accessible websites.”
The complaint alleged that the cookies and pixels gathered information on patients that was subsequently sold to third parties. The defendants denied any wrongdoing or liability but agreed to settle out of court in the amount of $18.4 million.
What You Can Do
Cleaning up your website data practices is worth the effort to maintain compliance with HIPAA and any other standards that cover your industry.
Any company dealing with sensitive information can start by inventorying the third-party scripts on its website and checking them for trackers like Meta Pixel. Review every page, including authenticated portals, not just the home page. Serve every page over HTTPS (a TLS certificate, often still called an SSL certificate) so that form submissions are encrypted in transit. Be clear about what HTTPS does not do: a tracker already running in the page makes its own encrypted request to the vendor, so encryption in transit does nothing to stop that disclosure. Only removing the tracker, or keeping it off pages that handle PHI, does. For website hosting, look for vendors who will sign a business associate agreement and are accustomed to doing business in the HIPAA space.
If you transmit PHI in the course of normal business, use an email service that encrypts messages in transit and at rest and that will sign a business associate agreement. Then limit the employees who can access PHI to those who truly have a business need.
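A first pass at the tracker scan described above, and at what the pixel snippet from the earlier section actually looks like in page source, as an added example that is not Asylas’s own tooling. It scans a page’s HTML for Meta Pixel and tag-manager signatures and lists every external script host. The sample page, the pixel ID 1234567890, the GTM container ID and the hostname www.example-hospital.org are all constructed placeholders.

```javascript
// Added example (not Asylas's own tooling): a static scan of page HTML for
// third-party tracker snippets such as Meta Pixel. The page HTML, the pixel ID
// 1234567890, the GTM container ID and the hostname below are all constructed
// placeholders for illustration.

// Signatures for well-known trackers. Meta Pixel shows up as the public
// fbevents.js loader URL plus fbq('init', '<pixel id>') and fbq('track', ...)
// calls; the capture group, where present, pulls out the ID or event name.
const TRACKER_SIGNATURES = [
  { name: "Meta Pixel loader",  pattern: /connect\.facebook\.net\/[^"'\s>]*fbevents\.js/ },
  { name: "Meta Pixel init",    pattern: /fbq\(\s*["']init["']\s*,\s*["'](\d+)["']/ },
  { name: "Meta Pixel event",   pattern: /fbq\(\s*["']track(?:Custom)?["']\s*,\s*["']([^"']+)["']/ },
  { name: "Google Tag Manager", pattern: /googletagmanager\.com\/gtm\.js/ },
];

// One finding per signature hit, in document order within each signature.
function findTrackers(html) {
  const findings = [];
  for (const { name, pattern } of TRACKER_SIGNATURES) {
    const re = new RegExp(pattern.source, "gi");
    for (const m of html.matchAll(re)) {
      findings.push({ name, detail: m[1] ?? null });
    }
  }
  return findings;
}

// Hosts of every <script src=...> tag that is not served by the site itself.
// Relative URLs resolve against the site host and count as first-party.
function externalScriptHosts(html, siteHost) {
  const hosts = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    let host;
    try {
      host = new URL(m[1], `https://${siteHost}/`).hostname;
    } catch {
      continue; // malformed src: skip it rather than abort the scan
    }
    if (host !== siteHost) hosts.add(host);
  }
  return [...hosts].sort();
}

function scanPage(html, siteHost) {
  const trackers = findTrackers(html);
  return {
    externalScriptHosts: externalScriptHosts(html, siteHost),
    trackers,
    metaPixelPresent: trackers.some((f) => f.name.startsWith("Meta Pixel")),
  };
}

// Constructed "find a doctor" page: a first-party script, a simplified stand-in
// for the pixel loader (the real loader likewise creates its <script> element
// at runtime rather than via a static <script src> tag), and a tag manager.
const SAMPLE_HTML = `<!doctype html>
<html><head><title>Find a Doctor</title>
<script src="/static/app.js"></script>
<script>
  var t = document.createElement('script');
  t.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(t);
  fbq('init', '1234567890');
  fbq('track', 'PageView');
  fbq('trackCustom', 'FindADoctorSearch', { search_term: q, doctor: name });
</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
</head><body><form id="search"><input name="q"></form></body></html>`;

const report = scanPage(SAMPLE_HTML, "www.example-hospital.org");
console.log(JSON.stringify(report, null, 2));
```

Two things the sample is built to show. First, `externalScriptHosts` reports only `www.googletagmanager.com`: the pixel loader adds `fbevents.js` at runtime, so an inventory of `<script src>` tags alone misses it, which is why the signature list looks for the loader URL string and the `fbq(...)` calls instead. Second, the `trackCustom` call carries a search term and a doctor name, which is exactly the kind of event payload The Markup observed. A static scan also cannot see anything a tag manager injects at runtime, so confirm findings in a browser by watching the network tab (or a headless browser capture) for requests to Facebook’s pixel endpoint while loading each page, including portal pages reached with a test account.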
If you need help reviewing your websites for third-party trackers and other risks to your compliance with HIPAA, please reach out to Asylas. Call us at 615-622-4591 or firstname.lastname@example.org. Or complete our contact form.