
Why Tracking Technologies Could Affect HIPAA Compliance

Key Takeaway

HIPAA regulates how healthcare websites use tracking technologies like Google Analytics when they can disclose PHI to third-party vendors. This guide explains the HHS tracking technology guidance, how PHI is defined online, the difference between authenticated and unauthenticated pages, and how to reduce risk by isolating PHI flows.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney or compliance professional when interpreting HIPAA regulations.

Protecting patient privacy is one of the main goals of HIPAA. Many of its rules are straightforward, and it is easy to see how they serve that goal. Access restriction, data encryption, and audit logging all make sense. Combined, they form a strong set of security controls that limit who can access protected health information (PHI) and leave a record from which improper disclosures can be detected.

HIPAA also has rules that are just as important for protecting PHI but far less clearly explained. Sometimes the guidance lives apart from the rest of the regulations and is easy to overlook. Even when it is easy to find, it is likely to be dense and filled with technical language. This is especially true of the guidance on the use of tracking technologies.

This matters because many web builders add tracking technology to medical sites without understanding how HIPAA governs it. This post clears up some of the confusion by looking at what tracking technology does and how it interacts with PHI.

What is Tracking Technology?

Tracking technology is a broad term for the many different methods and systems that are combined to assist with sectors like marketing, logistics, manufacturing, and security. Though HIPAA can govern many types of tracking methods, the most commonly implicated are solutions used for marketing. Marketers make use of these software packages to analyze how visitors interact with websites and apps. The most common solution is Google Analytics.

In general purpose settings, this data is invaluable. The digital landscape is always evolving. Marketing teams need every possible tool in their arsenal to ensure their clients continue to perform well. Tracking technology can help them identify exactly what content is performing well in terms of visibility and conversions.

This is just as true in the medical field. Every practice wants to grow and attract new patients, and a quality website is central to that mission. The problem is that the U.S. Department of Health and Human Services (HHS) has stated in plain terms that HIPAA applies to marketing tracking technology:

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

While this seems to be written in no uncertain terms, it raises more questions than it answers. What counts as an impermissible disclosure? Which HIPAA rules can be violated? What PHI do websites collect? Before answering these questions, it is best to start with how PHI is defined.

PHI Simplified

Understanding Protected Health Information (PHI) is key to knowing how HIPAA interacts with the medical world. A lot of HIPAA confusion comes from not realizing that certain data counts as PHI, which can lead to critical oversights.

Before data can be classified as PHI, it must be individually identifiable health information (IIHI). The key is in the name: any health-related information that can be used to identify an individual. The definition is intentionally broad and includes demographics, medical records, billing information, and more.

IIHI becomes PHI as soon as it is created, received, maintained, or transmitted by a covered entity or business associate. The information itself is the same; which regulations govern it depends on who holds it. For example, immunization records kept by a university are IIHI, but a university is generally not a covered entity under HIPAA, so the Family Educational Rights and Privacy Act (FERPA) usually governs how that data is protected. The same immunization records held by the patient's healthcare provider are PHI.

That distinction is important, but it can still seem convoluted. Here is a two-item checklist that breaks it down further. To be considered PHI, information:

  1. Must identify an individual,

AND

  2. Must relate to their past, present, or future health condition, the provision of health care to them, or payment for that care.

As long as the information is handled by a covered entity or business associate, that is all it takes to count as PHI.

What is the HHS Guidance on Tracking Technology?

Now that PHI has been broken down, the HHS guidance is easier to follow. It explains that tracking technologies may disclose information to tracking vendors, including medical record numbers, home or email addresses, appointment dates, and IP addresses or geographic locations.

HHS also points out that the information can be PHI even if the individual has no existing relationship with the covered entity, or if it “does not include specific treatment or billing information.” This means that context matters in HIPAA enforcement. Information does not always have to mention treatment; in some cases, involvement of health care can be inferred from the situation alone. For example, if an individual visits a practice's page about treatment options for a heart condition, the information a tracker collects (the visitor's IP address, for instance) can identify them and now relates to their current condition and future health care.

Authenticated vs. Non-Authenticated Pages

HHS makes a distinction on tracking technology for authenticated and non-authenticated web pages. An authenticated page is one that requires a user to log in. These pages are often tied to patient portals, telehealth platforms, and other systems that have expanded access to PHI.

This means that any PHI used or disclosed by tracking technology on these pages must comply with the HIPAA Privacy Rule and be protected according to the safeguards in the Security Rule. Since a tracking vendor handling PHI on behalf of a covered entity is a business associate, it must sign a business associate agreement (BAA). A BAA does not, on its own, make a disclosure permissible: if the Privacy Rule would not otherwise allow the vendor's use of the PHI (for marketing, for instance), the individual's HIPAA authorization is required first. Without these components, tracking technologies cannot be deployed on an authenticated page.

Unauthenticated pages are those that do not require a login, which covers most of the pages a visitor sees on a website. Tracking on these pages carries less risk because there is usually less PHI to collect, but it is not risk-free. For example, if a visitor's email and IP addresses are collected while they are on a page for scheduling appointments, that combination would likely count as PHI, and the same rules apply.

How Form Vessel Can Help

One of the best ways to protect against non-compliant disclosures through tracking technology is to isolate PHI flows. In the earlier example of a patient filling out an appointment request form on an unauthenticated page, a tracking script loaded on that page can read everything the patient types into the form.

If the form is built with Form Vessel, it is embedded on the page in an inline frame (iframe). The browser's same-origin policy prevents scripts on the surrounding page from reading the contents of a frame served from a different origin, so a standard tracking script cannot read the form fields. Data can cross that boundary only if the frame is deliberately wired to the analytics software (a postMessage bridge, for example). Form Vessel does not allow this due to our compliance-first focus. Note that the iframe isolates the form, not the page around it: a tracker on the surrounding page still sees which page was loaded and from which IP address, which is why the other PHI flows on the site still need attention.
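The following is an added example, not code from Form Vessel, HHS, or this post's author. It shows the other half of isolating PHI flows: a gate placed in front of a tracking vendor that applies the post's two-part PHI test (does the event identify an individual, and does its context relate to health care?) to each analytics event before anything leaves the page. It covers the appointment-form case above and generalizes it to condition pages and the patient portal. The site paths, field names and sample events are assumptions constructed for illustration.

```javascript
// Added example, not Form Vessel or HHS code. A gate in front of a tracking
// vendor that applies the two-part PHI test to each analytics event.
// Path patterns, field names and sample events are assumed for illustration.

// Pages whose context relates to the provision of health care (assumed layout).
const CARE_CONTEXT_PATHS = [
  /^\/appointments?(\/|$)/i,   // appointment request / scheduling pages
  /^\/conditions\//i,          // pages about specific conditions or treatments
  /^\/portal(\/|$)/i,          // authenticated patient portal
  /^\/telehealth(\/|$)/i,
];

// Values or field names that identify an individual. The "ip" rule catches an
// address copied into the payload; the IP the vendor sees at the network
// layer is handled separately in classifyEvent().
const IDENTIFIER_RULES = [
  { kind: "email", test: (k, v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) },
  { kind: "ip",    test: (k, v) => /^(\d{1,3}\.){3}\d{1,3}$/.test(v) },
  { kind: "phone", test: (k, v) => /^[\d\s()+.-]+$/.test(v) && v.replace(/\D/g, "").length >= 10 },
  { kind: "mrn",   test: (k, v) => /^(mrn|medical_record(_number)?|patient_id)$/i.test(k) },
  { kind: "name",  test: (k, v) => /^(first|last|full)?_?name$/i.test(k) },
];

function hasCareContext(pathname) {
  return CARE_CONTEXT_PATHS.some((re) => re.test(pathname));
}

function isIdentifier(key, value) {
  return IDENTIFIER_RULES.some((r) => r.test(key, String(value)));
}

// Sorted list of the identifier kinds present in the params.
function findIdentifiers(params) {
  const kinds = new Set();
  for (const [k, v] of Object.entries(params)) {
    for (const r of IDENTIFIER_RULES) if (r.test(k, String(v))) kinds.add(r.kind);
  }
  return [...kinds].sort();
}

// Decide what, if anything, may be forwarded to the vendor for this event.
// event = { url: full page URL, params: fields the analytics call would send }
function classifyEvent(event) {
  const url = new URL(event.url);
  // Query-string parameters travel with the page URL, so they count as sent.
  const params = { ...Object.fromEntries(url.searchParams), ...event.params };
  const identifiers = findIdentifiers(params);
  const careContext = hasCareContext(url.pathname);

  // On a care-context page the request itself hands the vendor the client IP,
  // which HHS treats as identifying; redaction cannot fix that, so send nothing.
  if (careContext) {
    return { action: "block", careContext, identifiers, params: {} };
  }
  // Off care-context pages, drop identifying fields and forward the rest.
  if (identifiers.length > 0) {
    const clean = Object.fromEntries(
      Object.entries(params).filter(([k, v]) => !isIdentifier(k, v)));
    return { action: "redact", careContext, identifiers, params: clean };
  }
  return { action: "allow", careContext, identifiers, params };
}

// Constructed sample events, not captured traffic.
const SAMPLE_EVENTS = [
  { url: "https://clinic.example/appointments/request?utm_source=ad",
    params: { email: "jane@example.com", ip: "203.0.113.7", reason: "chest pain" } },
  { url: "https://clinic.example/conditions/heart-failure", params: {} },
  { url: "https://clinic.example/newsletter",
    params: { email: "jane@example.com", page_title: "Newsletter" } },
  { url: "https://clinic.example/about?utm_source=ad", params: { page_title: "About us" } },
];

for (const e of SAMPLE_EVENTS) console.log(classifyEvent(e));
```

The design choice worth noting is that a care-context page is blocked outright rather than redacted, even when the payload carries no identifiers: the vendor learns the visitor's IP address from the request itself, and the post's example of a visitor reading about a heart condition shows that IP plus context is enough to be PHI. Redaction is only useful on pages where the context test fails.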

Is Your Website Ready to Go?

Form Vessel is purpose-built for healthcare and can help any provider who needs a secure form solution on their website. Marketing teams can still collect the information they need to do their job without compromising form data. However, it is not a full website compliance solution. Form Vessel handles one flow of PHI, but forms are not the only flow. Each case is different, and it is important to work with your team to identify every source of PHI and implement solutions that safeguard them.

It can be an extensive process, but you can simplify a big part of it by relying on Form Vessel as your practice’s HIPAA-aligned webform solution.