Are your web trackers violating HIPAA?
HealthInfoSecurity.com reported “Federal regulators warned healthcare entities over commercial web traffic trackers embedded into patient portals, saying their use may violate patient privacy law.” The December 1, 2022 report entitled “HHS: Web Trackers in Patient Portals Violate HIPAA” (https://tinyurl.com/y4fdbpfk) included these comments:
A Department of Health and Human Services bulletin (https://tinyurl.com/yu4epsbw) issued Thursday says entities covered by HIPAA can't use the trackers if they transmit protected health information without patient consent or if they don't have a signed business associate agreement with the technology tracking vendors. Violations of HIPAA are punishable by fines, and in rare cases, by criminal prosecution.
The bulletin specifies that trackers embedded into login pages such as a patient or health plan beneficiary portal or a telehealth platform are particularly susceptible to transmitting protected health information if they contain trackers. Tracking technologies on those webpages generally have access to PHI, which could include an individual's IP address, medical record number, home or email addresses, dates of appointments, diagnosis, treatment or other information, HHS says.
Those sites should be configured to ensure that any data disclosure to third parties such as Facebook and Google is made with patient consent and that the information is "protected and secured in accordance with the HIPAA Security Rule."
Unfortunately, there are no surprises in this report!
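The practical first question behind the headline is whether a portal's login page loads anything from a tracking vendor at all. The script below is an added example (not code from HealthInfoSecurity.com, HHS, or any vendor): it statically parses a page's HTML, lists every external origin the browser would fetch scripts, images, frames or stylesheets from, and flags the ones that belong to well-known tracking products. The portal URL, the sample HTML and the tracker-host list are all constructed for this example; the list is a short illustrative set, not an exhaustive catalogue.

```python
"""Static audit of a patient-portal page for third-party trackers.

Added example for this page, not code from the report or from HHS.
The sample HTML and hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames of widely deployed tracking products (illustrative, not complete).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}

# Tag/attribute pairs that make the browser fetch a remote resource
# (and therefore hand the visitor's IP address to that host).
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects every URL the page loads via the tags in RESOURCE_ATTRS."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def external_origins(html, page_url):
    """Return the set of hosts, other than the page's own, that the page loads from."""
    page_host = urlsplit(page_url).hostname
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlsplit(url).hostname  # None for relative URLs such as /static/app.js
        if host and host != page_host:
            hosts.add(host)
    return hosts


def audit_trackers(html, page_url):
    """Map each flagged third-party host on the page to the tracker product it belongs to."""
    return {
        host: KNOWN_TRACKER_HOSTS[host]
        for host in external_origins(html, page_url)
        if host in KNOWN_TRACKER_HOSTS
    }


# Constructed sample: a portal login page that loads a tag manager and a
# Meta Pixel alongside its own assets. Not a real site; IDs are placeholders.
SAMPLE_PORTAL_HTML = """
<html><head>
<link rel="stylesheet" href="/static/portal.css">
<script src="/static/login.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<form action="/login" method="post"><input name="username"><input name="password" type="password"></form>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0&ev=PageView">
<img src="https://cdn.example-hospital.org/logo.png">
</body></html>
"""

if __name__ == "__main__":
    page = "https://portal.example-hospital.org/login"  # assumed portal URL
    for host in sorted(external_origins(SAMPLE_PORTAL_HTML, page)):
        print("third-party origin:", host)
    for host, product in sorted(audit_trackers(SAMPLE_PORTAL_HTML, page).items()):
        print(f"TRACKER on login page: {host} ({product})")
```

A static scan like this only catches what is in the served HTML; tags injected at runtime by a tag manager, and the query strings the pixel actually sends after login, are only visible in the browser's network traffic, so a finding of "no trackers" here is a necessary first check rather than a clean bill of health. Conversely, any hit on a login or appointment page is worth escalating, because the bulletin treats the visitor's IP address alone as potentially PHI in that context.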