Is Your Website Data HIPAA Compliant?

Assessing Your Website’s HIPAA Compliance

Website design and implementation: two items that a designated HIPAA Privacy or Security official did not previously need to monitor. With the HHS's recent guidance, "Online Tracking Technologies by HIPAA Covered Entities and Business Associates," website tracking technologies are now part of the privacy and security controls that must be observed to remain compliant.

Read our recent post addressing OCR’s updated guidance about website trackers.

Since the HHS has determined that website tracking technologies can collect data in ways that violate the HIPAA Privacy Rule, the officials responsible for HIPAA Privacy and Security will want to be part of the conversation with the website developer, hosting provider, and marketing team.

Their involvement helps assure covered entities and business associates that the data collected on a website remains private and secure at all times, whether it is being used, stored, or transmitted.

What are Tracking Technologies?

Websites commonly use tracking technologies to gather data about how visitors use the site. Cookies, beacons, and pixels are used to improve website performance, personalize content, and optimize the user experience. The same technologies also allow visitors to be tracked across the Internet, collecting more information about them to build detailed profiles. While the website developer or marketing team may know which trackers are installed on a website, the website user will not be aware of them.

How Do Tracking Technologies Put PHI at Risk?

Protected health information (PHI) is any information about a patient. This includes identifiers such as name, email address, telephone number, or appointment time, as well as the patient's condition, treatment, or payment information.

Tracking technologies put PHI at risk when they collect and share PHI identifiers without consent or proper safeguards.

An example is a website that shares user data with a third-party tool, such as Meta Pixel, to track analytics for advertising purposes. The shared data could be considered PHI. If that data is shared without authorization or is misused, the sharing may violate HIPAA Privacy and Security standards.

To make matters worse, third-party vendors are often unclear about how they use or transmit the shared data. This uncertainty about how third-party trackers collect and use the shared data is what makes them a threat to individuals' privacy rights under the Health Insurance Portability and Accountability Act (HIPAA).

Is the Current Website Putting Patient Data at Risk?

A website audit is the best way to determine whether your organization’s website is risking patient health information.

The role of a HIPAA Privacy or Security official is to ensure that appropriate measures are in place to protect individuals' health data from unauthorized access or misuse. This includes regular audits of organizational systems, practices, policies, and procedures to maintain HIPAA compliance.

Your organization's assigned HIPAA Privacy or Security official will want to audit your website to determine whether:

  • Any PHI is transmitted through the website
  • Any PHI is stored on a server connected to the website
  • Any PHI is collected on the website
  • Any third-party trackers are used

and then create an action plan to address the issues found.

Once you know the status of your website’s analytics practices, you should review data collection, storage, and processing procedures to evaluate the appropriate security measures you have in place.

During the audit, your organization's HIPAA official may want to meet with the website developer or marketing team to review their process and help determine whether any third-party website trackers can continue to be used.
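
The first and last of those audit questions can be approximated with a static scan of a page's HTML. The script below is an added example, not code from this post, from PrivaPlan, or from the TrackerReveal service: it parses a constructed appointment-request page for a hypothetical site, clinic.example, lists every off-site URL a browser would fetch from or submit to, flags hosts on a small hand-maintained tracker list (the Meta Pixel script and image-beacon hosts, Google Analytics, Google Tag Manager), looks for the vendors' inline `fbq(` and `gtag(` calls, and calls out forms whose `action` posts to another domain, since fields such as name and condition would leave the site. The site host, the tracker host list, and the sample HTML are all assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short map of hosts that serve well-known tracking
# scripts and beacons; a real audit would grow this from what the scan finds.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}

# Global functions that the vendors' inline snippets call once loaded.
INLINE_TRACKER_CALLS = {
    re.compile(r"\bfbq\s*\("): "Meta Pixel",
    re.compile(r"\bgtag\s*\("): "Google tag",
}

# The attribute of each element that makes the browser fetch from, or submit to, a URL.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "form": "action"}


class ResourceCollector(HTMLParser):
    """Records every URL the page loads or submits to, plus inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.resources = []        # list of (tag, url)
        self.inline_scripts = []   # bodies of <script> elements without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.resources.append((tag, attrs[URL_ATTRS[tag]]))
        if tag == "script" and not attrs.get("src"):
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def is_first_party(host, site_host):
    """The site itself and its subdomains count as first party."""
    return host == site_host or host.endswith("." + site_host)


def audit_page(html, site_host):
    """Return findings for off-site loads, known trackers, and forms that post off-site."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).hostname   # None for relative URLs, which stay first party
        if host is None or is_first_party(host, site_host):
            continue
        if tag == "form":
            kind = "third_party_form_target"   # submitted fields may carry PHI off-site
        elif host in KNOWN_TRACKER_HOSTS:
            kind = "known_tracker"
        else:
            kind = "third_party_resource"      # unknown vendor: review its data handling
        findings.append({"kind": kind, "tag": tag, "host": host,
                         "detail": KNOWN_TRACKER_HOSTS.get(host, url)})
    for body in parser.inline_scripts:
        for pattern, name in INLINE_TRACKER_CALLS.items():
            if pattern.search(body):
                findings.append({"kind": "inline_tracker", "tag": "script",
                                 "host": None, "detail": name})
    return findings


# Constructed appointment-request page for the hypothetical site clinic.example.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://www.googletagmanager.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script src="https://clinic.example/static/app.js"></script>
</head><body>
<h1>Request an appointment</h1>
<form method="post" action="https://forms.example-vendor.test/submit">
  <input name="patient_name"><input name="condition"><button>Send</button>
</form>
<iframe src="https://maps.example-map-provider.test/embed?q=clinic"></iframe>
<img src="https://www.facebook.com/tr?id=EXAMPLE&ev=PageView" height="1" width="1">
<img src="/images/logo.png">
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "clinic.example"):
        print(f"{f['kind']:26} <{f['tag']}> {f['host'] or '-':34} {f['detail']}")
```

A static scan only sees what is in the delivered HTML: trackers injected at runtime by a tag manager, and cookies set by JavaScript, will not appear in its output. Treat it as a first pass that tells the HIPAA official which vendors to ask the developer and marketing team about, and confirm the result by watching the page's actual network requests in a browser's developer tools.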

Maintain a HIPAA Compliant Website

To maintain a HIPAA-compliant website, the data collected must remain private and secure at all times, whether it is being used, stored, or transmitted. By incorporating safeguards to protect PHI on your website, you are already tackling essential elements of HIPAA compliance.

Therefore, website owners and operators must be aware of the potential risks associated with tracking technologies, take appropriate measures to safeguard PHI, and comply with HIPAA regulations. 

Introducing TrackerReveal

A new PrivaPlan service powered by Cyndelos

Still trying to figure out where to start? Let us help!

We proudly announce a new service to support healthcare providers and business associates in their website HIPAA compliance efforts! 

We provide a custom scan of your website and identify third-party tracking technologies. We then craft a tailored plan of action to meet your compliance needs. 

Now you won’t have to compromise patient privacy to maintain a functional website. Contact us today to learn more! 
