New HIPAA Requirements for Website Analytics

It’s Time to Evaluate Your Healthcare Clinic’s Website

Are your website analytics HIPAA compliant? This is the question healthcare organizations need to start asking.

Social media and internet searches are the go-to for patients looking for the right type of health care, making marketing a key role for healthcare organizations. In the process of marketing, websites might employ strategies to track website analytics and collect data about their marketing performance.

However, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has determined that using third-party tracking pixels can result in the collection of data that violates the HIPAA Privacy Rule.


What Are Website Tracking Tools?

Tracking technologies are tools used to monitor and analyze how users interact with websites or smartphone apps. They are typically scripts or code snippets added to the website or app and take the form of cookies, web beacons, tracking pixels, session replay scripts, and fingerprinting scripts. Google Analytics and Meta Pixel are two examples of tracking tools.

Tracking tools raise HIPAA concerns because some of them collect data that can include individually identifiable health information, such as:

  • IP address
  • email or home address
  • date of appointment
  • medical device IDs
  • specific symptoms or health conditions


For example, an individual with diabetes may visit an endocrinologist’s website to learn more about their condition, check out the doctors who specialize in treating it, or schedule an appointment. The website’s third-party tracking tool may collect the person’s IP address and scheduling activity.

The HHS states that healthcare information collected from a healthcare website or app is considered PHI even if the individual does not have an existing relationship with the healthcare organization. This includes the individual’s IP address or geographic location.

The collection of this kind of data can indicate an individual’s past, present, or future health treatment, or payment for it. According to the HHS, this indicates that an individual received or will receive services from the healthcare provider, so collecting it through tracking tools is a potential violation of HIPAA regulations.


Keep Your Website HIPAA Compliant

Covered entities need to evaluate their analytics setup and understand their options for achieving HIPAA compliance. Your best course of action is safeguarding any protected health information (PHI) by auditing your website to inventory every third-party tracking technology it loads and by finding tracking vendors willing to sign a business associate agreement (BAA). This involves carefully reviewing the data collected by each tracking tool and ensuring that it does not include individually identifiable health information.
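One way to start the website audit described above, as an added Python example that is not part of this post or of PrivaPlan’s service: it parses a page’s HTML for script, image and iframe loads from hosts other than the clinic’s own, names the two vendors the post mentions, and catches inline bootstrap snippets. The tracker hostnames, inline markers, the clinic hostname and the sample page are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts and inline JS markers to flag; GA and Meta Pixel are named in the post,
# the concrete hostnames and markers are illustrative assumptions.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
}
INLINE_MARKERS = {"gtag(": "Google Analytics", "fbq(": "Meta Pixel"}


class ResourceCollector(HTMLParser):
    """Records the src of every script/img/iframe and the body of inline scripts."""
    def __init__(self):
        super().__init__()
        self.resources, self.inline_scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.resources.append((tag, src))
        elif tag == "script":
            self._in_script = True  # snippet body arrives via handle_data

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def audit_trackers(html, site_host):
    # Returns (kind, location, vendor) for each third-party load or tracker snippet.
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.resources:
        host = urlparse(src).hostname
        if host is None or host == site_host:
            continue  # relative or same-origin resource: first party, not reported
        findings.append((tag, host, KNOWN_TRACKER_HOSTS.get(host, "unknown third party")))
    for body in parser.inline_scripts:
        findings += [("inline script", m, v) for m, v in INLINE_MARKERS.items() if m in body]
    return findings


# Constructed sample page for a hypothetical clinic site; all ids are placeholders.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>fbq('init','PLACEHOLDER');fbq('track','PageView');</script>
</head><body><img src="/images/logo.png"><iframe src="https://maps.example.net/embed"></iframe>
<img height="1" width="1" src="https://www.facebook.com/tr?id=PLACEHOLDER"></body></html>"""
```

Every host reported as "unknown third party" still needs a vendor review, because it may be a business associate that requires a BAA even if it is not a well-known analytics product.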

Healthcare organizations will want to ensure their website analytics are HIPAA compliant to avoid consequences, including fines, penalties, and reputational damage. Non-compliance with HIPAA regulations can result in financial penalties imposed by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). More importantly, breaches of patient privacy often lead to the loss of patients and business.

PrivaPlan Associates offers custom scans of websites to find third-party trackers. We can also review vendors to determine if they meet the definition of a business associate requiring a BAA. Contact us today!
