HIPAA Guidelines for Tracking Technology Use

HIPAA and HHS Rules When Using Tracking Technologies 

‍

The U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA). OCR recently released updated HIPAA guidelines for companies collecting data on how users interact with their websites and/or mobile apps. This marks the first time the agency has opined on the matter since HIPAA was signed into law in 1996. 

We examine how the update impacts:

• The use of tracking technologies such as cookies and pixels, on user-authenticated web pages, unauthenticated web pages, and mobile apps
• How your business needs to evolve 
• PulsePoint’s continued HIPAA compliance

‍

The New HHS Guidelines

HHS states:‍

Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.

‍

What is HIPAA?

HIPAA provides data privacy and security provisions for safeguarding patient health records and medical information.

HIPAA requires and ensures this information is protected from disclosure and misuse. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) expanded HIPAA to cover all business associates with access to health information, which includes marketing data, operations, and call tracking providers. 

‍

Privacy and Security: Key Components to HIPAA Compliance

• The Privacy Rule dictates what is considered Protected Health Information (PHI), also known as Personal Health Information, and who may use and access it. 
• The Security Rule describes how this information is protected, including operational safeguards and technical measures.

‍

What is Protected Health Information (PHI)?

PHI generally refers to information such as demographic information, medical histories, testing and laboratory results, mental health conditions, insurance information, and other sensitive data that a healthcare provider collects to identify an individual and determine appropriate care.

‍

How Does PHI Relate to Tracking Technologies?

Tracking technologies are pieces of software code used to gather information about users as they interact with websites or apps.Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts to track and collect information from users. This information is analyzed and used to help improve and refine the customer journey. They can track online behavior such as site conversions, web traffic, and more. While there are many different uses for tracking technologies, in digital marketing they can provide insights for advertisers to improve campaign planning, targeting, and optimization. However, this can pose an issue for data protected by HIPPA. 

‍

According to the HHS:

The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI).

HHS and OCR highlight the following requirements for healthcare providers to ensure HIPAA-compliance and safeguard PHI when tracking online behavior:

1. Authenticated web pages, like telehealth or patient information portals, require a patient to log in for access. They often contain sensitive and trackable PHI. Healthcare providers must follow HIPAA's Privacy and Security Rules to secure this information.

‍

2. Unauthenticated web pages don’t require login credentials, but may still have access to PHI. For example, patient registration, appointment booking, or pages connecting patients to specialists in their area all contain sensitive, identifiable information. However, tracking technologies on regulated entities’ unauthenticated web pages generally do not have access to PHI, so HIPAA rules do not apply to such use of tracking technologies. 

‍

3. Mobile apps containing PHI, such as those managing personal healthcare or billing information, must remain HIPAA-compliant. However, if a user voluntarily inputs their PHI into an app not developed or offered by regulated entities, such as healthcare providers, their data is not subject to HIPAA regulations. Keep in mind, though, that even where HIPAA rules may not apply, other privacy laws, like the FTC’s Health Breach Notification Rule, may apply.

‍

How PulsePoint Approaches HIPAA Compliance and Data Transparency 

At PulsePoint, we continue to evolve our solutions and technology to comply with changing legislation, privacy concerns, and navigate evolving technology. We take data management, data privacy, and security seriously. While we can’t predict the future, we are committed to helping brands better understand and reach health audiences through a deep understanding of data and technology. 

‍

We Protect Privacy with Transparent Policies:

Our privacy policy explains our practices regarding the collection, use, and disclosure of information on our media activation platform.

• All patient data is de-identified by data partners prior to being on-boarded. 
• We maintain separation between PHI within a HIPAA-compliant space and digital identity.
• We work with an expert third party to help maintain HIPAA compliance.‍

PulsePoint is a longstanding member of the Network Advertising Initiative(NAI), and adheres to the industry self-regulatory guidelines of the:

(i) NAI Code of Conduct; 

(ii) the Digital Advertising Alliance,

(iii) the European Digital Advertising Alliance, and

(iv) the policies of the IAB EU Transparency & Consent Framework. 

PulsePoint continues to implement and update our processes and policies as required to comply with legislation and regulations like The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). 

‍

PulsePoint’s Use of Cookies and Pixels

PulsePoint collects Non-PII through technologies such as “cookies” and “pixel tags” (which are also called clear GIFs, web beacons, or pixels). “Cookies” are small data files that are stored by your web browser on your computer. When you visit a webpage, the cookie sends back Non-PII. “Pixel tags” are small graphic images (usually invisible) that can be embedded in content and ads on a webpage that track usage of our websites and effectiveness of communication. These pixel tags can then be used to recognize PulsePoint’s cookies and to monitor certain user interactions with a website.

‍Cookies and these other technologies are important and useful because they allow us to recognize your device and remember information about you, such as your preferred language and other general settings. Most of the cookies are stored in your browser, which usually gives you the ability to manage them (though browsers for mobile devices may not offer this possibility).

A user has several choices when it comes to opting out of the collection of information about your web browsing activities through cookies. For additional information, please review our Cookie Policy.

‍

Fair, Balanced Data Value Exchange and “Data Minimization”

We support transparency of data use to empower an individual’s rights over their information. We do not collect sensitive data and in exchange for any non-sensitive personal information that is collected, we provide relevant information and health resources so consumers benefit directly. Consumers are also able to opt out of data collection at any time.

‍

Measured and Accountable By High Standards 

While PulsePoint’s technologies are built for healthcare, we are committed to self-regulation in addition to adhering to government regulations. To achieve this, we instill best-in-class analytics and quality practices into data acquisition, processing and reporting. 

If you would like to learn more about or discuss the implications of placing pixels on your website for your media campaigns, contact us here.

‍