Understanding Tracking Technologies Is Crucial for Health Sites, Say Privacy Pros
Companies must understand their websites' tracking technologies and know what data they collect so they can remain compliant. This is especially so within the healthcare sector, said panelists during an IAPP webinar about Health Insurance Portability and Accountability Act (HIPAA) compliance Wednesday.
Not only have the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) enforced tracking-technology regulations recently, but so have DOJ, the FTC and other agencies, said Ivan Tsarynny, founder of data protection vendor Feroot. That trend is “growing and ... becoming more and more impactful,” he added.
“If you follow [a] risk-based analysis and risk-based model for making decisions,” the probability of a risk happening “is definitely increasing in terms of the cost and probability,” he added.
Many health care websites use embedded tracking technologies that “often can and do access various types of sensitive information, whether it's” protected health information (PHI) or personally identifiable information (PII), Tsarynny said. This isn't done maliciously; “it's just the nature of those technologies.”
Jason Frame, chief security officer of the Southern Nevada Health District, said this issue wasn't on his radar until a few years ago.
At the height of the COVID-19 pandemic, when there was heavy site traffic of people registering for tests and vaccines, he noticed that “PHI data was being captured as part of the query string or as different things,” which “really opened [his] eyes.”
“What we learned” is that we had to deactivate anything with PHI on it, “because we didn't have [a HIPAA Business Associate Agreement (BAA)]” that would permit the website to collect that information, Frame said. Once it obtained the BAA, his team reactivated the app dynamics, “but it still made me uncomfortable knowing that that data was being shared with another company, because, [with] the HIPAA rule, it's … the least amount of access necessary, and they didn't really need access to the actual data to check out the flows, in my opinion.”
From there, he was able to figure out what other site elements were capturing patient data. He then customized operations to balance marketing and communications with limited data collection to protect customers.
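The query-string leak Frame describes can be checked for systematically. The Python script below is an added example, not code shown at the webinar or belonging to any vendor named here: it scans a constructed capture of a site's outbound requests and reports PHI-like parameters reaching third-party hosts, either in the request's own query string or in the Referer header it carries. The first-party host name and the list of parameter names are assumptions made for the example.

```python
"""Audit a capture of outbound requests from a health site for PHI-like
data reaching third parties, via query strings or the Referer header."""
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "health.example"  # constructed placeholder host, an assumption
# Parameter names that often carry PHI/PII when a site puts them in the
# query string (illustrative list chosen for this example, not from the page)
PHI_PARAMS = {"dob", "ssn", "mrn", "patient_id", "diagnosis",
              "test_result", "vaccine", "email", "phone", "appointment"}

def is_third_party(host):
    """True unless host is the first-party site or one of its subdomains."""
    return not (host == FIRST_PARTY or host.endswith("." + FIRST_PARTY))

def phi_params(url):
    """Return the sorted PHI-like query parameter names found in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k.lower() for k, _ in pairs if k.lower() in PHI_PARAMS})

def audit(requests):
    """requests: (url, referer) pairs captured from the browser, e.g. exported
    from a HAR file. Returns one finding per third-party request that carries
    PHI-like parameters in its own URL or in the Referer it sends."""
    findings = []
    for url, referer in requests:
        host = urlsplit(url).netloc.lower()
        if not is_third_party(host):
            continue  # the site's own backend is expected to see the data
        leaked = phi_params(url)
        if leaked:
            findings.append({"host": host, "via": "query", "params": leaked})
        leaked_ref = phi_params(referer) if referer else []
        if leaked_ref:
            findings.append({"host": host, "via": "referer", "params": leaked_ref})
    return findings

# Constructed sample capture (not real traffic): a registration page that puts
# PHI in its query string, a tracker that copies it, and a CDN that sees it
# only through the Referer header.
PAGE = "https://health.example/register?dob=1980-01-01&vaccine=covid"
SAMPLE = [
    (PAGE, None),
    ("https://analytics.example/collect?page=%2Fregister&dob=1980-01-01&vaccine=covid", PAGE),
    ("https://cdn.example/lib.js", PAGE),
    ("https://health.example/api/confirm?patient_id=123", None),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['host']}: PHI-like params {f['params']} sent via {f['via']}")
```

Current browsers strip the query string from cross-origin Referer headers by default, so the Referer findings matter mainly on sites that relax their referrer policy.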
Jim Buda, a cybersecurity and audit practitioner, said one of the first things he examines during an audit is a site's cookies. “One of the biggest things we saw is you’ve [got to] be able to understand how your technology integrates into everything else,” he said. “When you're coming in for a HIPAA assessment for the first time or writing the assessment, make sure you understand what technologies are in scope for you.”
A comprehensive evaluation that considers data security throughout a company is helpful too, so everyone is on the same page, Buda added.
Frame also noted that lawsuits can easily be filed over nonconsensual tracking, so it’s best to be aware of and limit the amount of data tracked. “It's a very litigious society right now, so I think we need to be doing our best to make sure that we're lowering that risk, and it's also doing right by our patients.”
Tsarynny said state laws, in addition to HIPAA and other federal statutes, can make compliance operationally challenging, so it’s best for businesses to remain vigilant.
Beyond understanding what tracking technologies a website deploys, Buda recommended that companies conduct risk assessments and keep control over their technology as a backup, so they are prepared if they are audited.
“The cost of maintaining [awareness and good data practices] compared to the cost of a breach is very little,” Frame said. “It's like a small insurance policy to avoid us having a big breach later on, and keeping it operational that way, and preventing that data from going out.”