
Using website tracking technology on healthcare sites can be a double-edged sword. On the one hand, it can help healthcare organizations better understand user behavior, preferences, and interests. However, if not properly secured, this technology can also put users at risk of their sensitive data being accessed and used inappropriately.
In this episode:
Spitballing Website Tracking – Ep 390
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Spitballing Website Tracking
[06:33] Most people think their website just tells visitors what they do, where they are and how to contact them. What they don’t realize is that their website is actually doing a lot more than that. We covered this a little bit during our Amazon, Facebook, and PHI oh my! episode.
Website developers often don’t understand important privacy and security elements of HIPAA, such as patient privacy and website security, when they are creating a website for a healthcare organization. And now, as we’ve seen with the Meta Pixel mess, data breaches are being announced, healthcare entities are being sued and even Meta is being sued by hospitals.
Bottom line: before you use new analytics or tracking info from users who visit your websites, you need to do a risk analysis. If you’re going to have any kind of engagement with a patient through your website, do a risk analysis and question how that engagement is achieved.
[12:09] HHS put out some guidance about this very topic: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates – HHS.gov
An impermissible disclosure of an individual’s PHI not only violates the Privacy Rule but also may result in a wide range of additional harms to the individual or others. For example, an impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.
What a lot of people don’t realize is that an IP address is PHI. Collecting an IP address alone may be harmless, but when you start collecting other information as well and are doing something with it, it’s a new ball game. If you’re gathering information, you’re gathering information. Now, you might want to know what applies to that information from a legal perspective. Keep in mind that even if HIPAA doesn’t apply, other privacy laws could. Many states now have their own privacy laws, and even the FTC has a health breach notification rule. These rules might apply even if HIPAA doesn’t.
So, this comes back to vetting your vendors. Don’t assume that your website developer is only creating a website for you and generating traffic to it. You have to ask the questions because it’s possible they are not paying attention to information security.
[23:17] The good news is that there is a website, The Markup – Blacklight, where you can run a website URL through and it’ll tell you if the Meta Pixel technology, as well as other tracking technology, is being used on it. It is worth running your website through this tool. It might just be that the web developer doesn’t even know that the plugin they are using on your site carries trackers that would violate HIPAA.
Don’t assume, folks! Make sure your developers are properly maintaining your website too. Patching the website software, the plugins being used and the server it is running on is also very important to help prevent your site from being hacked. Just listen to our podcast, Why Does Website Security Matter? – Ep 342, to learn why it is important to be certain that your web designers are properly managing, monitoring, securing and backing up your website.
Many website tracking tools create a problem that we should not ignore. Data vendors that want the personal data, and that get it, are not giving it up. They can use it in so many ways. Don’t just assume your web developers have it covered. Ask the questions. Have them confirm the tools they are using and what data they are collecting. Until we ask more questions of our doctors and hospitals and such, things will not change.
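To put the "confirm the tools they are using" step into practice, here is an added example (not from the episode or from Blacklight) of a static check a site owner can run over a saved copy of one of their own pages. The tracker list, the `clinic.example` URL and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Short illustrative list (an assumption, not exhaustive) of tracker hosts.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta/Facebook resource (pixel beacon or embed)",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

# Constructed sample page for a hypothetical clinic; IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000"/></noscript>
</head><body><form action="/book"></form></body></html>"""

class ThirdPartyFinder(HTMLParser):
    """Collect third-party hosts loaded by script, img and iframe tags."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.hosts, self.inline_pixel, self._in_script = set(), False, False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        src = dict(attrs).get("src") if tag in ("script", "img", "iframe") else None
        if src:
            host = urlparse(urljoin(self.page_url, src)).hostname
            if host and host != self.site_host:
                self.hosts.add(host)

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        # Pixel base code loads its script from inline JS, which a src-only scan misses.
        if self._in_script and "fbq(" in data:
            self.inline_pixel = True

def audit_page(html, page_url):
    finder = ThirdPartyFinder(page_url)
    finder.feed(html)
    flagged = {h: KNOWN_TRACKERS[h] for h in finder.hosts if h in KNOWN_TRACKERS}
    review = sorted(finder.hosts - set(flagged))
    return {"flagged": flagged, "review": review, "inline_pixel": finder.inline_pixel}
```

A static scan like this will not see trackers that a tag manager or plugin injects at runtime, so every host under `review` still needs a question to the developer about what it collects.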
HIPAA is not about compliance,
it’s about patient care.™



