IP Addresses and HIPAA Compliance: Unpacking the Risks for Healthcare Websites
A quick note before you read: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.
As a healthcare organization, using web trackers that collect IP addresses on your website could put you in hot water with the HHS.
The HHS considers IP addresses to be personal identifiers, so sharing IP addresses and health information with third-party trackers could count as a HIPAA violation.
Let’s dive into what exactly IP addresses are, how they’re connected to patient privacy, and what you can do to make your web trackers HIPAA-compliant.
What are IP addresses?
An internet protocol (IP) address is a unique set of characters that is assigned to every device on the internet.
In the online world, your IP address is like your postal address. Without it, your phone or computer could not send and receive information.
For example, when you opened Freshpaint’s website, the following things happened:
- Your computer connected to the router
- The router connected to the server of Freshpaint’s website
- The server retrieved the information (the website) and forwarded it to your device
Your computer, the network router, and the web server all have unique IP addresses. They use them to deliver the correct information to the correct device.
You get a new IP address every time you use a new internet connection. That’s because your internet service provider (that assigns IP addresses) changes.
Where does privacy come in?
At first glance, it doesn’t seem like your IP address contains any sensitive information. What can you possibly tell from a collection of numbers and characters?
But the reality is that collection of numbers and characters actually reveals a user’s geographical location. This may include a user’s zip code or the town they live in, but not their exact address. Even though IP addresses don’t reveal specific addresses, they’re still a personal identifier in the HHS’s eyes.
The HHS specifically says, “All geographic subdivisions smaller than a state,” is a personal identifier. IP addresses are, without a doubt, “geographic subdivisions smaller than a state.”
Why do tracking tools need access to IP addresses?
Many tracking tools collect IP addresses for analytics, advertising, and general functionality. This could be true even if they’re not sharing them with the end-user, aka you.
Take Google Analytics (GA) as an example. Although GA no longer stores the IP addresses of your website visitors, it still uses them to pinpoint their location. And this geographical data is available in your GA dashboard. You can use it to understand where most of your website visitors come from, the pages that are most popular with visitors from specific locations, and other demographic insights.
Important note: GA not storing IP addresses doesn’t mean it’s HIPAA-compliant. The HHS guidance is concerned with sharing PHI with trackers, which you’re still doing if you’re using the native tracking technology.
Or look at the Meta Pixel, which businesses use to measure conversions and track visitor behavior. The Pixel collects IP addresses for advertising purposes. Meta uses that information to personalize ads, improve ad targeting, and help you understand performance.
Vimeo is another commonly used tracker that will appear on your website if you embed videos from this platform. It automatically collects IP addresses for analytics.
And that’s only a few of the trackers that collect IP addresses. There are dozens, if not hundreds, of others that most websites use everyday. Any web tracker that helps with ads, analytics, video, mapping, user experience, consent management, and so many others, has access to the IP addresses of your website visitors.
So, using any web tracker, without a BAA or a tool that governs the data they receive, is very risky.
Why are IP addresses considered risky for HIPAA compliance?
An IP address on its own doesn’t reveal any health information, so why does the HHS consider it to be a risky technology?
As we’ve talked about before, personal identifiers combined with health information constitute PHI. IP addresses are personal identifiers. So, if your tracking tool logs an IP address of a user and the page containing health information the visitor viewed, that combination is PHI. That’s a HIPAA violation.
When someone visits your healthcare organization’s website, their visit is an indication they have or will receive healthcare services. It doesn’t matter whether you have a business relationship – their visit is still connected to their healthcare needs.
Let’s say you are a clinic that specializes in multiple sclerosis. On your website, you have tracking technologies that collect IP addresses alongside pageview data from the specific multiple sclerosis treatment pages that visitors have viewed.
After a patient visits your website to research their condition, their activity on your website is logged in Google Analytics. Then, they start seeing ads on social media and other websites that promote treatments for multiple sclerosis.
This is a major violation of patient privacy. Your analytics trackers are the cause of that situation. And to really drive it home, Cedars-Sinai Medical Center is currently involved in a lawsuit due to a similar scenario.
Fortunately, you can prevent this from happening. And it doesn’t involve removing all trackers from your website.
The next step: Audit your website for trackers that collect IP addresses
In our Privacy-First Framework, we outlined a five-step process to help you find, analyze, and manage third-party trackers on your website.
The first step in this process is auditing your website for web tracking risks. With an inventory of all the tracking technologies you use, you can analyze whether they’re collecting IP addresses and other PHI.
If you don’t have a Business Associate Agreement (BAA) with the tracking tools that gather PHI, then you need to implement technology (such as a Healthcare Privacy Platform) that will prevent PHI from being passed down to these tools.
This way, your marketing team can continue to use trackers and drive business growth, without the risk of hefty fines and lawsuits.
