A Privacy-First Framework for HIPAA Compliance: Managing Third-Party Tracking on Healthcare Websites
Eminem once rapped about seizing opportunities in a single moment, a philosophy that tech giants like Facebook and Google have adopted to gather data on your website visitors.
Facebook and Google try to seize as much information about your website visitors as possible. They want to figure out who those people are, why they’re on your website, and what they’re learning from your website.
That’s not to say those are dangerous or nefarious tools. They’re not. They just function on consumption. The more data they take in, the better their ad algorithms.
That’s fine in most industries but not in healthcare when it comes to HIPAA compliance. Bet you didn’t see this article starting with Eminem and turning to HIPAA, but here we are.
The fact of the matter is this: there are tools on your website that capture data about your users. It’s not just Facebook and Google. There might be dozens of tools gathering data. Those tools can directly lead to HIPAA violations.
Understanding the tech on your website is crucial for HIPAA compliance. Still, it isn’t straightforward—employees, agencies, and others may have placed tracking tech on your website.
That’s a problem.
To help you solve it, we put together the Privacy-First Framework. This framework will help you understand the tech on your website and determine what to do about it.
What is the Privacy-First Framework?
The Privacy-First Framework is a five-step process to help you lock down the tracking technologies on your website so that you’re not inadvertently sharing PHI with any unauthorized third party.
The Framework starts with a comprehensive audit of your websites' and apps' tracking technologies. During this portion, you’re looking for analytics trackers, advertising trackers, and more.
Then, you’ll move into analyzing if those trackers are sharing Protected Health Information (PHI).
If they are receiving PHI, the third step is verifying that you have a Business Associate Agreement (BAA) in place with that tracking technology.
If those tools are receiving PHI, but you don’t have a BAA in place, you now need to govern the flow of data to those tools to prevent PHI from getting to them.
Lastly, you need to continuously monitor your websites and apps so you can stop any new trackers from receiving PHI.
Read on for a breakdown of each step, with instructions on how to do it.
Step 1: Audit
The first step is to make a list of all of the tracking tech that exists on your website. At first glance, this sounds like a pretty easy task, but it can be complicated because you need to work with multiple teams to find tracking tools that no one knows about.
To do the audit, you’ll need to partner with your product, marketing, IT, and legal teams.
Your marketing and product teams are essential because they’re the most likely users of the tools, but your IT team has the biggest role in the audit. They need to be responsible for pulling together the list of tracking technologies. Having your legal team in the room will help the entire audit team understand the risk with tracking technologies.
And there is a lot of risk here. The FTC has been cracking down on healthcare organizations sharing Protected Health Information (PHI) with unauthorized web tracking tools for the past year. More recently, the FTC released a joint statement with the HHS to warn healthcare organizations about the dangers of this technology.
Back to the task at hand: to do this audit, you need to ask each team to do a little bit of homework. Have each team create a list of the tracking tools they have installed on the website and in your apps.
Ask the marketing team to put together a list of all the marketing analytics and advertising tools they currently use or have used. This list will include things like Google Analytics, Google Ads, Facebook Ads, and so much more.
Have the product team do a similar exercise but focus on the product analytics and user behavior tools.
The IT team has the biggest task. They need to make sure the other two teams missed nothing. For this, ask them to open up Google Chrome, navigate to your website, and use Chrome DevTools to create a list of all resources from the Sources tab. This list will include things like:
- google-analytics.com – This is the URL that loads Google Analytics
- googleads.g.doubleclick.net – This is the URL that loads Google Ads
- connect.facebook.net – This is the URL that loads the Facebook pixel
Read more: 8 Common Web Trackers That Could Jeopardize Your Healthcare Website’s HIPAA Compliance
Ask each team to send you their list, and put all of the tools into one spreadsheet with these columns:
- The tool
- Which department owns the tool
- Does the tool collect PHI?
- Do you have a BAA with the tool?
- Notes
We’ll get into each column in the next steps of the framework.
Once you have that list, it’s time to be a detective. Each team will work together to figure out what each tool is and what it does.
You may want to schedule a meeting to go through each tool one by one. Ask whichever team owns the tool to explain the functionality. If the owner is unsure of the functionality, that’s okay. It’s not uncommon to find tools on your website that a previous employee or agency installed, and as a result, no one currently knows what it does. But you still need to figure out what the tool is if it’s installed on your website.
The best way to do this is to Google the exact URL of the tracking code. For example, if your IT team has “googleads.g.doubleclick.net” on the list, perform a Google search for “What is googleads.g.doubleclick.net?”
Once you figure out what the tool is, make a note of it and move on to the next step.
Read more: IT team has no bandwidth to help? Here’s what you can do.
Step 2: Analyze
Once you have a basic understanding of each tool, you now have to analyze which tools are receiving Protected Health Information (PHI). If you’re unsure of what PHI is, read an explainer of PHI.
When it comes to tracking technologies with access to PHI, this is the general rule you’ll want to follow:
Every tracking tool on your website has access to the IP address of your website visitors. IP addresses are personal identifiers and are one-half of PHI. The other half is health information. If you’re also sharing health information with those tools, you might have a HIPAA violation on your hands.
A quick note on IP addresses: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.
How do you know if you’re sharing health information with a third party? Log in to the tool, and start digging through the data. As you do that, ask these questions:
- Is it tracking pageviews from web pages that focus on specific conditions? Pageviews could be inferred to determine a visitor's physical health or condition.
- Is it tracking video views from videos on your website that talk about specific conditions? Videos viewed could be inferred to determine a visitor's physical health or condition.
- Is it collecting appointment scheduling or prescription information? A scheduled doctor's appointment or medication prescription would indicate that healthcare is being provided.
- Is it collecting payment information? Any invoice, bill, or attempt to obtain payment for provisioned healthcare services would be considered health information.
- Is it collecting form fill information? Forms that patients fill in can collect both health information and personal identifiers.
The takeaway is that if the tool receives various types of data—such as URL data, specific user actions on a website, and form fills—it is likely collecting PHI. This is especially true given that, as previously mentioned, these tracking tools already have access to IP addresses, which are considered personal identifiers.
Once you understand if the tool is collecting PHI, mark it on your spreadsheet. At this point, your list of tools should contain those that receive PHI and those that don’t. Now, you need to move on to step 3 for the tools receiving PHI.
Read more: IP Addresses and HIPAA Compliance: Unpacking the Risks for Healthcare Websites
Step 3: Verify
In Step 3, you need to verify if you have a comprehensive Business Associate Agreement (BAA) in place with each tool that collects PHI.
A comprehensive BAA needs all the provisions in the U.S. Department of Health and Human Services’ (HHS) sample BAA, along with:
- Automatic renewal. Comprehensive BAAs should automatically renew each year. That way, there is no chance of the agreement lapsing.
- Indemnification principles. These principles explain who is obligated to cover losses incurred throughout the duration of the agreement.
- Termination clauses. Specifically, what happens to the data once the agreement is terminated?
With that in mind, verifying your BAA requires a multi-step process. The first step is to ask your audit team, “Do we have a BAA in place with the company behind this tracking tool?”
If the answer is “Yes, we have a BAA in place” then you need to make sure it has automatic renewal, indemnification principles, and termination clauses. If the BAA doesn’t have those, you may want to revisit it, depending on your company’s risk appetite.
If you don’t have a BAA in place, there are a few ways to go. First, see if you can get one. Reach out to the company and ask if they’ll sign one. If they’ll sign one, great. Make sure it has all the provisions mentioned above.
If the company won’t sign a BAA, you need to either find an alternative tool or move on to step 4 of the Privacy-First Framework.
Read more: How Do You Know When You Need a Business Associate Agreement?
Step 4: Govern
You’ve made it to step 4. At this point, you should have a list of all the tracking tools on your website, which ones collect PHI, and which ones you have a BAA with.
That leaves a few tools that you don’t have a BAA with. Those tools are often the trackers that run your direct response, programmatic, and remarketing ads. You have two options here:
- Get your engineering team to build the functionality to stop passing PHI to those tools.
- Use a Healthcare Privacy Platform to govern the flow of PHI to those tools.
Having the engineering team build this is entirely possible, but it is cost- and time-prohibitive for most companies. And even the companies with the resources (time and money) usually choose to allocate those resources elsewhere.
When asked about the time commitment required to build this for Two Chairs, Henry Lyford, the company's Engineering Manager, said, “I could see this being an entire engineer's time.”
So yeah, it’s possible, but you’d have to hire an engineer solely dedicated to this task. That’s expensive, and it will take a significant amount of time.
The other option is using a Healthcare Privacy Platform. Full disclosure: Freshpaint is a Healthcare Privacy Platform.
Read more: Privacy First: Healthcare Privacy Platforms vs Generic CDPs
We’ll get into how these tools function in a second, but let’s talk about the table stakes of these tools. Each Healthcare Privacy Platform you’re considering must sign a BAA when you sign a contract with them. They’re not a good tool to use if they're unwilling to do that.
When it comes to functionality, these tools sit in between your website and the marketing tools you use. They work by collecting data from your website, then governing that data to prevent PHI from getting to third-party tools.
Once you have one of these tools in place, you’ll have complete control over your data and can prevent PHI from going to any non-BAA-protected tools.
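To make the “sits in between” model concrete, here is an added example (not Freshpaint’s product code and not part of the original post) of a small governance function: destinations with a BAA receive the full event, every other destination receives only allowlisted fields, and event types that carry health information on their own are withheld from non-BAA destinations entirely. The destination names, field names, event types and public paths are assumptions for illustration.

```javascript
// Added example, not Freshpaint's product code: a governance layer between the
// site and its marketing destinations. Destination names, field names and event
// types are assumed for illustration.

// BAA column from the Step 3 spreadsheet. A destination not listed here is
// treated as having no BAA.
const BAA_STATUS = {
  'ehr-analytics': true,  // hypothetical vendor that signed a BAA
  'ads-pixel': false,     // hypothetical ad pixel that would not
};

// Event types from the Step 2 questions that carry health information on
// their own; non-BAA destinations never receive them.
const PHI_EVENTS = new Set(['form_submit', 'appointment_scheduled', 'prescription', 'payment']);

// The only fields a non-BAA destination may receive.
const NON_PHI_FIELDS = ['event', 'timestamp', 'campaign'];

// Pages whose view reveals nothing about a visitor's condition; any other
// path (for example a condition page) is withheld from non-BAA destinations.
const PUBLIC_PATHS = new Set(['/', '/about/', '/contact/']);

// Return the payload the destination may receive, or null to send nothing.
function governEvent(event, destination) {
  if (BAA_STATUS[destination] === true) return { ...event };
  if (PHI_EVENTS.has(event.event)) return null;
  const out = {};
  for (const key of NON_PHI_FIELDS) {
    if (key in event) out[key] = event[key];
  }
  if (PUBLIC_PATHS.has(event.path)) out.path = event.path;
  return out;
}

// Fan one event out to every destination under its own rule.
function governForAll(event) {
  const result = {};
  for (const destination of Object.keys(BAA_STATUS)) {
    result[destination] = governEvent(event, destination);
  }
  return result;
}

// Constructed sample event: a view of a condition page with fields a tracker
// would normally capture.
const SAMPLE_EVENT = {
  event: 'page_view', timestamp: 1700000000, campaign: 'spring',
  path: '/conditions/diabetes', ip: '203.0.113.5',
  form: { symptom: 'fatigue' },
};
```

Run `governForAll(SAMPLE_EVENT)` to see the same page view delivered whole to the BAA destination and stripped of the path, IP and form data for the ad pixel.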
Step 5: Monitor
Now that you’ve gone through the first four steps in the Privacy-First Framework, it’s on to the most important step: continuous monitoring.
Monitoring is essential because new trackers may get added to your website from time to time without you knowing about it. If the marketing team brings on a new agency, that agency may install a tracking tool without anyone’s knowledge. Or someone on the product team may be testing a new analytics tool and install a tracking tool without mentioning it.
It’s easy to tell everyone, “Don’t install anything without approval.” But it’s not always realistic to expect everyone to listen to you. That’s why you need a continuous monitoring process.
Ask your IT team to run a monthly report of all the tracking technologies on your website. Have IT send you that list so that you can compare it to the list you just created from this framework.
You will find new tools from time to time. That’s okay. When that happens, circle back to Step 2 in our Privacy-First Framework and work through the steps again. Analyze the data it is collecting and verify that you have a BAA in place. If not, govern that data with a tool like Freshpaint.
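As an added example (not from the original post or from Freshpaint), the following script serves both the Step 1 audit and the Step 5 monthly comparison: it reduces a captured list of resource URLs to the third-party hosts, tags the ones the article names, and reports any host a later capture introduces. In Chrome DevTools the URL list can be produced from the console with `performance.getEntriesByType('resource').map(e => e.name)`; the site hostname, the sample URLs and the owner labels are constructed assumptions.

```javascript
// Added example, not Freshpaint's code: build the Step 1 host inventory from a
// list of resource URLs, then (Step 5) report hosts a later capture introduces.
// Hosts named in the article; labels are assumed owner/tool notes.
const KNOWN_TRACKERS = {
  'google-analytics.com': 'Google Analytics (marketing)',
  'googleads.g.doubleclick.net': 'Google Ads (marketing)',
  'connect.facebook.net': 'Facebook pixel (marketing)',
};

// Constructed sample capture for a hypothetical site, example-clinic.test.
const SITE_HOST = 'example-clinic.test';
const SAMPLE_URLS = [
  'https://www.example-clinic.test/conditions/diabetes',
  'https://cdn.example-clinic.test/app.js',
  'https://www.google-analytics.com/analytics.js',
  'https://googleads.g.doubleclick.net/pagead/viewthroughconversion/000',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://cdn.unknown-vendor.test/tag.js',
  'data:image/png;base64,iVBORw0KGgo=',
];

// A host matches a domain entry exactly or as one of its subdomains.
function matches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}
function labelFor(host) {
  for (const [domain, label] of Object.entries(KNOWN_TRACKERS)) {
    if (matches(host, domain)) return label;
  }
  return 'unknown: research this host';
}

// Step 1: unique third-party hosts, sorted, each with a label for the sheet.
// Non-network URLs (data:, blob:) have no hostname and are skipped.
function auditHosts(urls, siteHost) {
  const hosts = new Set();
  for (const u of urls) {
    let host = '';
    try { host = new URL(u).hostname; } catch (e) { /* not a URL at all */ }
    if (host && !matches(host, siteHost)) hosts.add(host);
  }
  return [...hosts].sort().map(host => ({ host, label: labelFor(host) }));
}

// Step 5: hosts in the latest capture that the approved inventory lacks.
function newHosts(inventory, latestUrls, siteHost) {
  const approved = new Set(inventory.map(e => e.host));
  return auditHosts(latestUrls, siteHost).map(e => e.host).filter(h => !approved.has(h));
}
```

Feed the monthly capture to `newHosts` with the spreadsheet’s host list as the inventory; any host it returns is the one to send back through Steps 2 to 4.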
What Now?
This five-step process isn't a one-and-done deal. It’s an ongoing commitment to maintaining the privacy of your website visitors.
As tech companies like Facebook, Google, and others continue to advance their data-collection capabilities, you need to keep fighting to protect your website visitors. Forgetting or overlooking even one tracking tool could result in penalties and damage to your organization's reputation.
So, while Eminem might rap about seizing opportunities in a single moment, when it comes to healthcare data compliance, it's about consistently seizing the responsibility, day in and day out. Our Privacy-First Framework is your guide to doing just that.
Learn how Freshpaint is enabling Privacy-First Marketing for all healthcare organizations: Introducing Freshpaint’s Healthcare Privacy Platform: Unlocking HIPAA-Compliant Performance Marketing