8 Common Web Trackers That Could Jeopardize Your Healthcare Website’s HIPAA Compliance
Imagine you’re sitting in a room covered in microphones and cameras that are recording your every move. Every action you perform, every word you say, every breath you take, every move you make…wait, this is the intro to an article about web trackers for HIPAA compliance, not the classic song by The Police.
Back to our room with all of those recording devices. Does that sound like anything else to you?
It should. That is the internet – every action you take is tracked and collected by a “recording device” known as a web tracker.
Those web trackers are mostly innocuous. They help different technologies work better. They help advertising tools be more effective. They help marketers understand performance. They help improve the experiences of website visitors.
There are dozens of these web trackers on any given website, but more often than not, organizations don’t know which web trackers are on their websites. For healthcare websites, that can be problematic because those web trackers can directly lead to HIPAA violations. That’s why it’s a good idea to audit your website for those trackers. But they’re rarely labeled, so you might be confused about what each tracker is when you come across one.
Read more: How to Detect Web Tracking Risks on Your Website.
That’s why we put together a list of the eight most common web trackers, grouped by the company that developed each one. This list will help you understand these trackers when you encounter them during your HIPAA compliance audits.
Google Analytics
Google Analytics uses a number of different trackers so that the tool can operate properly.
These are the most common that you’ll find in the backend of your website:
- www.google.com
- www.google-analytics.com
- analytics.google.com
All three trackers above are related to different functionality for Google Analytics. You might see one, two, or all three on your website. But the number you see doesn’t matter because all three could lead to HIPAA violations.
Any tracker owned by Google should raise a red flag for you when it comes to HIPAA compliance. Google built an entire business around collecting data, and most of their trackers are not HIPAA compliant.
We’ve previously written about the risks of Google Analytics from a HIPAA-compliance perspective. The risk exists because the Google Analytics trackers collect personal identifiers and health information about your visitors by default. Combined, those are the components of Protected Health Information (PHI), meaning if you’re using Google Analytics, you’re sharing PHI about your website visitors.
And because of that, the HHS and the FTC have specifically called out Google Analytics as a non-compliant tool for HIPAA.
Is this web tracker a risk to HIPAA compliance?
Yes. As mentioned above, the Google Analytics tracker is one of the web trackers the HHS has called out specifically.
What you can do instead
Google doesn’t sign BAAs for Analytics. So, if you see any of those trackers, jump to Step 4 in our Privacy-First Framework to determine how to govern the flow of data to Google Analytics.
Or find an alternative tool that will sign a BAA.
Google Ads
Meet the trackers:
- googleads.g.doubleclick.net
- static.doubleclick.net
Those are the most common Google Ads trackers you’ll see on your website, but there are others. Any tracker with a “doubleclick” root domain is related to Google Ads.
The value of Google Ads trackers is that they allow Google to report about specific conversion actions specific users take on your website.
Notice how we used the word “specific” two times in that sentence? That specificity is what could lead to a HIPAA violation.
As a user of Google Ads, you won’t have access to that specificity, but Google still does. That’s the problem.
Is this web tracker a risk to HIPAA compliance?
Yes. This one is clear. Google Ads trackers are a risk to HIPAA compliance. Google was one of the data destinations named in a lawsuit over “impermissible disclosures of patient data.”
What you can do instead
Google doesn’t sign BAAs for their Ads platform, and there are no good alternatives to Google Ads. Where else are you going to reach that wide of an audience?
Sure, you could turn off these trackers, but then you won’t have any idea about the performance of your advertising.
So, you’ll actually want to keep using these trackers, BUT ← that’s a really big ‘but’ because this next part is crucial: you absolutely have to use a tool (like Freshpaint) to govern the flow of sensitive data to Google Ads.
Meta Pixel
Meet the trackers:
- connect.facebook.net
- www.facebook.com
Meta, the company that owns Facebook, uses a tracker called a Pixel.
The Meta Pixel is a snippet of code that allows Meta to track conversions that take place across Facebook, Instagram, and its other assets. It also allows you to build custom audiences based on actions that take place on your website, and remarket to specific website visitors.
Meta/Facebook’s ad trackers have been called out by the HHS as risky from a HIPAA-compliance standpoint. We have an in-depth explanation here, but here’s the high level:
Meta tracks users and the actions they take on your website. Meta does this because it helps their ad tech put your ads in front of similar users who are also likely to take actions on your website. That improves your advertising performance.
Similar to Google, tracking users and their actions is what leads to HIPAA violations.
Is this web tracker a risk to HIPAA compliance?
Yes. This is the clearest web tracker that puts you at risk of HIPAA violations. Over the past year, Meta has caused multiple healthcare organizations to be fined or sued over the improper disclosure of patient data.
What you can do instead
Meta doesn’t sign BAAs for their ads platform, and there are no good alternatives to their ads platform. Meta’s ads platform gives you the ability to access a huge audience across all of their digital properties – Facebook, Instagram, their display network, etc. That audience is unmatched by almost all other ad platforms.
You could turn off these trackers, but then you won’t have any idea about the performance of your advertising.
So, you’ll probably want to keep using these trackers, BUT you absolutely must use a tool (like Freshpaint) to govern the flow of sensitive data to Meta Ads.
LinkedIn Insight Tag
Meet the trackers:
- px.ads.linkedin.com
- www.linkedin.com
- snap.licdn.com
- cdn.linkedin.oribi.io
LinkedIn calls its tracker the “Insight Tag.” The Insight Tag gives LinkedIn the ability to follow LinkedIn users on your website. It can see the pages they visit and what actions they take.
According to Freshpaint’s Founder, Michael Malis, these trackers are most commonly intended to be placed on a careers page. When implemented properly and only placed on careers pages that don’t have health information, there’s not much risk from a HIPAA-compliance standpoint.
The problem is reality. Incorrect implementation of the Insight Tag is common. It usually ends up implemented on the entire website, rather than just the careers page. That gives LinkedIn the ability to track users on pages that contain health information.
It doesn’t matter what your intended installation of this tracker is. What matters is where it was actually installed.
LinkedIn’s ad trackers work the same way as Facebook’s ad trackers. They monitor the specific actions specific users take on your website and try to find more of those users to improve your advertising performance.
Is this web tracker a risk to HIPAA compliance?
Yes. LinkedIn’s web trackers work in virtually the same way as Facebook’s. So, it’s completely reasonable to assume that LinkedIn’s web trackers put you at the same risk as Facebook’s trackers.
What you can do instead
LinkedIn doesn’t sign BAAs for their ads platform, and there are no good alternatives to LinkedIn Ads if you’re trying to reach a professional audience.
It’s the same situation as Facebook’s Pixel and Google’s tracker. You could turn off these trackers, but then you won’t have any idea about the performance of your advertising.
So, you’ll probably want to keep using these trackers, BUT you absolutely must use a tool (like Freshpaint) to govern the flow of sensitive data to LinkedIn.
TheTradeDesk
Meet the trackers:
- match.adsrvr.org
- insight.adsrvr.org
- js.adsrvr.org
TheTradeDesk is a popular ad platform that allows advertisers to reach consumers on streaming services, podcasts, digital out-of-home, and other digital platforms.
Their tracker, which they call the ‘Universal Pixel,’ collects a lot of data about the actions users take on your website. It collects things like user demographics, browsing behavior, and conversion events.
User demographics are personal identifiers. Browsing behavior could reveal health information. And conversion events could be both. Sharing all of that with TheTradeDesk means you’re sending PHI to that tool.
Seems standard and straightforward so far, right? That’s a pretty obvious HIPAA compliance risk. Here’s where it gets really interesting…
TheTradeDesk will randomly load other ad pixels. This gives other ad platforms the ability to retarget specific website visitors too. It’s a cool feature if you’re not a healthcare organization. But, if you’re in healthcare and using TheTradeDesk, it leads to more opportunities to inadvertently share PHI with an unauthorized tool.
Is this web tracker a risk to HIPAA compliance?
Yes. Not only is the web tracker itself collecting PHI, but the other web trackers that it loads also collect PHI. That’s essentially double the risk.
What you can do instead
Companies that use TheTradeDesk usually have complex ad strategies built around the platform.
Migrating to a new ad platform is not an easy process for companies in this situation. If you’re using TheTradeDesk, the easiest option is to use a tool to govern the flow of data to the platform. That way you can be sure you’re not inadvertently sharing PHI with TheTradeDesk or any of the other ad pixels it loads.
YouTube
Meet the trackers:
- www.youtube.com
- i.ytimg.com
- yt3.ggpht.com
YouTube is owned by Google. And, as we mentioned earlier, that should raise your HIPAA compliance red flag.
YouTube videos produced by healthcare organizations often contain health information. That’s half of PHI. When those healthcare organizations embed YouTube videos onto their websites, YouTube then has access to personal identifiers. That’s the other half of PHI.
To put that in simple terms, the combination of a video hosted on YouTube and embedded onto a healthcare website means you’re sharing PHI with Google, which could lead to a HIPAA violation.
Is this web tracker a risk to HIPAA compliance?
Yes. If you’ve embedded YouTube videos onto your website, you’re sharing PHI with Google.
What you can do instead
You could stop using YouTube embedded videos on your website altogether, and find an alternative video hosting platform that will sign a BAA.
But if embedded YouTube videos have been a big part of your digital strategy over the past few years, finding all of the videos on your website, taking them down, and migrating to another platform is a long, arduous process.
The other option would be to use a healthcare data privacy tool to determine how to govern the flow of data to YouTube.
Google Maps
Meet the trackers:
- maps.googleapis.com
- maps.gstatic.com
The name of this one should raise your red flag. First, it’s a Google product. And as we’ve covered earlier in this piece, anything Google owns is collecting more information than it needs. Second, the name “Maps” suggests user location.
And that’s exactly what’s going on here. Embedding Maps onto your website gives Google access to user locations, which is a personal identifier. Health information is only a click away: it can be shared with Google Maps through a scheduling feature or through health information on the same page.
Is this web tracker a risk to HIPAA compliance?
Maybe. This one isn’t as clear as the others. Google Maps collects a lot of data. If you only use this on specific pages that don’t contain health information of any kind, you might be okay. It’s best to consult your legal and compliance team on this.
What you can do instead
You have a few options here:
- Use another mapping tool that will sign a BAA.
- Stop using mapping tools on your website. They might provide a good user experience but there are other ways to give a similar experience.
- Talk to your legal team about the risks they’re willing to take on with Google Maps.
Regardless of which path you choose, you need to make sure that you’re not sharing PHI with Google Maps, or any other mapping tool.
Vimeo
Meet the trackers:
- player.vimeo.com
- f.vimeocdn.com
- i.vimeocdn.com
- fresnel.vimeocdn.com
- vimeo.com
Vimeo is another video hosting platform that allows you to embed videos onto your website. From a HIPAA risk perspective, Vimeo is similar to YouTube. Embedded videos collect user information. That information often contains PHI and is shared with Vimeo.
Is this web tracker a risk to HIPAA compliance?
Yes. Even though Vimeo isn’t owned by Google, its web tracking tech works in the same way as YouTube’s tracker. That means you’re likely sharing PHI with Vimeo when you embed videos onto your website.
What you can do instead
It’s the same situation as YouTube. You could stop using Vimeo-embedded videos on your website altogether and find an alternative video hosting platform that will sign a BAA.
But if embedded Vimeo videos have been a big part of your digital strategy over the past few years, finding all of the videos on your website, taking them down, and migrating to another platform is a long, arduous process.
The other option would be to jump to Step 4 in our Privacy-First Framework to determine how to govern the flow of data to Vimeo with a tool like Freshpaint.
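A small audit helper, added here as an example (it is not Freshpaint’s code or any tool from this post): it takes the request URLs from a browser network log or HAR export, skips the site’s own hosts, and groups the rest by the tracker families listed above, applying the post’s “any doubleclick root domain” rule. The site name, the chat-widget host and the sample URLs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Tracker hostnames grouped by the product they serve, as listed in this post.
TRACKER_FAMILIES = {
    "Google Analytics": {"www.google.com", "www.google-analytics.com", "analytics.google.com"},
    "Google Ads": {"googleads.g.doubleclick.net", "static.doubleclick.net"},
    "Meta Pixel": {"connect.facebook.net", "www.facebook.com"},
    "LinkedIn Insight Tag": {"px.ads.linkedin.com", "www.linkedin.com", "snap.licdn.com",
                             "cdn.linkedin.oribi.io"},
    "TheTradeDesk Universal Pixel": {"match.adsrvr.org", "insight.adsrvr.org", "js.adsrvr.org"},
    "YouTube embed": {"www.youtube.com", "i.ytimg.com", "yt3.ggpht.com"},
    "Google Maps embed": {"maps.googleapis.com", "maps.gstatic.com"},
    "Vimeo embed": {"player.vimeo.com", "f.vimeocdn.com", "i.vimeocdn.com",
                    "fresnel.vimeocdn.com", "vimeo.com"},
}
# The post notes that any tracker under a "doubleclick" root domain belongs to Google Ads.
DOUBLECLICK = re.compile(r"(^|\.)doubleclick\.net$")

def classify_host(host):
    """Return the tracker family for a hostname, or None if it is not on the list."""
    host = host.lower().rstrip(".")
    for family, domains in TRACKER_FAMILIES.items():
        if host in domains:
            return family
    return "Google Ads" if DOUBLECLICK.search(host) else None

def audit_requests(first_party, urls):
    """Group third-party request hosts by tracker family; return (known by family,
    other third-party hosts to review by hand). The site's own hosts are skipped."""
    found, unknown = defaultdict(set), set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if not host or host == first_party or host.endswith("." + first_party):
            continue
        family = classify_host(host)
        (found[family] if family else unknown).add(host)
    return dict(found), sorted(unknown)

# Constructed sample of request URLs, like a browser network log or HAR export would give you.
SAMPLE_URLS = [
    "https://www.example-clinic.test/appointments",
    "https://www.google-analytics.com/g/collect?v=2&en=page_view",
    "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/PLACEHOLDER_ID",
    "https://tracker.doubleclick.net/pixel",  # constructed host, caught by the doubleclick rule
    "https://px.ads.linkedin.com/collect?pid=PLACEHOLDER_ID",
    "https://player.vimeo.com/video/PLACEHOLDER_ID",
    "https://cdn.chatwidget.test/widget.js",  # third party that is not on the post's list
]
KNOWN_TRACKERS, NEEDS_REVIEW = audit_requests("example-clinic.test", SAMPLE_URLS)
```

Hosts that land in the second return value are third parties this post does not cover, which is exactly the set to take to your Privacy-First Framework review.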
But I found trackers that aren’t on this list
This list is only a small sample of the most common web trackers. If you’ve found others and aren’t sure what to do, you should read through our Privacy-First Framework. It will help you determine how to manage those trackers.
If you’re still at a loss, reach out to us. We’ll help you figure out how to manage the flow of data to any of the trackers on your website.