New Bulletin by OCR Warns Online Tracking Technologies May Violate HIPAA

The Office for Civil Rights (OCR) at the Department of Health and Human Services Issues a Bulletin to Warn HIPAA-Regulated Entities that Online Tracking Technologies May Be Sharing ePHI

We’ve been following the uptick in class-action lawsuits in the healthcare sector since we first wrote about it in August. The lawsuits claim that the Meta pixel was collecting protected health information (PHI) from hospital websites and sharing it with Facebook without patient consent, which would be a violation of the Health Insurance Portability and Accountability Act (HIPAA).

On December 1, 2022, the Office for Civil Rights at the Department of Health and Human Services officially issued a bulletin that essentially substantiates the lawsuit claims, warning that “some regulated entities (under HIPAA) regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rule.”

The bulletin states that health plans, providers, and other HIPAA-regulated entities need to evaluate whether online tracking technologies like Google Analytics and the Meta Pixel are sending sensitive ePHI off their websites to the technology vendors.

In October, our team scanned more than 5,000 healthcare websites and found that the issue of unauthorized sharing of PHI goes beyond just Facebook. Of the websites scanned, 13% had a LinkedIn pixel, 8% had a Twitter pixel, 5% had a TikTok pixel and 3% had a Snapchat pixel. These all function similarly to the Meta pixel. HIPAA-regulated healthcare entities should also review their sites for these trackers.
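A starting point for that review, as an added example that is not the post's own scanner: a small Python check that flags the tag loaders, inline bootstrap calls and noscript image pixels these vendors typically emit. The host names and call names are assumptions drawn from the vendors' public tag snippets, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Per-vendor signatures: hosts the tag (or its <noscript> image pixel) loads from, plus
# the inline bootstrap call from the vendor snippet. Assumed from public tag snippets.
TRACKER_SIGNATURES = {
    "Meta Pixel": (("connect.facebook.net", "facebook.com/tr"), ("fbq(",)),
    "LinkedIn Insight": (("snap.licdn.com", "px.ads.linkedin.com"), ("_linkedin_partner_id",)),
    "Twitter Pixel": (("static.ads-twitter.com", "t.co/i/adsct"), ("twq(",)),
    "TikTok Pixel": (("analytics.tiktok.com",), ("ttq.load(",)),
    "Snapchat Pixel": (("sc-static.net", "tr.snapchat.com"), ("snaptr(",)),
    "Google Analytics": (("googletagmanager.com", "google-analytics.com"), ("gtag(",)),
}
class _AssetCollector(HTMLParser):
    """Collects external script/img/iframe sources and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_inline_script = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.sources.append(attrs["src"].lower())
        elif tag == "script":
            self._in_inline_script = True  # body arrives via handle_data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False
    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)
def find_trackers(html: str) -> dict:
    """Return {vendor: [evidence, ...]} for each tracker signature present in the HTML."""
    parser = _AssetCollector()
    parser.feed(html)
    inline_text = "\n".join(parser.inline)
    hits = {}
    for vendor, (hosts, calls) in TRACKER_SIGNATURES.items():
        evidence = [src for src in parser.sources if any(h in src for h in hosts)]
        evidence += [h for h in hosts if h in inline_text.lower()]  # loader URL in snippet
        evidence += [c for c in calls if c in inline_text]
        if evidence:
            hits[vendor] = evidence
    return hits
# Constructed sample: a patient-facing page that loads several tags ahead of a form.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>!function(f,b,e,v,n,t,s){/* vendor loader */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');fbq('init','0000000000');fbq('track','PageView');</script>
<script src="https://static.ads-twitter.com/uwt.js"></script></head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView"/></noscript>
<form action="/appointments"><input name="reason"></form></body></html>"""
```

Feed it the rendered HTML of each patient-facing page (appointment booking, portal login, symptom search), since a tag on those pages is the case the bulletin is concerned with. Static HTML only shows that a tag is loaded; confirming what it actually transmits needs the browser's network log.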

You can read the OCR bulletin here; it goes into further detail about the types of trackers and how to protect your organization and remain compliant with HIPAA.