Staying HIPAA-Compliant: How to Detect Web Tracking Risks on Your Website
In July, the FTC and the HHS issued a warning to 130 hospital systems and healthcare providers about the use of online tracking technologies. The warning essentially said, “You might be inadvertently sharing Protected Health Information (PHI) with third-party web tracking tools.”
That put legal and compliance teams on high alert, especially since the letter mentioned Google Analytics and the Meta pixel – technologies most websites use.
Thankfully, there are ways to find out if your website is sharing PHI with third-party trackers. In our Privacy-First Framework, we explained all the steps you can take to avoid HIPAA violations from tracking tech.
The first step of our Privacy-First Framework is focused on uncovering the tracking tech on your website. There are a number of ways to do this, but many of them require using more tools and asking your IT team for help.
But If your IT team doesn’t have time to help or just needs a starting point, this guide will show you how to find every tracking tool on your site.
Conducting an audit of third-party trackers
Finding third-party trackers on your website is easy, even if you don’t have a lot of technical expertise. Just follow the steps below.
1. Set up a spreadsheet
First, create a simple spreadsheet to keep a log of all the trackers you find. Include the following columns on this spreadsheet:
- Page: The page on your website where you found the tracker, such as the homepage.
- Domain: The website associated with the tracker.
- Tool: The name of the tracking tool.
- Notes: Any additional information about what the tracker is for
- Legal: Whether you have a BAA with the company
Now, you’re ready to start the audit.
2. Start with the homepage
Your website’s homepage is the first place to look for trackers. For this purpose, make sure you’re using Google Chrome.
Right-click anywhere on the page and then click on “Inspect”.
This will pull up the backend of your website. This is a publicly available read-only file that is accessible to anyone. Even though this looks intimidating, don’t stress. You can’t do anything “wrong” here. Google Chrome won’t actually let you change anything.
To find the trackers on your website, click on “Sources” in the top menu.
The Sources panel will display a list of all the network requests that are coming from different sources on the website. Any of these network requests could be a third-party tool that is inadvertently receiving PHI, making each request potentially risky from a HIPAA compliance standpoint.
Now, you need to go through each request one by one and understand what they are. As you do this, make sure to record all information in the spreadsheet you created in the previous step.
Since we’re looking for third-party trackers, we can skip any item with your domain name.
Using Freshpaint’s homepage as an example, we’ll skip “www.freshpaint.io”. The first item we want to look into is “ajax.googleapis.com”.
The best way to figure out what the request is is by navigating to the domain of that request. So if you’re looking into “ajax.googleapis.com,” navigate to googleapis.com in your browser and review the information there.
If that doesn’t turn anything up, Googling the request and scanning through the results is your next step. Search results from forums like Reddit, are sometimes the most helpful.
Back to our example, if we Google “What is ajax.googleapis.com?” we see a search result from Google themselves. That result clearly explains the request. If we were doing this as a real audit, we’d make a note of the result in our spreadsheet and then move on to the next item on the list.
At this point, you don’t need to analyze whether the tool is collecting PHI. The goal is to get an inventory of all third-party trackers in one place. (When this is done, you can start analyzing whether you’re disclosing PHI to third-party trackers.)
3. Re-run the audit on pages that contain health information
When you’re done auditing the trackers on your homepage, you need to repeat the process on a sampling of pages and subdomains containing health information. You need to do this because there may be different trackers on other website pages. Be sure to include pages that:
- Help patients find a doctor
- Schedule appointments
- Mention specific medical conditions
Those three types of pages are the riskiest in terms of HIPAA violations because they all contain health information, and web trackers on those pages have access to personal identifiers (like IP addresses). As we’ve covered before, the formula for PHI is personal identifiers + health information = PHI.
For example, a person with multiple sclerosis visits your website to schedule an appointment with a doctor specializing in their condition.
If you have a tracking tool collecting the person’s IP address and scheduling activity, this could be a potential HIPAA violation.
Keep in mind, this isn’t a one-and-done process. You should regularly update this list with any new tracking technologies that come along. You can do this by re-running the audit monthly. Or setting strict guidelines about when the marketing, product, and IT teams can add new trackers and who they need to notify when they do. Ideally you’ll do both.
As Jane Blaney, Associate at the international law firm Foley & Lardner put it, “It’s a good idea to have this [inventory] updated on a regular basis so that when a new initiative comes along, such as a company changing their marketing scheme, then this inventory is already there. And you already know what’s in place.”
You found a third-party tracking risk – now what?
If you’ve discovered any tracking risks on your website, your first response is probably to remove all trackers. But this will only hurt the marketing team’s efforts.
Trackers help marketers collect data to understand the performance of their efforts. Without data, marketers will struggle to target the right people, create great patient experiences, and build successful marketing campaigns.
Instead of shutting down native tracking technologies, you can implement technology like Freshpaint that limits what kind of data third-party trackers ingest. It acts as a filter between your website and third-party tools like Facebook Ads, preventing you from sharing PHI.