Brian Rasquinha, Associate Director, Privacy Analytics, co-authored this On The Subject.
Online tracking technologies, such as pixels, have become a common feature of the modern web and app ecosystem. Pixels and other online tracking technologies may be configured to collect user data about website visits, interactions, referrals, and other online activities, and the resulting datasets offer organizations valuable insights about how users interact with their websites or apps, enabling informed design choices to improve user experience and drive business growth.
However, there is growing awareness of the privacy concerns that can arise with tracking technologies in the healthcare context, where HIPAA-regulated protected health information could be disclosed via these technologies. This is of particular concern when the information is impermissibly disclosed to social media platforms and other advertising or analytics services providers that may not be willing or equipped to sign business associate contracts.
Over the past year, regulators have been increasingly focused on this topic and have released guidance. Most recently, the U.S. Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS) published a joint press release warning hospital systems and telehealth providers of the compliance risks associated with online tracking technologies.
The increasing scrutiny of online tracking technologies is driving discussions in the healthcare industry about how to effectively manage privacy concerns without sacrificing access to useful data assets. With a careful, considered approach, healthcare provider organizations can develop pragmatic, compliant solutions.
Getting ahead of the challenge
Privacy concerns with online tracking technologies arise when certain features are present, including:
- the trackers collect and potentially share data elements that are considered individually identifiable under applicable law (e.g., HIPAA);
- the trackers collect and share data with third parties (e.g., social media companies) that may enable the third party to identify the applicable user by linking the shared data with other data that resides in the third party’s broader datasets.
The following are key questions for a healthcare provider organization to consider prior to implementing tracking technologies on their websites and apps:
1. What pixel tracker data is being collected, and who receives it?
The first step is to understand the particulars of your organization’s current or planned implementation of online tracking technologies. This may require coordination between compliance/legal functions and marketing/engineering functions. To accurately assess the impacts and benefits of a pixel tracking technology, you will want to understand:
- What tracking technologies are on (or are being proposed on) your online properties?
- How do these technologies map to particular pages or content?
- What data elements are ‘actually’ being collected?
- What additional data elements may be ‘implied’ (e.g., real time dates for underlying events, such as a telehealth appointment)?
- What data elements may be contained within hidden metadata (e.g., dates or user IDs) that is disclosed along with the specified data elements?
- What data elements are being sent to third parties?
- Is the data being sent to third parties de-identified under applicable law? If not, and if HIPAA applies, has the organization entered into a business associate contract with the third-party recipient? (Note that other regimes with their own de-identification standards may apply.)
- What data elements are critical, or what data elements can be removed or de-identified under applicable law?
- What are the potential regulatory impacts of the answers to the above questions?
Privacy regulators evaluate whether best practices like data minimization or de-identification, where appropriate, are in place. An organization that is restricting data collection to what is the minimum necessary for specific business functions, and that does not impermissibly disclose that information, will have a stronger privacy case with their customers and with regulators.
2. Is my pixel tracker data governed by a regulation?
Despite recent guidance from the HHS Office for Civil Rights (OCR), there is still confusion about what types of data are considered HIPAA protected health information in the online tracking technology context. OCR has provided in guidance some examples of the types of webpages that it believes may result in the disclosure of protected health information via online tracking technologies. However, OCR cannot feasibly consider all potential use cases in its guidance, so organizations are often faced with making their own reasonable determinations of what is or is not protected health information in this context, based on factors such as webpage content and context. In making these determinations, organizations would benefit from consultations with legal counsel who are versed in these topics and data analysts who can help assess whether data is individually identifiable in the context of all other data disclosed or otherwise available to a third party.
3. Is my pixel tracker data attributable to an individual?
Applicable laws may prescribe how data may be rendered de-identified or anonymized. There are a number of considerations involved in evaluating the identifiability of data from a statistical perspective.
Data Elements: Some data elements, such as names, home address, email, and ID numbers, would typically be considered ‘direct’ identifiers that ostensibly disclose the identity of a patient. HIPAA’s Safe Harbor approach to de-identification also explicitly lists IP address as a data element that must be removed to render health information de-identified (although there may be scenarios where an IP address pertains to a shared device, network, or organization). Other elements might be considered ‘quasi’-identifying from a statistical perspective, such as demographic information and particular interactions. In order to demonstrate that the data is not attributable to an individual, organizations will need to show that these identifiers are reduced to what is considered de-identified under the HIPAA Expert Determination method or Safe Harbor method of de-identification and/or under other applicable regulatory regimes.
Data Flows: From a risk perspective, how readily a data element can be used to attempt to re-identify an individual will vary, depending on who is receiving the data and what other data is available to that person. Recipients with richer reference data, with more computational resources, and with more financial resources would have a higher capacity to attempt to re-identify data. You will want to understand what data elements are being shared and what organizations they are being shared with, including whether the receiving organization might further share data in any form.
Data privacy experts can support an analysis of identifiability and potentially document a HIPAA Expert Determination that the information is de-identified or provide guidance on the steps required to achieve that state.
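As an added illustration of the inventory questions in section 1 and the identifier categories in section 3 (this is example code written for this article, not a tool from the authors or any vendor), the following audit classifies what a single captured pixel request discloses to its recipient. The parameter names, hosts and page paths are constructed for the example; real tracking vendors use their own, and the IP address is flagged because the recipient sees it at the transport level whether or not it appears in the query string.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Parameter-name mappings are hypothetical and apply to this example only.
DIRECT_IDENTIFIERS = {"em": "email address", "uid": "user ID", "ph": "phone number"}
QUASI_IDENTIFIERS = {"dob": "date of birth", "zip": "ZIP code", "gender": "gender"}
HIDDEN_METADATA = {"ts": "event timestamp"}
# Page paths whose mere visit implies a condition or service sought (constructed list).
SENSITIVE_PATH = re.compile(r"/(appointments|conditions|oncology|telehealth)\b", re.I)

# Constructed sample requests, as they might appear in a browser network log.
SAMPLE_REQUESTS = [
    {"url": "https://pixel.example-analytics.invalid/collect?ev=PageView"
            "&dl=https%3A%2F%2Fclinic.example%2Fappointments%2Foncology"
            "&uid=48213&em=jane%40example.com&dob=1981-03-04&ts=1686159600",
     "client_ip": "203.0.113.7"},
    {"url": "https://pixel.example-analytics.invalid/collect?ev=PageView"
            "&dl=https%3A%2F%2Fclinic.example%2Fabout-us",
     "client_ip": "203.0.113.7"},
]

def audit_pixel_request(request):
    """Return which identifier categories one pixel request discloses, and to whom."""
    parsed = urlparse(request["url"])
    params = dict(parse_qsl(parsed.query))
    findings = {"recipient": parsed.netloc, "direct": [], "quasi": [], "hidden": [], "context": []}
    for name in params:
        if name in DIRECT_IDENTIFIERS:
            findings["direct"].append(DIRECT_IDENTIFIERS[name])
        elif name in QUASI_IDENTIFIERS:
            findings["quasi"].append(QUASI_IDENTIFIERS[name])
        elif name in HIDDEN_METADATA:
            findings["hidden"].append(HIDDEN_METADATA[name])
    # The visited page URL is commonly sent along; its path can itself be revealing.
    page_path = urlparse(unquote(params.get("dl", ""))).path
    if SENSITIVE_PATH.search(page_path):
        findings["context"].append(f"page path reveals service sought: {page_path}")
    # HIPAA Safe Harbor lists IP address; the recipient sees it regardless of the payload.
    if request.get("client_ip"):
        findings["direct"].append("IP address (transport level)")
    findings["identifiable"] = bool(findings["direct"])
    return findings

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_pixel_request(req))
```

Run against a full export of network requests, the same classification gives the per-page inventory of recipients and data elements that the questions above ask for.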
Since OCR provided its bulletin in December 2022, we have seen discussion around pixel trackers intensify rather than taper off. The topics and questions discussed above will be critical as organizations evaluate their existing or proposed implementations of online tracking technologies.