Web beacons can be HIPAA compliant; however, they bring a unique set of challenges to maintaining HIPAA compliance in healthcare settings. It's worth noting that 25 percent of all breaches involve web applications, primarily through stolen credentials and exposed vulnerabilities. This statistic is a reminder of the risks that come with deploying web beacons. While these tools are invaluable for understanding user engagement and delivering personalized content, their use on healthcare websites and in healthcare apps demands a careful approach.
What are web beacons?
In a study published in Patterns (NY) on Facebook's health advertising, web beacons are defined as follows: they “...are tiny graphics with a unique identifier, similar in function to cookies. Web beacons are embedded invisibly on web pages and do not store information on your device like cookies.” Also known as clear GIFs or pixel tags, web beacons are commonly embedded invisibly on web pages, and the request that loads the graphic sends information about user behavior back to the server.
These tiny graphics are necessary for digital medicine companies to understand how users engage with their services, facilitating personalized advertising and content delivery. The benefits of using web beacons include enhanced user experience through tailored content, improved service efficiency, and the ability to measure the effectiveness of advertising campaigns. However, the study also discusses the risks associated with web beacons, particularly concerning patient privacy and data security.
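Because a beacon is simply an image or script request that leaves the page with parameters attached, the first step in assessing a healthcare site is to find out which requests a page actually makes and what they carry. The following scanner is an added example written for this article, not code from the study or from any vendor: it applies a few heuristics (1x1 or hidden images, third-party images carrying a query string, third-party script includes) to a constructed sample refill page. The host names, the first-party host `clinic.example` and the sample markup are placeholders.

```javascript
// Added example (not from the article): audit an HTML document for likely web
// beacons so a compliance reviewer can see which requests leave the page and
// what data they carry. Heuristics: <img> elements that are 1x1, hidden via
// inline style, or third-party with a query string; and <script> includes
// loaded from a third-party host. Host names and the sample page are
// constructed placeholders.

const FIRST_PARTY_HOST = "clinic.example"; // assumption: the audited site's own host

// Constructed sample page: a pharmacy refill page with one logo, one tracking
// pixel, one spacer image and one third-party tracking script.
const SAMPLE_HTML = `
<html><body>
<h1>Refill your prescription</h1>
<img src="/static/logo.png" width="120" height="40" alt="logo">
<img src="https://analytics.example.net/collect?id=abc123&page=%2Frefill%3Frx%3D12345"
     width="1" height="1" style="display: none" alt="">
<img src="https://cdn.clinic.example/spacer.gif" width="1" height="1" alt="">
<script src="https://pixel.example.com/tracker.js"></script>
<script src="/static/app.js"></script>
</body></html>`;

const TAG_RE = /<(img|script)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute string of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function isFirstParty(hostname, firstPartyHost) {
  return hostname === firstPartyHost || hostname.endsWith("." + firstPartyHost);
}

// Returns one finding per suspicious element: the tag, resolved host, the
// reasons it was flagged and the decoded query parameters it would transmit.
function findBeacons(html, firstPartyHost = FIRST_PARTY_HOST) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (!attrs.src) continue;
    let url;
    try {
      url = new URL(attrs.src, `https://${firstPartyHost}/`);
    } catch {
      continue; // unparsable src: nothing to resolve
    }
    const thirdParty = !isFirstParty(url.hostname, firstPartyHost);
    const reasons = [];
    let flagged = false;
    if (tag === "script") {
      if (thirdParty) { reasons.push("third-party-script"); flagged = true; }
    } else {
      if (thirdParty) reasons.push("third-party");
      const tiny = attrs.width !== undefined && attrs.height !== undefined &&
        Number(attrs.width) <= 1 && Number(attrs.height) <= 1;
      if (tiny) reasons.push("1x1");
      const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
      const hidden = style.includes("display:none") || style.includes("visibility:hidden");
      if (hidden) reasons.push("hidden");
      if (url.search) reasons.push("query-string");
      // A visible first-party image with a cache-busting query is normal; a tiny or
      // hidden image, or a third-party image carrying parameters, is beacon-shaped.
      flagged = tiny || hidden || (thirdParty && url.search !== "");
    }
    if (flagged) {
      findings.push({
        tag,
        src: attrs.src,
        host: url.hostname,
        reasons,
        params: Object.fromEntries(url.searchParams),
      });
    }
  }
  return findings;
}

// Usage: print the findings for the constructed page.
for (const f of findBeacons(SAMPLE_HTML)) {
  console.log(`${f.tag} ${f.host} [${f.reasons.join(", ")}]`, f.params);
}
```

On the sample page the scanner flags three elements: the analytics pixel (third-party, 1x1, hidden, and carrying a `page` parameter that decodes to the refill URL with its prescription identifier), the first-party spacer GIF (1x1 only, so a reviewer can dismiss it), and the third-party tracking script. The decoded `params` field is the part worth reading in an audit, because it shows exactly what a beacon would transmit on a page where PHI may be present.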
Can web beacons be used in a HIPAA compliant way?
When healthcare providers or related entities implement these tracking technologies without clear patient consent, they violate HIPAA. The issue is that organizations can rarely assure patients that the data collected will be used solely for treatment, payment, and healthcare operations. The concern is that web beacons may inadvertently collect protected health information (PHI) and share it with third parties, such as advertisers or analytics companies, without explicit patient authorization. This unauthorized disclosure of PHI compromises patient privacy.
Recognizing the risks posed by online tracking technologies such as cookies, web beacons, and pixels, HHS has sought to address the potential for impermissible disclosures of PHI in guidance titled Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. The guidance sets out the conditions under which online tracking can be HIPAA compliant:
- Consent: Ensuring that any collection, use, or disclosure of PHI through tracking technologies is done with the explicit consent of the individual, unless it falls under the narrow exceptions allowed by HIPAA for treatment, payment, or healthcare operations.
- Minimum necessary standard: Limiting the information collected through tracking technologies to the minimum necessary to achieve the intended purpose, thereby reducing the risk of unnecessary exposure of PHI.
- Business associate agreements (BAAs): Executing BAAs with third-party vendors that provide tracking technologies, ensuring they agree to the same standards of PHI protection as the covered entity.
- Security measures: Implementing strong security measures to protect PHI from unauthorized access or disclosure as a result of tracking technology use.
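The four conditions above translate into checks a page can enforce before a beacon ever fires. The following sender is an added example written for this article, not code from HHS or from any tracking vendor: it refuses to build a request without authorization, forwards only allowlisted fields, reduces the page URL to a non-revealing form, sends only to vendors that have an executed BAA, and only over HTTPS. The vendor table, field allowlist and sensitive-path list are constructed placeholders that a real deployment would maintain with its privacy office.

```javascript
// Added example (not from the article or the HHS guidance): a beacon sender
// that enforces the four controls above before any request leaves the browser.
// The vendor list, field allowlist and sensitive-path list are constructed
// placeholders that a real deployment would maintain itself.

// Control 3, BAAs: only vendors with an executed BAA on file get an endpoint.
const BAA_VENDORS = {
  "analytics.example.net": "https://analytics.example.net/collect", // constructed
};

// Control 2, minimum necessary: the only caller-supplied fields ever forwarded.
const ALLOWED_FIELDS = new Set(["event", "sid"]);

// Page sections whose exact URL could reveal a condition, drug or appointment
// (assumption: site-specific and maintained with the privacy office).
const SENSITIVE_PREFIXES = ["/portal", "/refill", "/appointments"];

// Reduce the current page URL to the least revealing form that still supports
// analytics: path only (no query string or fragment), and a wildcard bucket
// for sensitive sections.
function minimisePage(pageUrl) {
  const path = new URL(pageUrl).pathname;
  for (const prefix of SENSITIVE_PREFIXES) {
    if (path === prefix || path.startsWith(prefix + "/")) return prefix + "/*";
  }
  return path;
}

// Decide whether a beacon may fire and, if so, build the exact URL it will
// request. Returns { ok, reason } on refusal or { ok, url, dropped } on success.
function buildBeaconUrl({ consent, vendor, fields = {}, pageUrl }) {
  // Control 1, consent: no authorization, no request at all.
  if (consent !== true) return { ok: false, reason: "no-consent" };
  const endpoint = BAA_VENDORS[vendor];
  if (!endpoint) return { ok: false, reason: "no-baa" };
  const url = new URL(endpoint);
  // Control 4, security: PHI-adjacent data never travels in the clear.
  if (url.protocol !== "https:") return { ok: false, reason: "insecure-endpoint" };
  const dropped = [];
  for (const [name, value] of Object.entries(fields)) {
    if (!ALLOWED_FIELDS.has(name)) { dropped.push(name); continue; }
    url.searchParams.set(name, String(value));
  }
  url.searchParams.set("page", minimisePage(pageUrl));
  return { ok: true, url: url.toString(), dropped };
}

// Browser-only transport: a 1x1 image request is how a classic pixel transmits
// its parameters. Returns false where no request was made (refused, or no DOM).
function fireBeacon(decision) {
  if (!decision.ok || typeof Image === "undefined") return false;
  const img = new Image(1, 1);
  img.src = decision.url;
  return true;
}

// Usage with constructed inputs: the e-mail field is dropped and the refill URL
// is reduced to its section bucket.
const decision = buildBeaconUrl({
  consent: true,
  vendor: "analytics.example.net",
  fields: { event: "pageview", sid: "s-42", email: "patient@example.org" },
  pageUrl: "https://clinic.example/refill?rx=12345#top",
});
console.log(decision);
fireBeacon(decision);
```

The design choice worth noting is that the decision and the transport are separate functions: `buildBeaconUrl` is pure and returns the exact URL that would be requested, so it can be unit-tested and logged for audit, while `fireBeacon` is the only place that touches the DOM. A vendor's own pixel snippet normally combines both steps and collects whatever the page exposes, which is precisely the behavior the HHS conditions are meant to constrain.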
The real world issue with online tracking in a healthcare setting
The recent lawsuits against Costco Wholesale Corporation over its use of Facebook Pixel on its pharmacy website vividly illustrate the real-world challenges of online tracking in healthcare settings. By embedding this tracking technology, Costco allegedly collected and transmitted sensitive health information, including prescription details and HIV status, to third parties without patient consent. Such a practice breaches the trust patients place in healthcare providers and potentially violates HIPAA. The case shows that the concern described above remains live. The unauthorized disclosure of PHI beyond the scope of treatment, payment, or healthcare operations without patient consent is still a major concern, and it should give healthcare organizations pause when they consider using web beacons or any other form of online tracking.
FAQs
What is a pixel?
A pixel is a tiny dot that makes up part of a digital image on a screen, where multiple pixels together form the complete picture. In the context of online tracking, a "pixel" such as Facebook Pixel is a tiny, usually invisible, image embedded in a page that reports user activity back to a server; it works the same way as a web beacon, which is why the terms pixel tag and web beacon are used interchangeably.
Is online tracking HIPAA compliant?
Online tracking can be HIPAA compliant if it meets the conditions set out in the HHS guidance: patient authorization for any collection or disclosure of PHI, the minimum necessary standard, BAAs with the vendors that provide the tracking technology, and appropriate security safeguards.
What is a BAA?
A BAA is a legal contract required under HIPAA that outlines how a business associate will protect PHI in accordance with HIPAA's privacy and security rules.