Can cookies be used in a HIPAA compliant manner?


Cookies are everywhere. Online, in every connected device we use, in the kitchen. But in all honesty, most people don’t know what an online cookie is beyond something connected to a web browser. Given the amount of sensitive information out there, this shouldn’t be the case, especially for healthcare organizations.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant and protect patients and their protected health information (PHI).

And yes, this does mean understanding and properly using these tiny morsels when marketing. Or not using them at all.

RELATED: HIPAA and marketing: What you need to know to build a modern healthcare marketing strategy

So, what are cookies, and can healthcare organizations use them in a HIPAA compliant manner?

Cookies—not just for eating

First coined in the 1990s as ‘magic cookies’ by Lou Montulli, online cookies store transaction states on each user’s computer. Most users did not (and still don’t) understand or know anything about these bits of information. When prompted, users tended to accept cookies by default and not think about them again.

SEE ALSO: Why every website wants you to accept its cookies

Rather quickly, online sellers saw potential and the use of these magic bits grew. Nowadays, cookies are everywhere and do various things. Generally, cookies are small pieces of data (usually text files) downloaded onto a computer or device. Websites and apps may retrieve these cookies each time a user visits. This is so that they can recognize you, remember your preferences, and provide a better online experience.

Think of cookies as utilitarian chunks of facts created to improve website usability. But this is not their only use today. By the 2000s, cookies became instrumental advertising tools and unfortunately, cybersecurity annoyances. In some instances, websites and corporations collect and then sell information, all while protection levels remain inadequate.

The four types of cookies and what to do with them

IT professionals also refer to online cookies as HTTP, web, Internet, or browser cookies. When a person visits a website or an app, a cookie may record:

  1. Data entered into a form
  2. Log-in information
  3. Shopping cart contents
  4. Search histories

In other words, the type of cookie depends on what needs it serves. First-party cookies are placed by the website a person is visiting. In fact, some websites can’t function without them or other similar tracking technologies. They can help set preferences for that specific website and are not shared.

Session cookies exist only in temporary memory while a user navigates a website. Authentication cookies validate that a user is logged in and with what account. Both keep users from having to authenticate themselves each time they visit a page that contains sensitive information, like a patient portal.

SEE ALSO: Why email is better than patient portals

Third-party cookies are placed by a domain other than the website the person is visiting. They are often associated with marketing and advertising activities. Think of advertising banners on a website. You are seeing specific banners because of clicks or site visits that tracked you.

Third-party cookies, advertising, and marketing

Most cookies you hear about are third-party cookies. They are typically set by JavaScript or other content embedded from one website into another, and they remember information between browsing sessions that the stateless HTTP protocol would not otherwise retain.

Websites use third-party cookies to track, cross-site track, retarget, and serve ads. Tracking cookies are long-term records of browsing histories. Persistent cookies expire at a specific date or after a specific length of time. Third-party cookies are a gold mine for advertisers looking into behavioral targeting or retargeting.

Think about all the ads you see on Facebook, Instagram, or YouTube. Cookies from another website followed you. In other words, your ad preferences on whatever social media site you are visiting were curated specifically for you.

RELATED: Social media & HIPAA compliance: The ultimate guide

The idea is to engage with potential customers that have somehow come across your brand and need a reminder. But how does it work within industries tasked with keeping private information private, like healthcare?

Cookies and HIPAA

The U.S. Health & Human Services (HHS) created HIPAA to improve healthcare standards and combat PHI fraud and abuse. Title II, which includes the policies and procedures for safeguarding PHI, also contains marketing provisions. The HIPAA Privacy Rule (2003) defines marketing as making

a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

The rule gives individuals control over whether or how organizations use and disclose their PHI. This means healthcare providers need patient authorization before sharing any PHI, including a name.

This doesn’t mean that HIPAA discourages the use of new technology. In fact, the HIPAA HITECH Act (2009) promotes its adoption and meaningful use in healthcare. Really, it just stipulates the importance of security.

For example, the Omnibus Rule (2013) requires all healthcare websites, old and new, to be appropriately designed. There are various ways to make this happen and much information is out there. But when it comes to cookies, it means disclosing their use and asking for authorization. It also means keeping them encrypted and always secured.

This, however, doesn’t change the fact that cookies can contain PHI and are therefore HIPAA compliance risks.

So, are cookies HIPAA compliant?

The short answer to this question is no. Cookies are not HIPAA compliant. There are too many possible breach scenarios that could happen.

Three ways hackers exploit cookies

  1. Cross-site scripting
  2. Session hijacking
  3. DNS poisoning

Hackers can disguise viruses and malware and use them to eavesdrop on a computer network. Don’t forget, sharing may also be accidental. Third-party cookies are hard to keep track of, and data may become lost in the mix or forgotten. But even an accidental disclosure is a HIPAA violation.

Laws nowadays, beyond HIPAA, require cookie consent for every visitor that clicks on a website. Moreover, there are ways to block hackers from reaching cookies, such as encryption, software blockers, or VPNs (virtual private networks).
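Added example (not from the original post and not Paubox code): a small Python audit that takes Set-Cookie headers captured while visiting a site, classifies each cookie as first- or third-party and as session or persistent, as described in the cookie-types section above, and flags the attributes that address the exploit and mitigation points in this section: Secure (sent only over encrypted connections), HttpOnly (not readable by page scripts, which limits cross-site scripting), SameSite (not sent on cross-site requests), and lifetime (long-term tracking records). The site, hostnames, cookie values, the fixed clock and the 365-day threshold are all constructed for the example, and the same-site check is a simplified suffix match rather than a public-suffix-list lookup.

```python
"""Audit Set-Cookie headers captured while visiting a site.

Constructed example: classifies each cookie as first- or third-party and as
session or persistent, then flags the attributes that matter for the risks
named in the text (plaintext transmission, script access, cross-site sending,
long-term tracking).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Policy threshold chosen for this example, not a HIPAA or browser rule.
MAX_PERSISTENT_DAYS = 365


@dataclass
class CookieReport:
    name: str
    party: str                     # "first-party" or "third-party"
    lifetime: str                  # "session" or "persistent"
    lifetime_days: Optional[float] # None for session cookies
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    Splitting on ';' is safe because Expires dates contain commas, not semicolons.
    """
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: Dict[str, object] = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def same_site(site_host: str, other_host: str) -> bool:
    """Treat hosts as the same site when one equals or is a subdomain of the other.

    Simplification: a production check would consult the public suffix list.
    """
    a, b = site_host.lower(), other_host.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def remaining_days(attrs: Dict[str, object], now: datetime) -> Optional[float]:
    """Lifetime in days from Max-Age (takes precedence) or Expires; None = session."""
    if "max-age" in attrs and attrs["max-age"] is not True:
        return int(str(attrs["max-age"])) / 86400
    if "expires" in attrs and attrs["expires"] is not True:
        expires = parsedate_to_datetime(str(attrs["expires"]))
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def audit_cookie(site_url: str, response_url: str, header: str, now: datetime) -> CookieReport:
    """Classify one cookie and list the protective attributes it lacks."""
    name, _value, attrs = parse_set_cookie(header)
    site_host = urlsplit(site_url).hostname or ""
    resp_host = urlsplit(response_url).hostname or ""
    party = "first-party" if same_site(site_host, resp_host) else "third-party"
    days = remaining_days(attrs, now)
    report = CookieReport(name, party, "session" if days is None else "persistent", days)

    if attrs.get("secure") is not True:
        report.findings.append("no-secure")      # may travel over plaintext HTTP
    if attrs.get("httponly") is not True:
        report.findings.append("no-httponly")    # readable by page scripts (XSS)
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite == "":
        report.findings.append("no-samesite")    # relies on browser defaults
    elif samesite == "none":
        report.findings.append("cross-site")     # sent with cross-site requests
    if days is not None and days > MAX_PERSISTENT_DAYS:
        report.findings.append("long-lived")     # long-term tracking record
    return report


def audit_site(site_url: str, captures: List[Tuple[str, str]], now: datetime) -> List[CookieReport]:
    """Audit every (response_url, Set-Cookie header) pair captured on a visit."""
    return [audit_cookie(site_url, url, hdr, now) for url, hdr in captures]


# Constructed sample capture: a patient-portal visit that also loads a tracking pixel.
SITE = "https://portal.clinic.example"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
CAPTURES = [
    ("https://portal.clinic.example/login",
     "session=8f3a1c; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("https://portal.clinic.example/prefs",
     "lang=en; Path=/; Max-Age=31536000; Secure; SameSite=Lax"),
    ("https://cdn.adnetwork.example/pixel.gif",
     "uid=42; Domain=.adnetwork.example; Path=/; "
     "Expires=Wed, 21 Oct 2026 07:28:00 GMT; SameSite=None; Secure"),
    ("https://portal.clinic.example/legacy",
     "auth_token=abc123; Path=/"),
]

if __name__ == "__main__":
    for r in audit_site(SITE, CAPTURES, NOW):
        days = "" if r.lifetime_days is None else f" ({r.lifetime_days:.0f} days)"
        print(f"{r.name:<11}{r.party:<13}{r.lifetime}{days}: {', '.join(r.findings) or 'ok'}")
```

Run as a script, the audit shows the hardened portal session cookie passing clean, the advertising pixel's cookie flagged as third-party, cross-site and long-lived, and the legacy authentication cookie missing every protective attribute, which is the combination most exposed to the three attack classes listed above.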

Thankfully it looks like cookie technology is not here to stay. Why would any healthcare provider want to utilize such an easy-to-breach technology? Is there another solution out there for healthcare organizations?

Paubox Marketing, a HIPAA compliant solution

There are many ways that covered entities can market to patients or potential patients. But one of the best methods today is healthcare email marketing using HIPAA compliant email. Paubox Marketing allows recipients to always view marketing emails like regular emails but with strong encryption and email security.

No extra steps for the sender or the receiver and no worry about leaked PHI. And no worries about cookies getting away from you. Instead, healthcare providers can focus on what they need to. Write effective healthcare email newsletters, share social media platforms within an email, and build relationships.

Using HIPAA compliant email marketing creates personalized marketing campaigns while maintaining PHI security. The most important thing to remember is strong patient care, which means not putting patients or their PHI into unhealthy situations.

About the author

Kapua Iao
