About Tracking Technology

  • Script or code on websites/mobile apps analyzes a user’s online activity.
  • Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.
  • Regulated entities must ensure their tracking technologies align with HIPAA standards when the data involves PHI.

HIPAA Mandate

  • Require a login to access the webpage, such as a patient or health plan beneficiary portal.
  • May have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal.
  • Do not result in a disclosure of PHI where the pages a user might visit concern a hospital’s job postings or visiting hours.
  • Deemed a disclosure of PHI when:
    • Identifying information is collected while the user is seeking a second opinion on the treatment of a brain tumor
    • Identifying information is collected when scheduling appointments or using a symptom-checker tool
  • Mobile apps can collect information such as fingerprints, network location, geolocation, device ID, or advertising ID. These are generally considered to be PHI.
  • Patients often use mobile apps to track information such as glucose levels and insulin doses; transmission of this information to a tracking technology vendor is considered a disclosure of PHI.
Online Tracking Assessment

  • Crawl the in-scope websites to identify calls to third-party resources.
  • Review third-party resources to identify those implementing tracking or fingerprinting technologies.
  • Identify the specific third-party resources on each crawled page potentially providing those features.
  • Establish actionable recommendations.
  • Provide a report on websites employing tracking or fingerprinting technologies.
  • Ensure HIPAA compliance in line with OCR guidance.
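One way to carry out the first three assessment steps on a single crawled page, as an added Python example that is not part of the original handout: it lists the third-party hosts a page loads scripts, images and frames from and flags 1x1 images as likely web beacons. The page URL, HTML and host names are constructed samples, not real vendors.

```python
# Added example for the assessment steps above; not part of the original
# handout. Page URL, HTML and host names below are constructed samples.
from html.parser import HTMLParser
from urllib.parse import urlparse

PIXEL_SIZES = {"0", "1", "0px", "1px"}  # <img> dimensions typical of a web beacon

def site_of(host):
    # Heuristic registrable domain (last two labels): fine for the sample,
    # wrong for public suffixes such as co.uk.
    return ".".join(host.split(".")[-2:])

class ResourceCollector(HTMLParser):
    """Collects every external resource a page tells the browser to fetch."""

    def __init__(self, page_url):
        super().__init__()
        self.site = site_of(urlparse(page_url).hostname)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") if tag in ("script", "img", "iframe") else None
        host = urlparse(src).hostname if src else None
        if not host:  # no src, or a relative URL served by the first party
            return
        # A 1x1 or 0x0 image fetched from a third party is the classic web beacon.
        beacon = tag == "img" and bool({a.get("width"), a.get("height")} & PIXEL_SIZES)
        self.findings.append({"tag": tag, "host": host, "beacon": beacon,
                              "third_party": site_of(host) != self.site})

def third_party_resources(page_url, html):
    """Return the third-party resource calls found on one crawled page."""
    p = ResourceCollector(page_url)
    p.feed(html)
    return [f for f in p.findings if f["third_party"]]

# Constructed sample: an appointment-scheduling page mixing first- and third-party calls.
SAMPLE_URL = "https://portal.clinic.example/appointments"
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.clinic.example/vendor.js"></script>
<script src="https://analytics.tracker.example/collect.js"></script>
<img src="https://pixel.adnet.example/p.gif" width="1" height="1">
<iframe src="https://replay.vendor.example/session"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in third_party_resources(SAMPLE_URL, SAMPLE_HTML):
        print(f["tag"], f["host"], "(beacon)" if f["beacon"] else "")
```

Cookies, session replay and fingerprinting scripts cannot be confirmed from the HTML alone; the flagged hosts are the starting list for reviewing the fetched scripts and the browser's network and cookie activity.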