HIPAA Rules for Online Tracking Technologies

“…entities are not permitted to use tracking technologies… that would result in impermissible disclosures of PHI to tracking technology vendors”

“…impermissible disclosure of an individual’s PHI not only violates the Privacy Rule but may result in a wide range of additional harms to the individual”

“…for example… identity theft, financial loss, discrimination, stigma, mental anguish… negative consequences to reputation, health, or physical safety”

– Office for Civil Rights [OCR] at the U.S. Department of Health and Human Services [HHS]

Unauthenticated Webpage
Tracker Violation Example

Webpages that are typically public facing & do not require user authentication

  • contain advertising trackers (e.g., Google Tag Manager & TikTok)
  • collect first name, last name, email, phone, & password
  • potentially transfer that user data to the tracking vendor, now or later

HIPAA violation = the tracking vendor can obtain PHI about patient appointments

Example “Create An Account” Webpage

User-Authenticated Webpage
Tracker Violation Example

Webpages that require a user login with credentials

  • contain advertising trackers (e.g., Google Tag Manager & TikTok)
  • collect first name, last name, email, phone, & password
  • potentially transfer that user data to the tracking vendor, now or later

HIPAA violation = the tracking vendor can obtain PHI about patient appointments

Example “Create An Account” Webpage

See How Feroot Makes It Doable