The Issue with Data Tracking Technologies
Pixel technology has been used in some controversial ways recently. A recent medical data breach affected 3 million patients at 26 hospitals in the Chicago area. Third parties such as Meta and Google are getting access to patients’ data, which leads to regulatory violations and data privacy lawsuits.
The OCR (Office for Civil Rights) says that regulated entities cannot use tracking technologies in a way that could result in the disclosure of PHI (protected health information) to vendors.
What is Pixel Technology
Most people will accept cookies to clear pop-ups. These files are used by websites to improve browsing by storing usernames and passwords, online shopping carts, and other data. They provide information to marketers so that they can advertise things they think the consumer may want.
Until recently, companies identified consumers by an ID passed through first- or third-party cookies. Now, with pixel tracking, a company’s first-party data is shared with third-party vendors. Interest-based profiles are created, and targeted campaigns are marketed to users. Companies such as Facebook and Google gain a deeper understanding of who you are and what is relevant to your life.
This new way of tracking creates many privacy problems. The Meta pixel knows your name and matches your ID to your social media profile. Even if you do not have a strong online presence, your ID can be matched to your IP address. There is no real way to opt out either.
Another issue is that pixels are found in places where they are not meant to be, such as password-protected patient portals. Privacy issues such as this have caused medical data breaches. For example, Community Health Network, an Indiana-based healthcare system, had to notify 1.5 million individuals of a data breach. One-third of the top hospitals in the US send patient data to third-party media platforms. The data sent can include full names, allergies, and medication details. Patients’ internet searches can also be sent.
On December 1, 2022, the OCR released guidance to regulated entities on the proper use of tracking technologies. The OCR stated that tracking technologies may not be used “in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”
The OCR does not believe that disclosing that a website or app uses tracking technologies is enough. Healthcare entities must also have a business associate agreement in place with any tracking technology vendor that receives PHI. When PHI was shared with a third-party vendor without authorization, covered entities must notify the individuals whose data was shared. The OCR presumes that a breach has occurred unless it can be shown that it is unlikely that PHI was compromised.
Privacy Class Actions
Recently, the number of privacy class actions against Meta has increased, as has the number of healthcare entities using tracking technologies. Pixels are collecting sensitive patient information without the proper disclosures. Vendors such as Facebook claim that sensitive information is filtered out of their data and not used for marketing. Plaintiffs have cited evidence that calls that claim into question.
What Businesses are Affected
Although it is very concerning how pixel tracking is affecting medical data, all industries should be mindful of the impacts. Since the beginning of February 2022, 47 class actions have been filed alleging violations of the Video Privacy Protection Act. States have already enacted more laws on data privacy. Companies that operate internationally also have to be mindful of the General Data Protection Regulation in Europe.
Next Steps for All Organizations
Organizations need to determine whether their websites are using tracking technologies for marketing. If not, the tracking code needs to be removed. Each vendor’s code is removed differently, so removal requires vendor-specific steps. If tracking is being used for marketing, the company needs to determine whether the benefit outweighs the issues and risks. If it decides to keep the technology, it should take a thoughtful approach to its use:
- Know where trackers are used.
- Develop training to improve how the trackers are used.
- Run many tests to ensure that only the data that is actually needed is being collected.
- Ensure that the Privacy Policy explains the use of tracking and makes it simple to opt out.
If a HIPAA-covered entity decides to keep tracking, then a business associate agreement is a must.
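The first of those steps, knowing where trackers are used, can be turned into a repeatable check by inventorying the script includes, inline tracker calls and 1x1 pixel images on each page, and flagging pages that sit behind a login (patient portals) separately. The following is an added example written for this post; it is not code from the author or from Corvus. The signature table and the sample portal page are constructed for the example, and the vendor hostnames and call names (connect.facebook.net, fbq, googletagmanager.com, gtag) are the ones commonly seen in Meta Pixel and Google tag snippets, treated here as an assumption to be extended from the organization’s own vendor list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed signature table (an assumption for this example, not an authoritative
# list): script hosts and inline call names commonly associated with the Meta Pixel
# and Google tag/analytics snippets. Extend it from your own vendor inventory.
TRACKER_SIGNATURES = {
    "Meta Pixel": {
        "hosts": ("connect.facebook.net", "www.facebook.com"),
        "inline": re.compile(r"\bfbq\("),
    },
    "Google Tag/Analytics": {
        "hosts": ("www.googletagmanager.com", "www.google-analytics.com"),
        "inline": re.compile(r"\bgtag\("),
    },
}


def vendor_for_url(url):
    """Return the signature name whose host matches the URL, or None."""
    host = urlparse(url).netloc.lower()
    for vendor, sig in TRACKER_SIGNATURES.items():
        if host in sig["hosts"]:
            return vendor
    return None


class TrackerScanner(HTMLParser):
    """Collects external tracker scripts, inline tracker calls and 1x1 pixel images."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._script_buf = None  # non-None while inside a <script> element

    def _record(self, kind, vendor, location, params=None):
        self.findings.append({"kind": kind, "vendor": vendor,
                              "location": location, "params": params or []})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script":
            self._script_buf = []
            vendor = vendor_for_url(src)
            if vendor:
                self._record("external script", vendor, src)
        elif tag == "img":
            host = urlparse(src).netloc.lower()
            third_party = bool(host) and host != self.page_host
            # A 1x1 image fetched from another domain is the classic tracking pixel;
            # its query string is the data it carries to the vendor.
            if third_party and a.get("width") == "1" and a.get("height") == "1":
                params = list(parse_qs(urlparse(src).query).keys())
                self._record("tracking pixel image",
                             vendor_for_url(src) or "unknown vendor", src, params)
            elif vendor_for_url(src):
                self._record("image", vendor_for_url(src), src)

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            for vendor, sig in TRACKER_SIGNATURES.items():
                if sig["inline"].search(body):
                    self._record("inline script", vendor, sig["inline"].pattern)


def scan_page(html, page_url, authenticated=False):
    """Inventory trackers on one page; 'authenticated' marks pages behind a login."""
    scanner = TrackerScanner(urlparse(page_url).netloc.lower())
    scanner.feed(html)
    scanner.close()
    vendors = sorted({f["vendor"] for f in scanner.findings})
    if not scanner.findings:
        severity = "clear"
    elif authenticated:
        severity = "high"    # third-party code on a page that can display PHI
    else:
        severity = "review"  # public page: confirm a BAA exists or remove the tracker
    return {"page": page_url, "authenticated": authenticated,
            "findings": scanner.findings, "vendors": vendors, "severity": severity}


# Constructed sample: a patient-portal page carrying a Google tag include, inline
# gtag/fbq calls and the Meta Pixel <noscript> image. All IDs are placeholders.
SAMPLE_PORTAL_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<h1>Appointment scheduling</h1>
<img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1" height="1" width="1" style="display:none"/>
<img src="https://portal.example-hospital.test/static/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PORTAL_PAGE,
                       "https://portal.example-hospital.test/appointments", authenticated=True)
    print(report["severity"], report["vendors"])
    for f in report["findings"]:
        print(f"  {f['kind']:<22} {f['vendor']:<22} {f['location']} {f['params']}")
```

Run it against the saved HTML of every page in the site inventory, passing authenticated=True for anything behind the portal login; a “high” result on a portal page is exactly the situation the OCR guidance describes, and the params list on a pixel image shows which fields that request carries to the vendor, which is what a removal or BAA decision needs to be based on.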
How We’re Working with Policyholders
A non-invasive approach throughout the entire policy period is considered best. Keeping a close eye on the organization’s public-facing web infrastructure, software vulnerabilities, and pixel tracking is important. Engaging a risk and response team to monitor pixel tracking and make recommendations could be useful.
Resources:
- If you want to make sure your practice is HIPAA compliant visit: HIPAA Diagnostic® – $100 Challenge
Source:
- Winchester, Lauren. “Tracking Pixel: Everything You Need To Know.” Corvus, 9 Dec. 2022, www.corvusinsurance.com/blog/tracking-pixel-everything-you-need-to-know. Accessed 16 Feb. 2023.