Protected Health Information Disclosed by Website Technology

Share This Post

Certain website technologies may be at risk of sharing protected health information. The Office of Civil Rights at the U.S. Department of Health and Human Services (HHS) released a bulletin warning that certain website tracking technologies may violate the Health Insurance Portability and Accountability Act (HIPAA).

Tracking technologies include but are not limited to cookies, replay software, and tracking pixels. Third parties may use these technologies to collect data about users, but they can also help websites run more effectively.

How do Trackers Collect Protected Health Information?

Tracking technologies collect data from different types of web pages. User-authenticated web pages require individuals to log in. Patients use these types of web pages to access telehealth services or private information. HHS notes that tracking of protected health information on these websites must comply with HIPAA privacy rules.

However, trackers can also collect protected health information from unauthenticated web pages. These web pages contain general information, such as provider locations and services, but also information about health conditions or symptoms. Trackers can use information like this to identify website visitors and piece together what condition an individual may have. HHS is worried that this kind of data collection may potentially expose the protected health information of users.

How to Keep Protected Health Information Secure

Staying compliant with HIPAA laws is the best way to secure patient information. Entities covered under HIPAA should consider entering into business associate agreements with any third parties using cookies on their websites. A business associate agreement ensures third parties must comply with HIPAA rules.

Additionally, covered entities should consider tracking technologies when conducting risk analyses. They should implement protections to secure patient information after the risk assessment. Covered entities can encrypt data and implement user authentication to protect patient information.

Get Certified

American Medical Compliance (AMC) is a leader in the industry for compliance, billing, and HR solutions. Learn more about ensuring your practice is compliant with HIPAA by taking AMC’s HIPAA Regulations and Cybersecurity Training for Healthcare Personnel course today. Visit for more information.


JD Supra (2022, December 6). HHS Warns HIPAA Covered Entities and Business Associates That Use of Website Cookies, Pixels and Other Tracking Technology May Violate HIPAA Rules. Retrieved from:

More To Explore

Want to Improve your Bottom Line, Patient Satisfaction and Retention?

Reach out and See How We Can Help!

Connect With Us

© 2024American Medical Compliance | All Rights Reserved