We have seen tracking technologies addressed by HHS in the past. (Find HHS’ article on the topic here) However, the topic is getting more attention now that Cyber Insurance providers are beginning to ask questions surrounding these tools. HHS explains that tracking technologies are being used to assess website and app activity. These technologies are collecting information from anyone that interacts with the website or app. The information can be collected by “cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.” This is an issue for covered entities if these trackers are collecting data that includes ePHI. The tracking technology could be collecting information like addresses, dates of appointments, medical record numbers or medical device IDs.

Just about every web application has some amount of these tools available and these tools must be added to the software in a way that does not share protected data with the tracking provider.

All that said, the best place to start is getting a handle on how much risk your organization has today. To begin assessing your risk, you will want to take a few steps:

  • Work with your team and business partners to generate a list of all web applications that are possible for a patient to interact with or could house PHI:
    • Marketing websites, bill pay, patient portals, web based medical records systems, etc.
  • Document who wrote, owns, hosts, and manages each application.
  • Check with the relevant parties to determine if any tracking applications are used and what data they access:
    • Ensure appropriate agreements are in place for any of these where PHI may be disclosed as HHS has deemed that the tracking technology de-identifying the material on their end still unauthorized access.
  • Follow internal policies and processes for breach notification if the need arises.
  • Maintain the list of what web applications patients are expected to use, who owns them, and what tracking software is used within them and periodically confirm that data is still accurate.
  • Determine who owns the responsibility for breach notification and collecting authorizations.

(HHS does not consider web-based notification to be acceptable (e.g., pop ups with “this web site uses cookies”), while cyber insurance companies may have different requirements.)