The U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA). OCR recently released updated HIPAA guidelines for companies collecting data on how users interact with their websites and/or mobile apps. This marks the first time the agency has opined on the matter since HIPAA was signed into law in 1996.
We examine how the update impacts:
HHS states:
Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
HIPAA provides data privacy and security provisions for safeguarding patient health records and medical information.
HIPAA requires that this information be protected from disclosure and misuse. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) expanded HIPAA to cover all business associates with access to health information, which includes marketing data, operations, and call tracking providers.
PHI generally refers to information such as demographic information, medical histories, testing and laboratory results, mental health conditions, insurance information, and other sensitive data that a healthcare provider collects to identify an individual and determine appropriate care.
Tracking technologies are pieces of software code used to gather information about users as they interact with websites or apps. Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts to track and collect information from users. This information is analyzed and used to help improve and refine the customer journey. These technologies can track online behavior such as site conversions, web traffic, and more. While there are many different uses for tracking technologies, in digital marketing they can provide insights for advertisers to improve campaign planning, targeting, and optimization. However, this can pose an issue for data protected by HIPAA.
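Before a regulated entity can judge whether a tracker might disclose PHI to a vendor, it needs an inventory of which third-party pixels and scripts its pages actually load and what those requests carry. The following audit helper is an added example and is not PulsePoint's code; it uses only the Python standard library, and the sample patient-portal page, the vendor hostnames, and the list of suspect query-string keys are all constructed for illustration.

```python
"""Inventory tracking technologies embedded in a page before PHI can reach a vendor.

Added example, not PulsePoint's code: parses an HTML document with the standard
library and reports third-party tracking pixels, scripts and iframes, plus any
tracker URL whose query string carries parameters that look like patient data.
The sample page and vendor hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-string keys that should never ride along on a tracker request from a
# regulated entity's page (assumption: an illustrative list, not HHS guidance).
SUSPECT_PARAMS = {"diagnosis", "condition", "dob", "mrn", "patient_id", "email"}


class TrackerInventory(HTMLParser):
    """Collects <img>, <script> and <iframe> elements that load third-party resources."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []  # one dict per third-party resource found

    def _is_third_party(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.first_party_host

    @staticmethod
    def _looks_like_pixel(attrs):
        # A 1x1 (or 0x0) image, or one hidden via inline style, is the classic tracking pixel.
        w = (attrs.get("width") or "").strip()
        h = (attrs.get("height") or "").strip()
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return (w in {"0", "1"} and h in {"0", "1"}) or "display:none" in style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag not in {"img", "script", "iframe"} or not src or not self._is_third_party(src):
            return
        kind = "pixel" if tag == "img" and self._looks_like_pixel(attrs) else tag
        params = parse_qs(urlparse(src).query)
        suspect = sorted(k for k in params if k.lower() in SUSPECT_PARAMS)
        self.findings.append({
            "kind": kind,
            "host": urlparse(src).hostname,
            "suspect_params": suspect,
        })


def audit_page(html, first_party_host):
    """Return the third-party trackers found in `html`, each with any suspect query parameters."""
    parser = TrackerInventory(first_party_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: a patient-portal page that embeds an analytics script,
# a conversion pixel whose URL repeats the patient's condition, and a first-party image.
SAMPLE_HTML = """
<html><body>
  <img src="https://portal.example-clinic.test/logo.png" width="120" height="40">
  <script src="https://analytics.example-vendor.test/tag.js"></script>
  <img src="https://ads.example-vendor.test/conv?campaign=spring&condition=diabetes&dob=1980-01-01"
       width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "portal.example-clinic.test"):
        flag = " <-- PHI-like parameters in tracker URL" if f["suspect_params"] else ""
        print(f"{f['kind']:7} {f['host']:35} {f['suspect_params']}{flag}")
```

Run against the sample, the script reports the vendor analytics tag as a plain script and the 1x1 conversion image as a pixel whose URL carries `condition` and `dob`, which is exactly the kind of disclosure the HHS guidance says a regulated entity may not make. Static parsing only sees what is in the served HTML; trackers injected later by JavaScript need a browser-side or network-level inventory, so treat this as a first pass rather than a complete audit.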
According to the HHS:
The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI).
HHS and OCR highlight the following requirements for healthcare providers to ensure HIPAA-compliance and safeguard PHI when tracking online behavior:
At PulsePoint, we continue to evolve our solutions and technology to comply with changing legislation, address privacy concerns, and navigate evolving technology. We take data management, data privacy, and security seriously. While we can’t predict the future, we are committed to helping brands better understand and reach health audiences through a deep understanding of data and technology.
Our privacy policy explains our practices regarding the collection, use, and disclosure of information on our media activation platform.
PulsePoint is a longstanding member of the Network Advertising Initiative (NAI) and adheres to the industry self-regulatory guidelines of:
(i) the NAI Code of Conduct;
(ii) the Digital Advertising Alliance;
(iii) the European Digital Advertising Alliance; and
(iv) the policies of the IAB EU Transparency & Consent Framework.
PulsePoint continues to implement and update our processes and policies as required to comply with legislation and regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
PulsePoint collects Non-PII through technologies such as “cookies” and “pixel tags” (which are also called clear GIFs, web beacons, or pixels). “Cookies” are small data files that are stored by your web browser on your computer. When you visit a webpage, the cookie sends back Non-PII. “Pixel tags” are small graphic images (usually invisible) that can be embedded in content and ads on a webpage that track usage of our websites and effectiveness of communication. These pixel tags can then be used to recognize PulsePoint’s cookies and to monitor certain user interactions with a website.
Cookies and these other technologies are important and useful because they allow us to recognize your device and remember information about you, such as your preferred language and other general settings. Most of the cookies are stored in your browser, which usually gives you the ability to manage them (though browsers for mobile devices may not offer this possibility).
A user has several choices when it comes to opting out of the collection of information about their web browsing activities through cookies. For additional information, please review our Cookie Policy.
We support transparency of data use to empower an individual’s rights over their information. We do not collect sensitive data, and in exchange for any non-sensitive personal information that is collected, we provide relevant information and health resources so that consumers benefit directly. Consumers are also able to opt out of data collection at any time.
While PulsePoint’s technologies are built for healthcare, we are committed to self-regulation in addition to adhering to government regulations. To achieve this, we instill best-in-class analytics and quality practices into data acquisition, processing and reporting.
If you would like to learn more about or discuss the implications of placing pixels on your website for your media campaigns, contact us here.