
Pixel Tracking: Avoiding HIPAA Violations

Written by Allen Blount, National Cyber & Technology Product Leader | Apr 25, 2023 5:30:00 PM

Capturing customer data is a popular practice, with websites using the information to generate revenue or conduct market research. One method of data capture, known as "pixel tracking," collects and tracks user information from web pages and from marketing, newsletter, and transactional emails. Already in widespread use, pixel tracking has raised concerns in the healthcare industry because it can indirectly expose patients' protected health information (PHI). Exposing PHI this way can run afoul of the Health Insurance Portability and Accountability Act (HIPAA).

How Pixel Tracking Works

Pixel tracking – also known as web beacon tracking or pixel tags – involves embedding a small bit of code (often an invisible one-by-one-pixel image or a short script) into a web page or email. When the content is loaded, or when the user interacts with it, that code makes a request to a server operated by the tracking vendor. Because the user's own browser or mail client makes the request, the server learns the user's IP address, browser type, and device details, along with whatever the code attaches to the request: typically the address of the page being viewed, the referring page, and behavioral data such as clicks or form submissions. Marketers use the information to analyze user behavior, personalize advertising, or measure an advertising campaign's effectiveness.
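The script below is an added example, not code from the original post or from Risk Strategies. It shows the mechanism described above from the auditor's side: save a HAR file (the network log the browser's developer tools can export) while browsing patient-facing pages, then scan it for requests to third-party hosts that look like beacons and report what each one carries in its query string, POST body, and Referer header. The first-party hostname clinic.example, the tracker hostnames, and the sample HAR entries are constructed for illustration, and the lists of beacon paths and sensitive parameter names are an assumed starting heuristic, not an exhaustive vendor signature set.

```python
"""Added example: audit a browser HAR export for third-party tracking pixels.

Export a HAR from the browser's developer tools while walking the patient-
facing pages, then run this script against it. Every request to a host
outside the first-party domain is inspected; requests that look like beacons
(tiny image fetches or collection endpoints) are reported along with any
page path or parameter that could tie the visitor to a care context.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed hostname of the site under review (constructed for this example).
FIRST_PARTY = "clinic.example"

# Heuristics, not an exhaustive vendor signature set.
PIXEL_EXTENSIONS = (".gif", ".png")
BEACON_PATHS = ("/tr", "/collect", "/pixel", "/beacon")
SENSITIVE_KEYS = {"email", "em", "phone", "ph", "name", "dob", "mrn", "patient_id"}
SENSITIVE_PATH_HINTS = ("/appointments", "/patient-portal", "/results", "/conditions")


def is_third_party(host, first_party=FIRST_PARTY):
    """True unless the host is the first-party domain or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))


def looks_like_beacon(url):
    """Tiny image fetches and well-known collection paths are treated as beacons."""
    path = urlsplit(url).path.lower()
    if path.endswith(PIXEL_EXTENSIONS):
        return True
    return any(path.endswith(p) or path.startswith(p + "/") for p in BEACON_PATHS)


def header_value(headers, name):
    """Case-insensitive lookup in a HAR header list."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return ""


def audit_entry(entry, first_party=FIRST_PARTY):
    """Return a finding dict for a third-party beacon request, else None."""
    req = entry["request"]
    url = req["url"]
    host = urlsplit(url).hostname or ""
    if not is_third_party(host, first_party) or not looks_like_beacon(url):
        return None

    # Data leaves in the query string, in a form-encoded POST body, and in
    # the Referer header the browser adds on its own.
    params = dict(parse_qsl(urlsplit(url).query))
    post = req.get("postData", {})
    if post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
        params.update(dict(parse_qsl(post.get("text", ""))))
    referer = header_value(req.get("headers", []), "Referer")

    findings = set()
    for value in [referer, *params.values()]:
        if any(hint in value for hint in SENSITIVE_PATH_HINTS):
            findings.add("leaks page path: " + value)
    for key in params:
        if key.lower() in SENSITIVE_KEYS:
            findings.add("sensitive parameter: " + key)
    return {"host": host, "url": url, "findings": sorted(findings)}


def audit_har(har, first_party=FIRST_PARTY):
    """Scan every entry in a parsed HAR and collect the beacon findings."""
    results = []
    for entry in har["log"]["entries"]:
        finding = audit_entry(entry, first_party)
        if finding:
            results.append(finding)
    return results


def load_har(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample: a scheduling page that loads a tracking pixel and a
# portal login that posts form data to an ad endpoint. Not captured traffic.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://clinic.example/appointments/schedule?dept=oncology",
                 "headers": []}},
    {"request": {"method": "GET",
                 "url": "https://tracker.example/pixel.gif?dl=https%3A%2F%2Fclinic.example"
                        "%2Fappointments%2Fschedule%3Fdept%3Doncology&ua=Mozilla",
                 "headers": [{"name": "Referer",
                              "value": "https://clinic.example/appointments/schedule?dept=oncology"}]}},
    {"request": {"method": "POST",
                 "url": "https://ads.example/tr",
                 "headers": [{"name": "Referer",
                              "value": "https://clinic.example/patient-portal/login"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "ev=Lead&em=jane%40example.com&ph=5551234567"}}},
    {"request": {"method": "GET", "url": "https://cdn.clinic.example/logo.png",
                 "headers": []}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding["host"], "->", "; ".join(finding["findings"]))
```

On the constructed sample the first-party page load and the first-party CDN image are ignored, while the pixel on the scheduling page is reported because both its Referer header and its `dl` parameter carry the appointment URL, and the ad endpoint is reported for the portal path plus the `em` and `ph` form fields. Run it against a HAR saved from a session that walks the scheduler, the portal login, and a few condition pages; every host in the output is a vendor the marketing team needs to account for, and every finding is data the organization must be able to justify sending to that vendor.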

Violating HIPAA

Pixel tracking can result in HIPAA violations because the data it collects may include PHI. The exposure is often indirect: a pixel ties an identifiable visitor (by IP address, cookie, or logged-in account) to a healthcare context, such as the appointment type they scheduled or the condition page they read. If healthcare organizations use pixel tracking without sufficient safeguards, they can inadvertently expose patients' PHI, violating HIPAA standards and resulting in hefty fines, damage to the organization's reputation, and loss of patients' trust. Pixel tracking can also open the door to unauthorized third parties obtaining sensitive healthcare data, making patients vulnerable to identity theft and other forms of financial fraud.

The practice has prompted aggressive law firms to file lawsuits in an effort to hold healthcare organizations accountable for potential breaches of privacy. While some healthcare organizations may argue that they have met the requirements, evolving regulatory guidance on tracking technologies calls for increased vigilance. Hospitals must take proactive measures to ensure the security of patient data and prevent further violations of privacy.

Staying Ahead of Litigation

Amid growing concerns over privacy violations and data breaches, insurance carriers have started introducing policy exclusions that remove coverage for claims arising from pixel or Meta Pixel tracking. This move has raised the alarm for healthcare organizations, which could be left to bear expensive litigation costs themselves.

To avoid such scenarios, organizations can implement the following proactive measures to reduce pixel tracking litigation risk and stay in line with guidance from the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC):

  • Implement HIPAA policies and procedures: These policies should be thoroughly documented and kept up to date to ensure that all employees understand and adhere to the rules governing the handling of PHI.
  • Enable webpage cookie consent banners: Ensure the banner clearly explains the types of cookies used, including tracking cookies, and allows users to opt out, for transparency and user control. The banner must actually block tracking scripts and pixels from loading until consent is given; a banner that displays while the pixel fires in the background offers no protection.
  • Conduct risk assessments: Inventory the tracking technologies on patient-facing pages, portals, and emails, and identify where they can receive PHI. This reveals areas of vulnerability and helps healthcare organizations develop a comprehensive compliance plan.
  • Keep employees up to date: Regular HIPAA training is crucial for all employees who handle PHI. Employees can better understand their role in safeguarding PHI and ensure compliance with HIPAA rules by staying on top of the latest regulations and guidelines.
  • Have a breach plan in place: Organizations must be prepared to act quickly and effectively to minimize damage and protect patient privacy. Have a well-documented breach response plan in place that outlines specific procedures and protocols for identifying, containing, and mitigating the effects of a breach.

Keeping Informed and in the Loop

Healthcare organizations must communicate with their marketing teams and vendors to verify whether pixel tracking is being used to collect user data. Even if an organization uses third-party software, it remains responsible if a patient's PHI is breached. Proactive measures reduce the risk of litigation and breaches, and audits conducted by legal teams can catch risks that internal reviews miss. Regularly meeting with a broker and staying informed about cyber policy renewals can also assist healthcare organizations in their efforts to prevent litigation and protect patient privacy.

Want to learn more?

Find Allen on LinkedIn.

Connect with the Risk Strategies Cyber team at cyber@risk-strategies.com.

About the author

Allen Blount leads the Cyber Team at Risk Strategies. He specializes in both cyber insurance and tech E&O (errors and omissions). Prior to this role, he spent 12 years with Zurich North America, gaining extensive experience as a Cyber and Professional Liability Underwriting Manager. Before his insurance career, he practiced law.