What Constitutes a HIPAA Violation on a Website?

The Role of PHI in HIPAA Compliance

If you work in healthcare, you understand that HIPAA compliance is vital. However, in today’s digital age, it has become increasingly difficult to understand what constitutes a HIPAA violation, especially online. You may be inadvertently violating HIPAA if your website collects, stores, displays, or transmits any protected healthcare information (PHI).

What is Protected Healthcare Information (PHI)?

According to the Department of Health and Human Services (HHS), PHI is information, including demographic data, that relates to:

  • An individual’s past, present or future physical or mental health or condition, combined with
  • Providing health care to the individual, or combined with
  • The past, present, or future payment for providing health care to the individual

This definition of PHI refers broadly to all activities and interactions involved in healthcare services, from submitting a form or scheduling an appointment to an in-office or telemedicine visit.

PHI includes common identifiers such as name, address, birth date, and social security number. Any trackers you have on your website will record IP addresses. This is important to note, as HHS considers IP addresses to be PHI*. If your organization is doing any sort of web analytics or digital marketing, or even has forms and videos embedded on your site, you are probably tracking IP addresses alongside health care information. Violating HIPAA could put your company at risk of fines, criminal prosecution, and lawsuits.

* Note: On June 20, 2024, the U.S. District Court for the Northern District of Texas vacated the portion of the HHS guidance that held that combining an individual’s IP address with a visit to an unauthenticated public web page violates HIPAA.

PHI identifiers

According to HHS, the following identifiers must be removed for data to count as de-identified.

Names

Any full or partial name that can be linked to an individual.

Geographic information

All subdivisions smaller than a state, including street addresses, cities, counties, precincts, and ZIP codes (and their equivalent geocodes). However, you may retain the first three digits of a ZIP code if:

  • The area formed by all ZIP codes sharing those three initial digits has a population of more than 20,000 people.
  • Where that population is 20,000 people or fewer, the initial three digits are changed to 000.

Dates

Birthdates, admission dates, discharge dates, death dates, and exact age for individuals over 89.

Contact information

Telephone numbers, fax numbers, and email addresses.

Vehicle & device identifiers

Any vehicle identifiers, such as vehicle identification numbers (VINs) and license plate numbers. You must also de-identify medical device IDs and any serial numbers.

Unique personal identifiers

Social security numbers, medical record numbers, health plan beneficiary numbers, and any account numbers.

Web & Internet identifiers

URLs, IP addresses, and URL parameters that can be linked to an individual.

Biometric data

Fingerprints, voice prints, or any other unique biological identifiers.

Photographs & images

Full-face photographs or any other identifiable images.
Common types of trackers that can violate HIPAA

Web analytics is a useful tool for any business. It’s important to understand how your customers are using your website so you can better serve their needs. However, healthcare organizations have to be more diligent about which website trackers they use to collect this data. The following are common trackers that can violate HIPAA.

Web Analytics Platforms

Platforms such as Google Analytics and Adobe Analytics are measurement tools for your website or app. Although these analytics tools are important for obtaining insights about your business, they are not HIPAA-compliant and do not offer Business Associate Agreements (BAAs), which HIPAA requires whenever PHI is shared with a service that is not itself a covered entity, such as Google Analytics.

While Google Analytics does not collect and store IP addresses, it does use IP addresses to derive coarse geolocation data.

Ads Platforms

Google Ads, Meta Ads, and Microsoft/LinkedIn Ads are some of the most popular ads platforms, and they may be valuable tools for your business growth. However, to understand how well your ads are performing and how they contribute to your business’s success, you need to implement conversion tracking. Common tracking mechanisms include the Meta Pixel, the Google Ads Tag, the Microsoft UET Tag, UTM parameters, and first- and third-party cookies, each of which sends visitor data back to the ads platform.

Embedded Videos

YouTube and Vimeo are two of the largest video hosting websites. Embedding relevant videos on your website is generally a great way for your customers to learn about your business and products. It’s easy to assume that embedding a video would not affect HIPAA compliance. However, both YouTube and Vimeo collect data when a user clicks and watches the video. The combination of healthcare information and tracking makes embedded video non-compliant with HIPAA. However, there are many options, including self-hosting, that help your embedded videos remain compliant.

Note: Vimeo does offer BAAs with their Enterprise package. YouTube, similar to most other Google products, does not sign BAAs.

Embedded Maps

Embedding live maps on your website offers customers a convenient, quick way to see where your business is located. Google Maps is the most popular product and, just like most Google products, is not HIPAA-compliant.

Web Forms

Forms are a great way for your customers to contact your organization for any number of reasons. If you have a form on your website, you must make sure that the form is HIPAA-compliant. By default, most forms are not. Common reasons include the lack of end-to-end encryption, HIPAA-compliant servers, or a signed BAA; the presence of health-related questions; and tracking of form submissions with tags, pixels, or cookies.

URL Parameters

URL parameters can inadvertently transmit PHI to your analytics platform, such as Google Analytics. Query parameters append extra data to a web address and can carry information such as the user’s location. Combined with any health-related information, this can be enough to violate HIPAA guidelines.
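As an added example that is not code from the article, the following JavaScript helper strips PHI-bearing query parameters from a page URL and applies the three-digit ZIP-code Safe Harbor truncation described under "Geographic information" before the URL is handed to an analytics tag. The parameter names and the restricted ZIP prefixes are assumed placeholders, not an HHS or Census list.

```javascript
// Added example (not from the original article): scrub PHI from a page URL
// before it is reported to an analytics platform.

// Query parameter names that commonly carry PHI identifiers (assumed names).
const PHI_PARAMS = new Set([
  "name", "first_name", "last_name", "email", "phone", "dob", "mrn",
  "ssn", "patient_id", "appointment_date", "condition",
]);

// Three-digit ZIP prefixes whose combined area has 20,000 people or fewer
// must become "000" under the Safe Harbor rule. This set is a constructed
// placeholder; the real list is derived from Census population data.
const RESTRICTED_ZIP3 = new Set(["036", "059", "102"]);

// Keep only the first three digits of a ZIP code, or "000" when the prefix
// is restricted or the value is not a usable ZIP.
function deidentifyZip(zip) {
  const digits = String(zip).replace(/\D/g, "");
  if (digits.length < 5) return "000";
  const zip3 = digits.slice(0, 3);
  return RESTRICTED_ZIP3.has(zip3) ? "000" : zip3;
}

// Return a copy of the URL that is safe to send to analytics: PHI parameters
// are dropped, ZIP parameters are generalised, other parameters are kept.
function scrubUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const k = key.toLowerCase();
    if (PHI_PARAMS.has(k)) continue;            // drop identifiers outright
    if (k === "zip" || k === "postal_code") {   // generalise location
      clean.set(key, deidentifyZip(value));
      continue;
    }
    clean.set(key, value);                      // e.g. utm_source is fine
  }
  url.search = clean.toString();
  return url.toString();
}

// Constructed sample: a booking page URL with a ZIP, an MRN and a birth date.
const SAMPLE = "https://clinic.example/book?zip=02139&mrn=12345&utm_source=ads&dob=1990-01-01";
console.log(scrubUrlForAnalytics(SAMPLE)); // https://clinic.example/book?zip=021&utm_source=ads
```

Call `scrubUrlForAnalytics(location.href)` and pass the result as the page location to the analytics tag instead of the raw URL.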

How to maintain a HIPAA-compliant website

To ensure your healthcare organization remains HIPAA-compliant, it is vital to be aware of how trackers collect and store PHI. If trackers are not properly implemented and managed, you run the risk of HIPAA violations and even penalties.

Many healthcare organizations unknowingly violate HIPAA through the use of web analytics and embedded content on their website. We can help you audit your website for any non-compliance. We offer an all-in-one solution that helps you continue your analytics and marketing efforts without violating HIPAA regulations. Find out how to remain HIPAA-compliant.

Posted in Healthcare