Hidden Privacy Concerns
Healthcare organizations operate in one of the most highly regulated environments. With evolving compliance requirements and a dynamic threat landscape, providers are constantly challenged by new and emerging cyber- and privacy-related risks. Over the past year, some of the most pressing concerns have stemmed from the use of advertising technologies, such as pixels. Pixels are snippets of code embedded in websites for marketing purposes. The data they collect is valuable for marketing departments and can assist healthcare providers with making more informed decisions on how they access patients and provide care. However, for the healthcare industry, these tools carry a significant and unseen privacy risk.
How Are Tracking Technologies Impacting Healthcare?
In December 2022, the Department of Health and Human Services’ Office of Civil Rights (OCR) issued a bulletin noting that covered entities cannot use online tracking technologies in ways that may reveal ePHI to tracking technology vendors or otherwise violate HIPAA regulations. Since the bulletin was released, providers using pixels and other advertising tools have faced increased regulatory scrutiny and potential lawsuits. Many of these lawsuits have been brought as class actions, exposing healthcare organizations to significant financial penalties and reputational damage.
Healthcare providers need to evaluate the advertising benefits obtained from using web tracking tools against the inherent privacy risk if they are not in compliance with the OCR’s guidelines. Organizations should take the following measures to proactively mitigate risk:
- Stay up to date on HIPAA policies and procedures and work only with HIPAA-compliant tracking vendors.
- Review your online tracking practices and conduct regular risk assessments to identify potential exposures.
- Obtain individuals' consent or authorization before using tracking technologies to store their information.
- Always apply the minimum necessary rule for PHI on marketing materials and websites.
- Educate all staff on HIPAA regulations and tracking best practices.
- Implement a data breach action plan to minimize damage if a breach does occur.
While litigation issues surrounding pixel tracking are complex and evolving, providers may see some positive tailwinds. This past June, a US District Court Judge ruled in favor of various parties, finding that the bulletins regarding web tracking technologies were unlawful. It is too early to determine whether this will impact the litigation landscape; however, multiple healthcare associations support the ruling, and additional support is expected.
How RCM&D Can Help
When addressing coverage concerns for healthcare clients, it is essential that both cyber and privacy risks are carefully assessed. Cyber policies can provide coverage for wrongful or unlawful collection of data in violation of privacy laws, but policy language varies by insurer. Understanding potential exclusions is crucial to avoid any coverage gaps. RCM&D’s cyber practice specializes in placing coverage for healthcare entities with complex risk profiles. Our team helps identify, mitigate and manage risks to protect your organization.
Reach Out to an Advisor
Contact an RCM&D advisor to discuss your organization’s cyber insurance needs.