Recent Settlement Highlights HIPAA Risks of Website Tracking Technologies
Health centers should exercise increasing caution when using website tracking technologies, such as browser fingerprints, cookies, and web beacons, particularly in light of recent enforcement activity.
In a recent settlement, LCMC Health Holdings and Louisiana Children’s Medical Center agreed to resolve allegations that the organization implemented tracking codes on its website and patient portal that transmitted patient information to third parties, including Facebook and Google, without patient knowledge or consent. According to the settlement, LCMC Health allegedly deployed Meta Pixel and similar tools that tracked, recorded, and disclosed protected health information to these platforms.
LCMC Health is not the first or only provider to utilize tracking technologies on their website and patient portal. The Office for Civil Rights (OCR) previously issued guidance addressing the growing use of tracking technologies in the health care sector, cautioning organizations about potential HIPAA risks. Although a court later vacated portions of that guidance, the core compliance considerations remain highly relevant.
Under the current regulatory landscape, health care organizations may use tracking technologies on publicly accessible portions of their websites that do not require user login (“non-authenticated pages”) without violating HIPAA rules. However, stricter requirements apply in authenticated environments.
If covered entities use tracking technologies on website pages that require login access, such as patient portals or other secure applications (“authenticated pages or applications”), the vendor supporting those tools must enter into a HIPAA-compliant business associate agreement (BAA). If there is no BAA, organizations must obtain valid HIPAA authorization from individuals before collecting or disclosing their information through such technologies.
Key Takeaway
Health centers should closely monitor ongoing regulatory developments and enforcement trends related to website tracking tools. If your health center currently uses tracking code technology, such as cookies, browser fingerprints, or web beacons, it is important to review your website to ensure that authenticated pages are not equipped with such technologies unless a HIPAA-compliant business associate agreement is in place. Failure to do so may result in a HIPAA violation.
For questions about your health center’s HIPAA obligations related to website tracking technologies, please contact Adam Falcone or Natalie Lesnick.



