HHS bulletin clarifies when pixel tracker use may violate HIPAA

The Biden administration has issued a bulletin warning that pixel trackers may come up against federal privacy law.

Healthcare organizations regulated under the Health Insurance Portability and Accountability Act (HIPAA) may use third-party tracking tools, such as Google Analytics or Meta Pixel, to perform analysis on data key to operations. What they can't do, however, is use these tools in a way that may expose patients' protected health information to these vendors, according to the bulletin from the Department of Health and Human Services' Office for Civil Rights (OCR).

For example, a healthcare organization cannot allow a third-party entity to access protected data for marketing purposes without HIPAA-compliant approval from patients, OCR said.

Facebook parent company Meta's Pixel has been the source of controversy in the industry in recent months as multiple health systems revealed that the tool led to patient data being shared with multiple third-party companies. Advocate Aurora Health System, for example, revealed that sensitive health data on 3 million patients may have been compromised and shared with vendors.

The tech giant's Pixel tool was found on the websites of about a third of the nation's largest hospitals, according to an investigation from The Markup.

In the bulletin, OCR warned providers that using pixel-tracking tools in patient portals could constitute a HIPAA violation. Entities covered by HIPAA can't use these tools if they'll be used to transmit patient data without their knowledge, and they're required to enter into business associate agreements with the vendors of these technologies to ensure HIPAA compliance.

OCR said this extends to protected health information collected through mobile apps as well.

“Providers, health plans and HIPAA-regulated entities including technology platforms must follow the law. This means considering the risks to patients’ health information when using tracking technologies,” said OCR Director Melanie Fontes Rainer in a press release. “Our Bulletin answers questions for those using tracking technologies, importantly how to protect the privacy and security of the health information they hold.”