Why Are Healthcare Websites Still Playing with Fire? Ditch The Pixels

The Hidden Problem with Healthcare Websites


Research by Lokker has found that at least 33% of healthcare websites still have the Facebook Tracking Pixel embedded in their website.


The study found that one-third of the healthcare sites analyzed still use the Meta Pixel, despite the legal penalties, data breaches and fines associated with HIPAA non-compliance.


While Lokker analyzed larger healthcare websites in the United States, I think this is probably the tip of quite an unsightly iceberg if we include the millions of SME healthcare websites, from doctors through to mental health and psychiatric services.


The use of Analytics and tracking tools is now an enforcement priority for OCR. The best time to look at this is now.


Healthcare Practitioners need to understand what information is being collected by analytics software and plugins, whether it is covered by HIPAA, and then act based on that analysis.


What does this actually mean for Healthcare Websites?


It means it’s not just the big players that are under scrutiny.


OCR does not discriminate by an organization's size. SME healthcare websites are just as liable as large corporations, and the penalty tiers are the same; larger organizations simply tend to accumulate more violations.


The use of self-built, outdated websites littered with tracking pixels, Facebook widgets and social-media follow buttons among SME enterprises in the healthcare sector reveals a concerning disregard for the complexities of data privacy and security. It is hard to view it any other way.


The notion that ignorance is not a defense holds particularly true in this context. Reliance on Wix or similar website builders often leads to security gaps and HIPAA non-compliance that are easy for an outsider to spot.


But I’m Fine Because I’ve Got a Tracking Consent Banner or Disclaimer…


Well, no. That’s not going to fly. According to OCR guidance, “the use of a banner on a website advising visitors about the use of tracking technologies does not constitute a valid HIPAA authorization.”


These consent banners often do not function as intended (tags fire before the visitor answers, or regardless of the answer), and techniques such as browser fingerprinting usually sit outside what the consent tool controls at all.


The most common analytics trackers on Healthcare websites are:


  • Google (googletagmanager.com, doubleclick.net, google-analytics.com, google.com, googleapis.com, youtube.com)
  • Meta (facebook.com, facebook.net)
  • ICDN (icdn.com)
  • Microsoft (linkedin.com)
  • Adobe Analytics (adobe.com)
  • Hotjar (hotjar.com)
  • Crazy Egg (crazyegg.com)
  • Mixpanel (mixpanel.com)
  • Clicky (clicky.com)
  • Piwik/Matomo (matomo.org)
  • Quantcast (quantcast.com)
  • Salesforce Marketing Cloud (salesforce.com)
  • HubSpot (hubspot.com)
  • Heap (heap.io)
  • Chartbeat (chartbeat.com)
  • Optimizely (optimizely.com)
  • Kissmetrics (kissmetricshq.com)
  • VWO (vwo.com)
  • SEMrush (semrush.com)
  • Server logs (first-party, but the page URLs and IP addresses recorded there can still be PHI)
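The audit this article calls for starts with an inventory of what a page actually loads, and the domain list above is the checklist. The following is an added example, not code from the article or from HIPAA Digital: a standard-library Python scanner that parses one HTML page and reports every script, image, iframe and stylesheet whose host matches a vendor in that list, plus the inline Meta Pixel and Google tag bootstrap calls that often have no `<script src>` to match. The sample page, the vendor names used as dictionary keys, the placeholder pixel and tag IDs and the function names are all constructed for this demo.

```python
"""Offline tracker audit for one HTML page (added example; standard library only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor -> domains, taken from the article's list of common trackers.
TRACKER_DOMAINS = {
    "Google": ["googletagmanager.com", "doubleclick.net", "google-analytics.com",
               "google.com", "googleapis.com", "youtube.com"],
    "Meta": ["facebook.com", "facebook.net"], "ICDN": ["icdn.com"],
    "Microsoft": ["linkedin.com"], "Adobe Analytics": ["adobe.com"],
    "Hotjar": ["hotjar.com"], "Crazy Egg": ["crazyegg.com"],
    "Mixpanel": ["mixpanel.com"], "Clicky": ["clicky.com"],
    "Piwik/Matomo": ["matomo.org"], "Quantcast": ["quantcast.com"],
    "Salesforce Marketing Cloud": ["salesforce.com"], "HubSpot": ["hubspot.com"],
    "Heap": ["heap.io"], "Chartbeat": ["chartbeat.com"], "Optimizely": ["optimizely.com"],
    "Kissmetrics": ["kissmetricshq.com"], "VWO": ["vwo.com"], "SEMrush": ["semrush.com"],
}
# Inline bootstrap calls that betray a tracker even when its loader is injected at runtime.
INLINE_CALLS = [
    (re.compile(r"""fbq\(\s*['"]init['"]"""), "Meta"),       # Meta Pixel
    (re.compile(r"""gtag\(\s*['"]config['"]"""), "Google"),   # Google tag / GA4
]
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


def vendor_for_host(host):
    """Vendor whose domain equals `host` or is a parent of it; None if first-party."""
    host = host.lower()
    for vendor, domains in TRACKER_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return vendor
    return None


class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (kind, vendor, evidence)
        self._script = None      # text of the <script> being read, if any

    def _check_url(self, kind, url):
        vendor = vendor_for_host(urlparse(url).hostname or "")  # relative URL -> no host
        if vendor:
            self.findings.append((kind, vendor, url))

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self._check_url(tag, value)
        if tag == "script":
            self._script = ""

    def handle_data(self, data):
        if self._script is not None:
            self._script += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text, self._script = self._script, None
            for url in URL_RE.findall(text):        # loader URLs hidden in inline JS
                self._check_url("inline-url", url)
            for pattern, vendor in INLINE_CALLS:    # e.g. fbq('init', ...)
                m = pattern.search(text)
                if m:
                    self.findings.append(("inline-call", vendor, m.group(0)))


def scan_html(html):
    """Return a list of (kind, vendor, evidence) for every tracker reference found."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a typical small-practice page.  IDs are placeholders.
SAMPLE_PAGE = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-XXXXXXX');
</script>
<script>
  !function(f,b,e,v){if(f.fbq)return;}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Depression and anxiety treatment</h1>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="/static/app.js"></script>
<img src="/images/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for kind, vendor, evidence in scan_html(SAMPLE_PAGE):
        print(f"{kind:12} {vendor:8} {evidence}")
```

Run it against saved HTML (fetch the page with curl or your browser's "save page" and pass the file contents to scan_html). Every hit is a request leaving the visitor's browser for a third party, and on a page like the sample the page title and path ("Depression and anxiety treatment") travel with it. The scanner is static: tags injected later by Tag Manager or a consent manager only show up in the browser's network log, so treat a clean result as necessary, not sufficient, and repeat the check after every theme or plugin update.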


It’s not just HIPAA


In addition to the compliance risks under HIPAA, there is the risk of Video Privacy Protection Act (VPPA) violations. Websites that carry the Meta Pixel or other social media trackers on pages containing video players put themselves at the additional risk of VPPA lawsuits.


Who is actually harvesting data from your healthcare website?


It’s easy to think, “I’m just a regular practice, no one is targeting me, right”


Well, even a regular healthcare practice can be a source of really valuable data for various entities.


Here’s who might be watching your website, harvesting data and then creating massive, amalgamated data rivers:


Data Brokers: These companies collect and aggregate personal information from websites to create detailed profiles of individuals. They then sell this information to third parties.


Big Tech Companies: Giants like Google, Meta (Facebook), and Amazon collect vast amounts of data through their analytics and tracking tools embedded in websites. This data helps them build detailed user profiles for targeted advertising.


Foreign Adversaries: Many seemingly innocuous analytics tools actually originate in China, Russia and Iran. To put it mildly, the information collected can be used in ways that may not align with the privacy expectations of the individuals from whom it was sourced.


Advertisers: Many websites use third-party advertising networks to monetize their traffic. These networks track users across different sites to serve targeted ads, effectively creating a trail of user behavior and preferences. So the analytics from your non-compliant healthcare website can be amalgamated with lots of other analytics information with the end user being served up advertising specific to their health concern.


Fines have started and will keep on coming…


The HHS Office for Civil Rights (OCR) issued guidance to HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that sending PHI to a tracking vendor through these technologies violates HIPAA unless there is a business associate agreement (BAA) in place with the provider of the code or valid authorizations are obtained from patients.


Numerous lawsuits have been filed against healthcare providers over the use of analytics and tracking tools. Novant Health agreed to pay $6.6 million to settle a lawsuit filed by patients who had their PHI transferred to third parties via tracking and analytics tools.


And it’s not just OCR getting involved. The FTC is also piling in and actively enforcing the FTC Act with respect to trackers, with BetterHelp recently having to pay $7.8 million to consumers as refunds for disclosing sensitive health data without consent.


Individual States have also taken action over the use of the Facebook pixel and other website trackers, with New York Presbyterian Hospital settling a Pixel-related HIPAA violation case with the New York Attorney General for $300,000.


It’s time to revisit your website and get serious about HIPAA


Getting serious about HIPAA compliance means a thorough audit of your current website and digital practices to identify potential non-compliance. It’s about taking proactive steps to secure patient data, minimize legal risks, and build a stronger, trust-based relationship with patients.


Making your website HIPAA Compliant is not just smart—it’s essential.

HIPAA Digital is a premier provider of HIPAA-compliant hosting and WordPress solutions, trusted by healthcare providers and businesses across the United States to protect their health information from breaches, threats and vulnerabilities.


We manage everything at a reasonable monthly rate, giving you the peace of mind to focus on your patients.
