3 Questions Healthcare Provider Organizations Need to Consider when Implementing Pixel Tracking Technologies

3 Questions Healthcare Provider Organizations Need to Consider when Implementing Pixel Tracking Technologies

This article is co-authored by:

  • Brian Rasquinha, Assoc. Director, Solution Architecture, Privacy Analytics
  • Jennifer Geetter, Partner, McDermott Will & Emery LLP
  • Ryan S. Higgins, Partner, McDermott Will & Emery LLP

Online tracking technologies, such as pixels, have become a common feature of the modern web and app ecosystem. Pixels and other online tracking technologies may be configured to collect user data about website visits, interactions, referrals, and other online activities, and the resulting datasets offer organizations valuable insights about how users interact with their websites or apps, enabling informed design choices to improve user experience and drive business growth.

However, there is growing awareness of the privacy concerns that can arise with tracking technologies in the health care context, where HIPAA-regulated protected health information could be disclosed via these technologies. This is of particular concern when the information is impermissibly disclosed to social media platforms and other advertising or analytics services providers that may not be willing or equipped to sign business associate contracts.

Over the past year, regulators have been increasingly focused on this topic and have released guidance. Most recently, the U.S. Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS) published a joint press release warning hospital systems and telehealth providers of the compliance risks associated with online tracking technologies.

The increasing scrutiny of online tracking technologies is driving discussions in the healthcare industry about how to effectively manage privacy concerns without sacrificing access to useful data assets. With a careful, considered approach, health care provider organizations can develop pragmatic, compliant solutions.

Getting ahead of the challenge

Privacy concerns with online tracking technologies arise when certain features are present, including:

  • the trackers collect and potentially share data elements that are considered individually identifiable under applicable law (e.g., HIPAA);
  • the trackers collect and potentially share data in a manner that is not disclosed in the organization’s online privacy policy; and/or
  • the trackers collect and share data with third parties (e.g., social media companies) that may enable the third party to identify the applicable user by linking the shared data with other data that resides in the third party’s broader datasets.

The following are key questions for a health care provider organization to consider prior to implementing tracking technologies on their websites and apps:

1. What pixel tracker data is being collected, and who receives it?

The first step is to understand the particulars of your organization’s current or planned implementation of online tracking technologies.  This may require coordination between compliance/legal functions and marketing/engineering functions.  To accurately assess the impacts and benefits of a pixel tracking technology, you will want to understand:

  • What tracking technologies are on (or are being proposed on) your online properties?
  • How do these technologies map to particular pages or content?
  • What data elements are ‘actually’ being collected?
  • What additional data elements may be ‘implied’ (e.g., real time dates for underlying events, such as a telehealth appointment)?
  • What data elements may be contained within hidden meta data (e.g., dates or user IDs) that are disclosed along with the specified data elements?
  • What data elements are being sent to third parties?
  • Is the data being sent to third parties de-identified under applicable law? If not, and if HIPAA applies, has the organization entered into a business associate contract with the third-party recipient?  (Note that other regimes with their own de-identification standards may apply.)
  • What data elements are critical, or what data elements can be removed or de-identified under applicable law?
  • What are the potential regulatory impacts of the answers to the above questions?

Privacy regulators evaluate whether best practices like data minimization or de-identification, where appropriate, are in place.  An organization that is restricting data collection to what is the minimum necessary for specific business functions, and that does not impermissibly disclose that information, will have a stronger privacy case with their customers and with regulators. 

2. Is my pixel tracker data governed by a regulation? 

Despite recent guidance from the HHS Office for Civil Rights (OCR), there is still confusion on what types of data are considered HIPAA protected health information in the online tracking technology context. OCR has provided in guidance some examples of the types of webpages that it believes may result in the disclosure of protected health information via online tracking technologies.  However, OCR cannot feasibly consider all potential use cases in its guidance, so organizations are often faced with making their own reasonable determinations of what is or is not protected health information in this context, based on such factors as webpage content, context, and similar factors. In making these determinations, organizations would benefit from consultations with legal counsel who are versed in these topics and data analysts who can help assess whether data is individually identifiable in the context of all other data disclosed or otherwise available to a third party.

3. Is my pixel tracker data attributable to an individual?

Applicable laws may prescribe how data may be rendered de-identified or anonymized.  There are a number of considerations involved in evaluating the identifiability of data from a statistical perspective.

Data Elements: Some data elements, such as names, home address, email, and ID numbers, would typically be considered ‘direct’ identifiers that ostensibly disclose the identity of a patient. HIPAA’s Safe Harbor approach to de-identification also explicitly lists IP address as a data element that must be removed to render health information de-identified (although there may be scenarios where an IP address pertains to a shared device, network, or organization). Other elements might be considered ‘quasi’-identifying from a statistical perspective, such as demographic information and particular interactions. In order to demonstrate that the data is not attributable to an individual, organizations will need to show that these identifiers are reduced to what is considered de-identified under the HIPAA Expert Determination method or Safe Harbor method of de-identification and/or under other applicable regulatory regimes.

Data Flows: From a risk perspective, how readily a data element can be used to attempt to re-identify an individual will vary, depending on who is receiving the data and what other data is available to that person. Recipients with richer reference data, with more computational resources, and with more financial resources would have a higher capacity to attempt to re-identify data. You will want to understand what data elements are being shared and what organizations they are being shared with, including whether the receiving organization might further share data in any form.

Data privacy experts can support an analysis of identifiability and potentially document a HIPAA Expert Determination that the information is de-identified or provide guidance on the steps required to achieve that state.

Summary

Since OCR provided its bulletin in December 2022, we have seen discussion around pixel trackers intensify rather than taper off. The topics and questions discussed above will be critical as organizations evaluate their existing or proposed implementations of online tracking technologies.

Please reach out to Privacy Analytics or McDermott Will & Emery LLP to discuss further, or if you need any assistance in managing privacy in the implementation of online tracking technologies. 

Contact Privacy Analytics here

Contacts at McDermott Will & Emery LLP:

More Articles

Anonymization at Scale: From Dataset to Pipeline

Read more >

Differential Privacy and Risk Metrics

Read more >

Managing Risks Associated with Linking De-identified Datasets

Read more >

Managing Re-identification Risk when Linking Multiple Datasets

Read more >

IQVIA’s Privacy Analytics Ranked amongst the Top 3 Data Masking Providers Worldwide for Second Year Running

Read more >

Will ChatGPT Put Data Sharing at Risk?

Read more >

All Resources

Archiving / Destroying

Are you unleashing the full value of data you retain?

Your Challenges

Do you need help...

  • Unleashing the full value of retained data so they can be put to work safely and responsibly in line with privacy regulation?
  • Defining and implementing effective archival and disposal processes for personal data?

OUR SOLUTION

Value Retention

  • Retain the business value in your data through anonymization.
  • Ensure compliance in your retention & destruction strategy.
  • Maximize the reuse of information by removing what is personal.

Client Success

Client: Comcast

Situation: California’s Consumer Privacy Act inspired Comcast to evolve the way in which they protect the privacy of customers who consent to share personal information with them.

Read the full story >

Evaluating

Are you achieving intended outcomes from data?

Your Challenge

Do you need help...

  • Optimizing the use / analysis of data to achieve your organization’s intended outcomes with measured success?

OUR SOLUTION

Unbiased Results

  • Reduce / minimize risk of bias in your data for machine learning.
  • Ensure transparency, fairness, and AI ethics / compliance.
  • Ensure data ethics & compliance in your data models and results.

Client Success

Client: Integrate.ai

Situation: Integrate.ai’s AI-powered tech helps clients improve their online experience by sharing signals about website visitor intent. They wanted to ensure privacy remained fully protected within the machine learning / AI context that produces these signals.

Read the full story >

Accessing

Do the right people have the right data?

Your Challenges

Do you need help...

  • Ensuring the right people have access to the right data at the right times?

OUR SOLUTION

Usable and Reusable Data

  • Enable internal access and / or external sharing of data for primary and / or secondary uses.
  • Ensure data are useful and reusable in alignment with FAIR principles.
  • Ensure data have the right level of privacy protection for the use.

Client Success

Client: Novartis

Situation: Novartis’ digital transformation in drug R&D drives their need to maximize value from vast stores of clinical study data for critical internal research enabled by their data42 platform.

 

See the full story >

Maintaining

Are you empowering people to safely leverage trusted data?

Your Challenges

Do you need help...

  • Maintaining / processing data securely and efficiently to promote data enablement with auditable proof of compliance?

OUR SOLUTION

Security / compliance efficiency

  • Creating synthetic versions of data to be used for innovation / AIML.
  • Applying data minimization principles to reduce your risk exposure.
  • Transforming your data for secondary uses and access.

CLIENT SUCCESS

Client: ASCO’s CancerLinQ

Situation: CancerLinQ™, a subsidiary of American Society of Clinical Oncology, is a rapid learning healthcare system that helps oncologists aggregate and analyze data on cancer patients to improve care. To achieve this goal, they must de-identify patient data provided by subscribing practices across the U.S.

 

Visit ASCOPubs.org to read the full story >

Acquiring / Collecting

Are you acquiring the right data? Do you have appropriate consent?

Your Challenge

Do you need help...

  • Ensuring the acquisition / collection of the right data under the appropriate consent / contracts to maintain corporate integrity?

OUR SOLUTIONS

Consent / Contracting strategy

  • Developing a consent / contractual framework for collecting / sourcing.
  • Creating a comms strategy for internal / external stakeholders.
  • Ingesting and transforming data safely to earn trust.

Client Success

Client: IQVIA

Situation: Needed to ensure the primary market research process was fully compliant with internal policies and regulations such as GDPR. 

 

Read the full story >

Planning

Are You Effectively Planning for Success?

Your Challenges

Do you need help...

  • Defining a clear data strategy to achieve desired outcomes?
  • Getting it right at the start to avoid costly privacy missteps later?

OUR SOLUTION

Build privacy in by design

  • Building privacy into your data plan / platform / pipeline upfront.
  • Establishing a trusted data strategy (ethics, compliance, privacy).

Client Success

Client: Nuance

Situation: Needed to enable AI-driven product innovation with a defensible governance program for the safe and responsible use
of voice-to-text data under Shrems II.

 

Visit Nuance.com to read the full story >

Join the next 5 Safes Data Privacy webinar

This course runs on the 2nd Wednesday of every month, at 11 a.m. ET (45 mins). Click the button to register and select the date that works best for you.

Register Now