    Are online tracking technologies like pixels HIPAA compliant?

    May 16, 2023

    By Valerie Montague, Jason Kravitz and Jenny Holmes

    If you’re operating in a HIPAA-regulated industry, cookies, pixels, and other online tracking technologies on your website or app could potentially transmit protected health information to third-party entities.

    Our next guest on A Little Privacy, Please!® is Valerie Montague, a partner in Nixon Peabody’s healthcare practice. She is CIPP/US-certified and represents healthcare providers, digital health companies, life sciences companies, and vendors of healthcare providers on privacy issues, including HIPAA compliance.

    Valerie has generously agreed to speak with us about online tracking technologies in the healthcare space, which can have serious HIPAA implications.

    Let’s jump in.

    What do tracking technologies do? Why are they controversial?

    Pixels and other online technologies are embedded into websites or mobile apps. They are used to track a user's experience and interaction with the site or the app. As part of that, information is transmitted to these tracking technologies’ tech vendors, such as Meta, and they’re able to use that information to either provide services to the organization that has the website or provide what is called interest-based advertising to the impacted consumer.

    If you go on your Facebook page and say, “Hey, it’s interesting that I’m seeing a Ticketmaster ad when I was searching for concert tickets earlier,” that’s an example of how information gleaned from these tracking technologies is used for interest-based advertising.

    It’s an issue because the data captured is identifiable for these users. Different levels of identifiable data are used to identify a person and connect them with other aspects of their online lives to come up with these targeted ads. 

    Why are tracking pixels of concern for HIPAA-regulated organizations?

    Healthcare organizations are handling a lot of sensitive information. Patients who go to their websites, who use their portals, who use their apps, are interacting with those organizations and providing them with a lot of data that they might not want out there in the public sphere. If these organizations are HIPAA-regulated, they need to comply with a whole scheme of regulations to protect information.

    For example, take a hospital with an online portal. Suppose individuals are logging in to make appointments and disclosing information regarding their health. If that information moves to a third party, it needs to do so in a way compliant with HIPAA.

    The concern for HIPAA-regulated entities is that the Metas of the world, these tracking technology vendors, often are not business associates to the hospitals or physician practices. They may not be permitted to receive the data as a hospital vendor. The healthcare organizations may not be securing the individual’s authorization to disclose health information to Meta or any other vendor for these purposes.

    Depending on the facts, it may be a little bit grey as to whether this is a permissible use of that data, and if it’s not, healthcare organizations need to analyze whether there’s a potential HIPAA breach involved.

    Are there litigation risks associated with using tracking technologies separate from the regulatory implications?

    Absolutely, and we’re seeing litigation across the country more and more each day.

    In 2022, we did see an $18 million settlement with a hospital in Massachusetts, so it’s a significant concern. It can be a major headache from a time perspective and a financial perspective for organizations inside and outside the healthcare space.

    What should a company do if it is already using these tracking technologies or considering adding them to its website or app?

    A company should first wrap its arms around how they’re using tracking technologies, who they’re working with, what information is being captured, and what information is going over the wall to the tracking technology vendor. If they are not yet implementing these technologies, those are the questions they should consider. 

    The next step is, healthcare organization or not, to understand whether you are being transparent with individuals using your website and app as to the use and disclosure of this information related to the tracking technologies. Look at terms of use and the privacy policy, and ensure that these uses and disclosures are adequately described so that the user and the consumer have insight into what is happening to their data.

    From a HIPAA perspective, analyze whether the tracking technology vendor is your business associate or whether it should be your business associate. If it’s not, perhaps you go the route where you seek authorization, giving you more flexibility, as the patients have told you it’s okay to use their data in the manner described. If they’re not your business associate, if you don’t have authorization, then scrutinize whether you have a potential HIPAA breach. 

    The Office for Civil Rights (OCR) has issued guidance that’s pretty authoritative on this subject. They take a broad view of what’s protected health information in these contexts. We’ve seen a number of large breaches reported, based on these tracking technologies, so far, to OCR, so it’s a topic on its radar, and it’s something OCR is investigating.
