HHS OCR reached a $3 million settlement with Advocate Aurora Health, an Illinois-based healthcare system, for HIPAA violations related to the use of tracking technologies on its patient portal websites and applications. Advocate Aurora used tracking technologies, including Meta Pixel and Google Analytics, that disclosed protected health information to third-party vendors without patient authorization or business associate agreements.
Advocate Aurora Health — Tracking Pixel HIPAA Settlement ($3M)
Advocate Aurora installed third-party tracking code on its patient-facing website and patient portal. This code transmitted PHI — including IP addresses, appointment information, and health conditions — to Meta and Google without business associate agreements. Approximately 3 million patients were affected. HHS OCR found that Advocate Aurora had failed to conduct a risk analysis covering the tracking technology.
Third-party tracking technologies on healthcare websites constitute a disclosure of PHI requiring BAAs. Healthcare organizations must audit all third-party code on websites where patients log in or enter health information. The 2022 HHS OCR Bulletin on tracking technologies explicitly addressed this issue. Many health systems were using similar tracking code.
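As an added example of the audit described above (this is not part of the settlement summary and is not code from Advocate Aurora, HHS, Meta or Google), the following Python script scans a saved copy of a portal page and lists every script, image or iframe loaded from a host outside the site's own domain, marking the well-known Meta Pixel and Google tag hosts. The tracker host list, the `example-health.org` site domain and the sample portal HTML are constructed for illustration and are not exhaustive; a real audit would also cover resources added at runtime by tag managers, which static markup alone does not reveal.

```python
"""Audit a saved HTML page for third-party script, image and iframe loads.

Constructed example: the tracker host list is illustrative and not exhaustive,
and the sample page is made up for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative analytics/advertising hosts (assumption: a real list is far longer).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader (fbevents.js)",
    "www.facebook.com": "Meta Pixel image beacon (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics collector",
}


class _ResourceCollector(HTMLParser):
    """Collect external resource URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) for script/img/iframe with a src
        self.inline_scripts = []   # bodies of <script> elements without a src
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))
        elif tag == "script":
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_inline_script = False


def _host_of(url):
    """Return the host of an absolute http(s) URL, or None for relative/data URLs."""
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    return parsed.hostname if parsed.scheme in ("http", "https") else None


def _is_first_party(host, site_domain):
    return host == site_domain or host.endswith("." + site_domain)


def audit_page(html, site_domain):
    """Return findings for every resource loaded from a host outside site_domain.

    Each finding is a dict with the element type, the host, and the tracker label
    when the host is in KNOWN_TRACKER_HOSTS (None for an unrecognised vendor, which
    still needs review). Inline scripts that reference a known tracker host, such as
    a pasted pixel snippet, are reported as element "inline-script".
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = _host_of(url)
        if host is None or _is_first_party(host, site_domain):
            continue  # relative path or the site's own domain
        findings.append({"element": tag, "host": host,
                         "known_tracker": KNOWN_TRACKER_HOSTS.get(host)})
    for body in collector.inline_scripts:
        for host, label in KNOWN_TRACKER_HOSTS.items():
            if host in body:
                findings.append({"element": "inline-script", "host": host,
                                 "known_tracker": label})
    return findings


# Constructed sample page: one first-party CDN script, one relative script, a
# stand-in for a pasted pixel snippet, a Google tag, a pixel beacon and an
# unrecognised third-party chat widget.
SAMPLE_PORTAL_HTML = """
<html><head>
<script src="/static/portal.js"></script>
<script src="https://cdn.example-health.org/vendor/app.js"></script>
<script>
  // constructed stand-in for a pixel snippet pasted into the portal template
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=000&ev=PageView" /></noscript>
<iframe src="https://chat.vendor-example.net/widget"></iframe>
<h1>Appointments</h1>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PORTAL_HTML, "example-health.org"):
        print(f"{f['element']:14} {f['host']:28} {f['known_tracker'] or 'unrecognised vendor - review'}")
```

Every host the script reports is one to check against the organisation's BAA inventory; the unrecognised vendor case (`known_tracker` is `None`) matters as much as the named ones, since the disclosure question turns on where PHI goes, not on whether the recipient is a famous analytics provider.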