In a previous blog, we showed how to see which trackers are running on your website. Now, let’s see which of those may be sending PHI. For this blog, we’ll assume you have already created a list of the trackers your website uses – so we recommend you do that first.
Let’s get started.
Requirements
- Google Chrome
- A Spreadsheet Program
Start with the Spreadsheet You Already Created
The spreadsheet we created in the previous blog contained:
- URL of the page
- Tracker Name
- Tracker Website
- Whether you have a business associate agreement with the tracker
- Whether the tracker may send PHI
- Additional Details
It looked like this:
Consolidate Requests with the Trackers
Each tracker you identified on the spreadsheet from your website probably sends multiple requests. It’s time to find those.
Follow these steps:
1. Open Google Chrome.
2. Navigate to your website’s homepage.
3. Right-click in the middle of the page.
4. In the menu that appears, select “Inspect”.
5. A new window will appear. In the new window, click the “Network” tab.
6. Refresh your web browser.
7. A list will appear on the left. This list contains all the network requests your website is making.
There are two primary request methods: GET and POST.
As the name implies, GET requests are requests your website makes to get something from another website. As a result, they’re not our primary concern because they shouldn’t be sending any data.
However, POST requests can be concerning because they send data to third-party trackers.
8. Find POST requests by typing “method:POST” in the search bar.
9. Select the list item. A sidebar will appear.
10. In the sidebar, note the “Headers” and “Payload” tabs.
11. In the Headers tab, match the request URL against the tracker URLs from your spreadsheet. If you can’t find a match, research the request URL to see what tracker it corresponds to.
12. Click the Payload tab. This shows what data the request is sending to a third-party tracker. You are looking for two primary types of data: user identifiers and PHI. PHI is commonly located in page URLs or titles.
13. If you can find a user identifier and any PHI, mark “Sends PHI?” with “Yes” in the spreadsheet.
14. Repeat steps 9-13 for each POST item.
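The POST-request check described in the steps above can be repeated over a whole page load by exporting the Network tab as a HAR file and scanning it, as in this added example (not code from the original post). The tracker domain, field names and health terms are hypothetical placeholders to replace with your own, and keyword matching only triages requests for the manual review of the Payload tab.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Hypothetical lists (not from the post): use your spreadsheet's tracker domains.
TRACKERS = {"tracker.example": "Example Tracker"}
ID_KEYS = {"cid", "uid", "user_id", "email"}       # user-identifier fields
PAGE_KEYS = {"dl", "dt", "url", "title"}           # page URL / title fields
PHI_TERMS = ("oncology", "diabetes", "pregnancy")  # health terms to look for

def flatten(value, key=""):
    """Yield (key, text) pairs from a decoded JSON body of any nesting."""
    if isinstance(value, (dict, list)):
        pairs = value.items() if isinstance(value, dict) else ((key, v) for v in value)
        for k, v in pairs:
            yield from flatten(v, k)
    else:
        yield key, str(value)

def payload_fields(request):
    """Decode a HAR request's POST body as JSON, else as a URL-encoded form."""
    text = (request.get("postData") or {}).get("text") or ""
    try:
        return list(flatten(json.loads(text)))
    except ValueError:
        return parse_qsl(text, keep_blank_values=True)

def audit(har):
    """Yield one spreadsheet row per POST request sent to a listed tracker."""
    for req in (e["request"] for e in har["log"]["entries"]):
        host = urlsplit(req["url"]).hostname or ""
        name = next((n for d, n in TRACKERS.items()
                     if host == d or host.endswith("." + d)), None)
        if req["method"] != "POST" or name is None:
            continue
        fields = [(k.lower(), v) for k, v in payload_fields(req)]
        has_id = any(k in ID_KEYS and v for k, v in fields)
        phi = sorted({t for k, v in fields if k in PAGE_KEYS
                      for t in PHI_TERMS if t in v.lower()})
        yield {"tracker": name, "request_url": req["url"], "identifier": has_id,
               "phi_terms": phi, "sends_phi": "Yes" if has_id and phi else "No"}

# Constructed sample standing in for a HAR file exported from the Network tab.
def _req(method, url, body=""):
    return {"request": {"method": method, "url": url, "postData": {"text": body}}}
SAMPLE_HAR = {"log": {"entries": [
    _req("POST", "https://t.tracker.example/c", "cid=12.34&dl=https%3A%2F%2Fclinic.example%2Foncology"),
    _req("POST", "https://tracker.example/e", '{"events": [{"uid": "u-9", "title": "Contact us"}]}'),
    _req("GET", "https://cdn.example/app.js"),
]}}
```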
What’s Next?
Did you discover any potential pairings of a user identifier and PHI? In that case, it’s important to take immediate action to avoid non-compliance with the OCR ruling, and we’d love to help out.
Penrod’s HIPAA-compliant web tracking solution ensures your website doesn’t disclose protected data to third-party trackers.