Penrod Blog

How to See if Third-Party Trackers are Sending PHI from Your Website

Written by Matt Fiel

After the OCR ruling, marketing and legal teams have been trying to balance risk and the use of website trackers. After the first ruling and some updated guidance, the OCR’s position is clear: regulated entities cannot send PHI to third-party trackers who won’t sign a business associate agreement.

In a previous blog, we showed how to see which trackers are running on your website. Now, let’s see which of those may be sending PHI. For this blog, we’ll assume you have already created a list of the trackers your website uses – so we recommend you do that first.

Let’s get started.

Requirements 

Start with the Spreadsheet You Already Created

The spreadsheet we created in the previous blog contained:

  • URL of the page
  • Tracker Name
  • Tracker Website
  • Whether you have a business associate agreement with the tracker
  • Whether the tracker may send PHI
  • Additional Details

It looked like this:

Spreadsheet of Third-Party Web Trackers

Consolidate Requests with the Trackers

Each tracker you identified on the spreadsheet from your website probably sends multiple requests. It’s time to find those.

Follow these steps:

  1. Open Google Chrome
  2. Navigate to your website’s homepage
  3. Right-click in the middle of the page.
  4. In the menu that appears, select “inspect“.
    Inspect in Chrome Developer Tools
  5. A new window will appear. In the new window, click the “Network” tab.
  6. Refresh your web browser.
  7. A list will appear on the left. This list contains all the network requests your website is making.

    There are two primary request methods: GET and POST.

    As the name implies, GET methods are requests your website makes from another website. As a result, they’re not our primary concern because they shouldn’t be sending any data.

    However, POST requests can be concerning because they send data to third-party trackers.

  8. Find POST requests by typing “​​method:POST” in the search bar.

    Network Requests Tab in Developer Tools

  9. Select the list item. A sidebar will appear.
  10. In the sidebar, note the “Headers” and “Payload” tabs.
  11. In the headers tab, correspond the request URL with the Tracker URLs from your spreadsheet. If you can’t find a match, research the request URL to see what tracker it corresponds to.
  12. Click the Payload tab. This shows what data the request is sending to a third-party tracker. You are looking for two primary types of data: user identifiers and PHI. PHI is commonly located in page URLs or titles.

    Payload Tab in Chrome Developer Tools

  13. If you can find a user identifier and any PHI, mark “Sends PHI?” with “Yes” in the spreadsheet.
  14. Repeat steps 9-13 for each POST item.

What’s Next?

Did you discover any potential pairings of a user identifier and PHI? In that case, it’s important to take immediate action to avoid non-compliance with the OCR ruling….and we’d love to help out.

Penrod’s HIPAA-compliant web tracking solution ensures your website doesn’t disclose protected data to third-party trackers.

About The Author


Matt Fiel

EVP of Marketing

With over 15 years of experience in marketing strategy, web development, and creative design, I lead the marketing team at Penrod, a boutique Salesforce partner focused on the healthcare and life sciences industry. As a Salesforce Certified Pardot Consultant, I have deep knowledge and skills in leveraging the platform to optimize marketing automation, lead generation, and customer engagement.

Ready to get compliant?

Get a free OCR compliance action plan.

Schedule a 30-minute consultation on the right and get compliant.

 

Related Resources

07/01/20

Is Salesforce Health Cloud the Right Fit for Your Organization?

At Penrod, we often have health care clients ask if Salesforce Health Cloud is the right fit for them. From satellite clinics to larger healthcare systems and specialty…

# Blog # Health Cloud # Health Providers
Read More

06/25/24

Meta Ads and HIPAA Compliance

Learn how to navigate the choppy waters of regulatory compliance in this comprehensive guide on Meta Ads and HIPAA.

# Blog # Health Providers
Read More

06/25/24

A Complete Guide to the OCR Ruling

What HIPAA-regulated agencies need to know about online tracking technologies on their mobile applications and websites.

# Blog # Health Providers
Read More

06/10/24

How to See if Third-Party Trackers are Sending PHI from Your Website

Learn how to find out if your website's third party trackers are sending PHI.

# Blog # Health Providers
Read More

06/10/24

How to Conduct a Website Tracking Audit

Learn how anyone can conduct a website tracking audit with the apps you probably use every day.

# Blog # Health Providers
Read More

06/06/24

What is Salesforce Life Sciences Cloud?

In this article, we will explore Salesforce Life Sciences Cloud, delve into its potential use cases, and provide insights on when it will be available.

# Blog # Health Providers
Read More

05/31/24

Tips to Increase New Patient Revenue

To grow and sustain your medical practice, you must consistently attract and retain new patients. The intake step is where you need to start focusing on new patient…

# Blog # Health Providers
Read More