Penrod Blog

How to See if Third-Party Trackers are Sending PHI from Your Website

Written by Matt Fiel

After the OCR ruling, marketing and legal teams have been trying to balance risk and the use of website trackers. After the first ruling and some updated guidance, the OCR’s position is clear: regulated entities cannot send PHI to third-party trackers who won’t sign a business associate agreement.

In a previous blog, we showed how to see which trackers are running on your website. Now, let’s see which of those may be sending PHI. For this blog, we’ll assume you have already created a list of the trackers your website uses – so we recommend you do that first.

Let’s get started.


Start with the Spreadsheet You Already Created

The spreadsheet we created in the previous blog contained:

  • URL of the page
  • Tracker Name
  • Tracker Website
  • Whether you have a business associate agreement with the tracker
  • Whether the tracker may send PHI
  • Additional Details

It looked like this:

Spreadsheet of Third-Party Web Trackers

Consolidate Requests with the Trackers

Each tracker you identified on the spreadsheet from your website probably sends multiple requests. It’s time to find those.

Follow these steps:

  1. Open Google Chrome
  2. Navigate to your website’s homepage
  3. Right-click in the middle of the page.
  4. In the menu that appears, select “inspect“.
    Inspect in Chrome Developer Tools
  5. A new window will appear. In the new window, click the “Network” tab.
  6. Refresh your web browser.
  7. A list will appear on the left. This list contains all the network requests your website is making.

    There are two primary request methods: GET and POST.

    As the name implies, GET methods are requests your website makes from another website. As a result, they’re not our primary concern because they shouldn’t be sending any data.

    However, POST requests can be concerning because they send data to third-party trackers.

  8. Find POST requests by typing “​​method:POST” in the search bar.

    Network Requests Tab in Developer Tools

  9. Select the list item. A sidebar will appear.
  10. In the sidebar, note the “Headers” and “Payload” tabs.
  11. In the headers tab, correspond the request URL with the Tracker URLs from your spreadsheet. If you can’t find a match, research the request URL to see what tracker it corresponds to.
  12. Click the Payload tab. This shows what data the request is sending to a third-party tracker. You are looking for two primary types of data: user identifiers and PHI. PHI is commonly located in page URLs or titles.

    Payload Tab in Chrome Developer Tools

  13. If you can find a user identifier and any PHI, mark “Sends PHI?” with “Yes” in the spreadsheet.
  14. Repeat steps 9-13 for each POST item.

What’s Next?

Did you discover any potential pairings of a user identifier and PHI? In that case, it’s important to take immediate action to avoid non-compliance with the OCR ruling….and we’d love to help out.

Penrod’s HIPAA-compliant web tracking solution ensures your website doesn’t disclose protected data to third-party trackers.

About The Author

Matt Fiel

EVP of Marketing

With over 15 years of experience in marketing strategy, web development, and creative design, I lead the marketing team at Penrod, a boutique Salesforce partner focused on the healthcare and life sciences industry. As a Salesforce Certified Pardot Consultant, I have deep knowledge and skills in leveraging the platform to optimize marketing automation, lead generation, and customer engagement.

Ready to get compliant?

Get a free OCR compliance action plan.

Schedule a 30-minute consultation on the right and get compliant.