Creating privacy-conscious care journeys: Navigating data tracking in healthcare

The blog discusses the new guidance issued by the Office of Civil Rights (OCR) on pixel tracking and HIPAA compliance for healthcare providers and insurers.

By Darcelle Pluviose

After several of the largest health networks reported patient data breaches, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued new guidance on December 1, 2022 on pixel tracking and HIPAA for Covered Entities (healthcare providers and insurers) and Business Associates. The guidance specifies that using tracking pixels without a business associate agreement (BAA) may be a violation of HIPAA. And while the bulletin directly cites third-party pixels, it provides additional guidance on how HIPAA applies to regulated entities’ use of all “online tracking technologies,” including:

  • Tracking on user-authenticated web pages

  • Tracking on unauthenticated webpages

  • Tracking within mobile apps

  • HIPAA compliance obligations for regulated entities when using tracking technologies

Pixel tracking and third-party cookies continue to cause issues across all industries, especially those that handle sensitive data, such as healthcare and life sciences (HLS). Broader industry trends point to a shift toward first-party data and growing consumer demand for transparency around data and privacy. That’s why Twilio Segment is built with privacy at its core and focuses on first-party data, to ensure cleaner data for your company and stronger protections for your patients and members.

It is lower-risk (and more cost-effective!) to invest in a solution that can sign BAAs and prioritizes first-party data, where you can be sure the data isn’t being shared with additional parties, than to hack together workarounds with HIPAA-ineligible platforms and unintentionally find yourself out of compliance.

The history of HIPAA

The Health Insurance Portability and Accountability Act, or HIPAA, went into effect in 1996 and created a set of “national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” HIPAA has been amended several times over the last decade and a half and now consists of several rules (Privacy, Security, Breach Notification, Enforcement, Omnibus) that together cover a broader set of healthcare measures, including reducing fraud and waste in healthcare and providing a more comprehensive guideline for managing Protected Health Information (PHI).

Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 transformed healthcare’s use and creation of ePHI (PHI that is created, collected, used, maintained, or transmitted electronically) by incentivizing the adoption of electronic health records (EHRs). Adoption rose from 3.2% in 2008 to 90% in 2017, just under ten years after the act was signed into law.

While HITECH improved the interoperability of EHRs and health tech across the industry, it also expanded the Privacy and Security Rules to cover Business Associates that transmit PHI on behalf of a Covered Entity, strengthening patient privacy protections. And though HITECH further defined PHI and ePHI, along with the safeguards needed to protect them, organizations have struggled to properly interpret and enforce those safeguards in today’s rapidly shifting tech environment.

As industry leaders in privacy, Twilio Segment understands that our platform is only one element of an organization’s compliance strategy, since HIPAA isn’t a set-it-and-forget-it endeavor. It is an ongoing responsibility to ensure PHI is stored properly and shared only with the appropriate parties. So while no tool will eliminate the risk entirely, building on a HIPAA-eligible platform that uses first-party data is a strong foundation for preventing data from being improperly shared with non-compliant vendors.

The problem with pixels

At Twilio Segment, we’ve promoted the use of first-party data since day one, so there are already several articles on the Twilio Segment blog that touch on the inherent risks of pixel tracking. For those unfamiliar: a third-party pixel is set by a domain other than your own, so the tracking identifier lives in the end user’s browser rather than on your server, and it follows that user from site to site across the web. So while your organization may only be using pixels on a patient portal sign-up page, or even a newsletter, the collected data may be considered PHI in the aggregate if PII (name, address) is connected with health-related information (the newsletter topics). This is just one example of how a seemingly innocuous scenario can quickly become noncompliant.

With the “death” of the third-party cookie on the horizon, now is a good time to reassess your organization’s approach to providing engaging patient experiences in a cookieless world. With proper consent management and compliant data collection, you can use the information patients allow you to track to provide them with a modern, personalized, and intuitive care journey.

Risks with other tracking technologies

Now that we’ve reviewed some of the privacy issues that can arise from using tracking pixels, we’ll briefly touch on some of the other “tracking technologies” referenced in the HHS bulletin that are often compared to CDPs.

Tag Managers

A tag manager is similar to a CDP in that both collect data from website visitors, but it is fundamentally different because it is built around third-party pixels and scripts (aka “tags”). For a more technical breakdown of the two, check out our blog detailing why a tag manager is a frenemy to the CDP. Tag managers are limited in the type of data they capture (mainly web-based) and are more susceptible to non-compliance with privacy legislation and initiatives.

Data Management Platforms (DMPs)

DMPs are systems designed to aggregate generic data to support advertising, so they are limited in how marketers can practically use them. A DMP can tell you about a general audience, but it can’t give you insight into the patients you actually have and, therefore, won’t help you leverage data to create more meaningful care journeys.

Customer Relationship Management (CRM) Tools

CDPs often get compared to CRMs because both collect customer data, but as detailed in Segment’s blog on CRM vs CDP, the main difference is that CRMs organize and manage customer-facing interactions with your team, while CDPs collect data on customer behavior with your product or service. Both deal with data collection, but the two are not 1:1 replacements; even a HIPAA-compliant CRM won’t give you access to the behavioral data needed to generate personalized care experiences.

How Segment is supporting privacy and compliance

Twilio Segment CDP offers several solutions not only to manage your organization’s data, including PII and PHI, but also to set privacy standards that enforce governance, access control, and overall data best practices. As a HIPAA Eligible Service, Segment operates on what is commonly referred to as the “shared responsibility model,” in which customers build HIPAA-compliant workflows with Segment in accordance with Architecting for HIPAA. Some of the relevant features and functionalities are listed below; please visit Twilio and HIPAA for more information on all eligible products.

  • Facebook, Google, TikTok

    • Segment encrypts all properties you designate as PII before sending them to the Facebook, Google, and TikTok pixels, in accordance with each platform’s requirements. Refer to the Segment documentation for the list of fields automatically included for each destination.

  • Segment Privacy Overview

    • The workspace can be designated as a HIPAA Project once a BAA is in place

    • When enabled, the Privacy Portal automatically detects and classifies PII and PHI and creates a dynamic customer data inventory with built-in, risk-based classification

    • Accelerate compliance with regulations like the GDPR and the CCPA with automated data subject rights management and an open-source consent manager

    • Auditing whenever PHI is accessed or configured
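The first bullet above says that PII is transformed before it reaches an ad pixel, but the page does not show what that looks like. The example below is added here and is not Segment’s code; it assumes the platform requirement is the one Meta, Google and TikTok document for their conversion endpoints (a SHA-256 hash of a normalized email or phone number), and it adds a second control the page mentions under auditing: any field on a constructed block list (health-related attributes that should never reach an ad platform) is stripped and reported rather than forwarded. Field names, the block list and the sample event are all constructed for illustration.

```python
import hashlib
import re

# Fields the ad platforms accept only as SHA-256 hashes of a normalized value.
# (Meta, Google and TikTok document this for email and phone.)
HASHED_FIELDS = {"email", "phone"}

# Constructed block list: health-related attributes that must never be
# forwarded to a third-party pixel, hashed or not. A real deployment would
# drive this from the data inventory / classification rather than a literal.
BLOCKED_FIELDS = {"diagnosis", "condition", "medication", "provider_specialty"}

# Constructed sample event, as a first-party analytics call might produce it.
SAMPLE_EVENT = {
    "event": "Newsletter Signup",
    "email": " Jane.Doe@Example.com ",
    "phone": "(555) 123-4567",
    "diagnosis": "type 2 diabetes",
    "newsletter": "wellness-tips",
}


def normalize_email(value: str) -> str:
    # The platforms hash the trimmed, lower-cased address; hashing the raw
    # string would silently break matching and is easy to get wrong.
    return value.strip().lower()


def normalize_phone(value: str) -> str:
    # Digits only, with a country code; assume US (+1) when a bare
    # 10-digit number is given (a constructed convention for this example).
    digits = re.sub(r"\D", "", value)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def prepare_pixel_payload(event: dict) -> tuple[dict, list]:
    """Return (payload safe to send to a pixel, list of fields that were dropped).

    The dropped list is what an audit log entry would record, so a reviewer
    can see which health-related attributes a page tried to emit.
    """
    payload = {}
    dropped = []
    for key, value in event.items():
        if key in BLOCKED_FIELDS:
            dropped.append(key)
            continue
        if key == "email":
            payload[key] = sha256_hex(normalize_email(value))
        elif key == "phone":
            payload[key] = sha256_hex(normalize_phone(value))
        else:
            payload[key] = value
    return payload, sorted(dropped)


if __name__ == "__main__":
    safe, removed = prepare_pixel_payload(SAMPLE_EVENT)
    print("forwarded:", safe)
    print("dropped (audit):", removed)
```

Hashing is not anonymization: a hashed email is still a stable identifier that the ad platform can match against its own users, which is exactly why the bulletin treats the combination of such an identifier with health-related context as PHI. The block list is the control that matters for HIPAA; the hashing only satisfies the platform’s input format.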

To learn more, check out our upcoming webinar with Forrester and K Health on The Future of Healthcare Technology: Data-driven trends and tactics to improve ROI and patient outcomes!
