HIPAA Means Turning Off External Services

Yesterday the EFF and the AP are reporting that Healthcare.gov sends personal health information to 14+ third-party websites. This includes “zip code, income level, smoking status, pregnancy status and more.” This is terrible, but sadly isn’t surprising.

As we work with more and more healthcare-related startups, we see that many aren’t aware of how HIPAA laws apply to them in terms of Protected Health Information (PHI) and third parties.

First, there are rules about what you can do with that data in your own systems (and even this gets goofed far too often), but you have to be extra careful when you don’t control the data. Healthcare.gov isn’t sending data to these 3rd parties intentionally, but by sending analytics data they inadvertently leak a lot of PHI.

Do you have 3rd party JavaScript on your site? Google Analytics? Clicktale? Do you know what data it sends to these services? Do you realize that you may be breaking the law by sending patient data to them?

Healthcare is a hot market now, but we can’t do all the cool things we do on many websites without giving them much more thought and care. Healthcare.gov should know better, but I worry much more about all the small startups and consulting firms that don’t have full experience with HIPAA and legal requirements.

Need help securing your Healthcare startup? Talk to us.

Photo of Daniel Morrison

Daniel founded Collective Idea in 2005 to put a name to his growing and already full-time freelance work. He works hard writing code, teaching, and mentoring.


  1. January 21, 2015 at 15:43 PM

    Awareness of the issues around HIPPA is necessary working in any sector of the tech industry that could come in contact with healthcare. Unfortunately the magnitude of these issues and the complications in dealing with them mean that many smaller clients (that I deal with) end up avoiding collection of PHI altogether, or are forced into using separate systems that are already hardened for medical / HIPPA usage.

    Even the best security measures can’t protect people from themselves. I had a meeting with a healthcare provider last week that has had patients send them PHI via their Facebook page!