Yesterday the EFF and the AP are reporting that Healthcare.gov sends personal health information to 14+ third-party websites. This includes “zip code, income level, smoking status, pregnancy status and more.” This is terrible, but sadly isn’t surprising.

As we work with more and more healthcare-related startups, we see that many aren’t aware of how HIPAA laws apply to them in terms of Protected Health Information (PHI) and third parties.

First, there are rules about what you can do with that data in your own systems (and even this gets goofed far too often), but you have to be extra careful when you don’t control the data. Healthcare.gov isn’t sending data to these 3rd parties intentionally, but by sending analytics data they inadvertently leak a lot of PHI.

Do you have 3rd party JavaScript on your site? Google Analytics? Clicktale? Do you know what data it sends to these services? Do you realize that you may be breaking the law by sending patient data to them?

Healthcare is a hot market now, but we can’t do all the cool things we do on many websites without giving them much more thought and care. Healthcare.gov should know better, but I worry much more about all the small startups and consulting firms that don’t have full experience with HIPAA and legal requirements.

Need help securing your Healthcare startup? Talk to us.