
Building a HIPAA Compliant Website

Reports that several recently exposed healthcare organizations used the Facebook MetaPixel have raised eyebrows, given that using the MetaPixel can be a HIPAA violation when it collects patient information. Since Facebook unabashedly shares data with advertisers, MetaPixel is not HIPAA compliant.

While professionals can’t use Facebook MetaPixel on their websites, well-constructed, public-facing websites can be used to accommodate patients and clients with a full range of needs. How can one be sure that a website is HIPAA-compliant?

Do Websites Need to be HIPAA-Compliant?

Before going through the process of making a website HIPAA compliant, one should first ask these questions:

  1. Is protected health information (PHI) being transferred through the website?
  2. Is PHI being backed up on a server connected to the website?
  3. Is PHI being collected directly on the website?

If the answer to these questions is yes, the website must be HIPAA compliant.

Creating a HIPAA Compliant Website

The first step in creating a HIPAA-compliant website is finding a HIPAA-compliant web hosting service.

What to look for:

  • Does the web hosting service provide safeguards to secure data?
  • Will the provider sign a business associate agreement (BAA)?

Many popular web hosting services such as WordPress and GoDaddy are not HIPAA compliant, as they will not sign business associate agreements (BAAs). However, providers such as Amazon Web Services (AWS) and Microsoft Azure can be HIPAA compliant when a BAA is signed and the service is configured and used properly.

The next step is ensuring that the service used to back up any website data is HIPAA compliant. Like a web hosting service, any data backup provider must have adequate safeguards and sign a BAA. Microsoft OneDrive and Google Drive are popular cloud storage providers that can be HIPAA compliant with proper configuration and a signed BAA.

HIPAA Compliant Website Tools

Using advertising tools to collect patient data without authorization is a HIPAA violation. While advertising tools such as Facebook MetaPixel cannot be used to collect patient data, other website tools can help to run healthcare practices efficiently and more conveniently. Such tools include online appointment schedulers, chat services, help desks, and encrypted web forms. To avoid a HIPAA violation, each add-on must be HIPAA compliant and make available a signed BAA.
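A check a practitioner can run against their own site's HTML to confirm that the MetaPixel snippet discussed above is not present before patient-facing forms go live. This is an added example, not code from the article or from Telehealth.org; it assumes the well-known markers of the pixel snippet (the fbevents.js loader, the fbq() call and the facebook.com/tr fallback image) and uses a constructed sample page.

```python
import re
from html.parser import HTMLParser

# Markers of the Meta (Facebook) Pixel snippet: the fbevents.js loader URL, the fbq()
# calls it exposes, and the <noscript> fallback image. Assumed well-known signatures,
# not something the article lists.
LOADER_RE = re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js", re.I)
FBQ_RE = re.compile(r"\bfbq\s*\(\s*['\"](init|track|trackCustom)['\"]", re.I)
NOSCRIPT_IMG_RE = re.compile(r"facebook\.com/tr\b", re.I)

class _PixelFinder(HTMLParser):
    """Records every place a page loads or calls the pixel."""
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, detail) tuples
        self._script = None     # buffer for the current <script> body
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
            src = a.get("src") or ""
            if LOADER_RE.search(src):
                self.findings.append(("external-script", src))
        elif tag == "img" and NOSCRIPT_IMG_RE.search(a.get("src") or ""):
            self.findings.append(("noscript-img", a["src"]))
    def handle_data(self, data):
        if self._script is not None:      # inside <script>: buffer the body
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            if LOADER_RE.search(body):
                self.findings.append(("inline-loader", "fbevents.js"))
            for m in FBQ_RE.finditer(body):
                self.findings.append(("fbq-call", m.group(1).lower()))

def find_meta_pixel(html: str):
    """Return every pixel indicator found in the HTML; an empty list means none."""
    finder = _PixelFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample: an appointment-request page carrying the pixel snippet.
SAMPLE_PAGE = """<html><head><script>
!function(f,b,e,v,n,t,s){/* loader omitted */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');
</script></head><body><noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
<form action="/appointment"><input name="reason"></form></body></html>"""
```

Running `find_meta_pixel(SAMPLE_PAGE)` reports the inline loader, the `init` and `track` calls and the fallback image; a clean page returns an empty list. Run it over every page that carries a form or scheduler, not just the home page, since the snippet is often added per template.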

This Article is Contributed by the HIPAA Compliancy Group

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing, technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.