
Risky Business: The truth about PII and third-party applications

Author: Tiffany Staples


Personally Identifiable Information (PII) isn’t just a boring term being thrown around by hospitals and healthcare providers. It’s a classification for any sensitive information that can be used to identify a person, and healthcare organizations are collecting more of it than ever before. This sensitive information includes first and last names, addresses, phone numbers, Social Security numbers and digital credentials like email addresses, logins, and even passwords. As healthcare embraces the digital revolution, healthcare providers and hospitals have ramped up the amount of PII collected from their patients. While this data is necessary to provide healthcare services and maintain patient records, third-party analytics solutions are creeping in like an uninvited guest, putting your PII at risk. Sure, they may offer valuable insights into patient populations, but what about the potential consequences of not managing PII compliantly?

These data technologies collect and aggregate your patient data so it can be analyzed to provide insight into patient populations, inform communication strategies, and alert patients to potentially life-changing innovations. But here's the catch: they store your patient data on their own servers. So your patients' information leaves the security of your IT systems, goes into someone else's (i.e. a third party's), and is then spat back into yours. Not ideal, especially when you want to stay compliant with new HIPAA regulations and prevent data exposure.

Worse, many third-party analytics solutions lack the security measures necessary to protect PII, transmitting data over insecure protocols or storing it in unsecured databases. Think about third-party cookies, the same cookies being used to track your patient data. These technologies lack strict access controls and open the door to unauthorized access to privileged information, which is exactly why they’re now banned from operating systems like Apple iOS and browsers like Firefox and Safari.

Patients often don’t realize their data is being collected and analyzed by third-party analytics solutions, and if a patient hasn’t given explicit consent for their data to be used this way, it’s a HIPAA violation. This lack of transparency erodes trust between patients and healthcare providers. Not a situation you want to find yourself in.

Beyond the problem of external parties seeing valuable patient data, the consequences of a larger-scale data breach can be catastrophic. Patients may suffer identity theft or financial fraud, while healthcare providers may face fines and lawsuits for violating data privacy laws. Data breaches damage the reputation of a healthcare provider, leading to a loss of trust from patients and the wider community. Why leave yourself exposed when you can decrease the risk from the start?

So, what can healthcare providers do to protect PII? First, conduct a review to ensure you're compliant with new HIPAA regulations regarding patient PII. Establish and enforce strict access controls, and use secure protocols for transmitting and storing patient data. Be transparent with your patients about how their data is being used, and make sure they've freely given consent for their data to be used in this way.

Third-party analytics solutions may provide valuable insights into patient populations, but they also pose a significant risk to patient privacy. It’s up to healthcare providers to verify that these solutions are secure and to have the right technology in place to handle PII and patient data correctly. By implementing strong security measures and being transparent with patients about how their data is being used, healthcare providers can maintain the trust of their patients and ensure that PII remains confidential.

Need some help making sure your marketing data capture is HIPAA-compliant? We can help!