Session Replay Scripts: Time to Go Under the Hood on Your Organization’s Website

This article was first published in the American Health Lawyers Association newsletter and is reprinted with permission.

Given the ubiquity and utility of analytics in all facets of the modern health-care delivery system, it is not surprising that many organizations would be tempted to use these tools as marketing aids on their websites. Recent articles by privacy researchers at Princeton University’s Center for Information Technology Policy (CITP) underscore the need, however, to be careful when deploying analytics software in this manner.

In particular, thought leaders at Princeton’s CITP detailed how “session replay” scripts possess the capacity to record a consumer’s entire use of a website and to pass that information to third-party servers as if “someone is looking over [the consumer’s] shoulder.” Session replay script software, as its name implies, permits website owners to “replay” user interactions with their website. It is used on many of the Internet’s most visited websites including, as detailed by the CITP, on the consumer-facing website for one of the country’s largest retail pharmacy chains, in ways that should alert health care providers to the need to ensure compliance with HIPAA and other privacy and data security requirements.

What is a Session Replay Script?

Most commercial websites employ third-party analytics tools (e.g., Google Analytics) to record basic user behavior, such as a consumer’s searches and pages viewed. Session replay script software goes further and records keystrokes, mouse movements and scrolling behavior along with the entire contents of the pages visited. Session replay scripts are provided by numerous technology companies, such as Yandex, HotJar, FullStory or SessionCam. Consumer usage data is transferred from the site to the script providers’ servers, where individual user sessions can then be replayed by the website owner. The intended purpose of these tools is to gather more detailed intelligence regarding how users interact with websites, discover broken or confusing pages, and, perhaps, learn when a consumer abandons the sales process.

The Catch

In multiple articles published in recent months, the Princeton authors identified two major failings of these session replay script services – (1) the services’ failure to thoroughly and automatically redact sensitive personal information; and (2) the disconnect between website owners and the providers of these technologies.

Session replay script services ostensibly allow sensitive personal information to be excluded from collection through instructions to the software to redact particular fields from the recording. This redaction can occur both manually, through the website development team instructing the software to not collect certain fields, and automatically, as a feature of the session replay script software. While sensitive information can be excluded from the recordings manually, for this redaction to work, the website owner would need to carefully check each page of the site and designate by hand the fields to be redacted. In addition, the process may need to be repeated each time the site is updated. The services are also, in theory, designed to automatically redact certain information, such as credit card numbers. However, unless all fields entered by a consumer are redacted, the Princeton authors found that automatic redaction would frequently fail due to the website not being structured to be compatible with the services’ finicky redaction settings.
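The page-by-page check that manual redaction requires can be automated and re-run after every site update. The following is an added example, not code from the Princeton authors or from any script provider; it assumes the provider skips any element carrying a marker class and everything nested inside it, and the class name `replay-redact`, the field names and the sample form are hypothetical.

```python
from html.parser import HTMLParser

# Assumption: the replay vendor skips any element carrying this class and
# everything nested inside it. The class name is hypothetical.
REDACT_CLASS = "replay-redact"
FIELD_TAGS = {"input", "textarea", "select"}
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image"}  # no typed text
VOID_TAGS = {"input", "br", "img", "hr", "meta", "link"}       # never closed

class RedactionAudit(HTMLParser):
    """Collects form fields that no redaction marker covers."""
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, covered) for each open element
        self.unredacted = []   # fields a replay script would record

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]
        covered = inherited or REDACT_CLASS in (a.get("class") or "").split()
        if tag in FIELD_TAGS and not covered:
            if (a.get("type") or "text").lower() not in SKIP_TYPES:
                self.unredacted.append(a.get("name") or a.get("id") or tag)
        if tag not in VOID_TAGS:
            self.stack.append((tag, covered))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def unredacted_fields(html):
    audit = RedactionAudit()
    audit.feed(html)
    return audit.unredacted

# Constructed sample: a refill form where a site update added two fields
# ("rx_number", "condition") without designating them for redaction.
SAMPLE = """
<form>
  <div class="card replay-redact"><input name="card_number"><input name="cvv"></div>
  <input name="full_name" class="replay-redact">
  <input name="rx_number">
  <textarea name="condition"></textarea>
  <input type="submit" value="Refill">
</form>
"""

if __name__ == "__main__":
    print(unredacted_fields(SAMPLE))
```

Run against rendered page HTML in a build or release pipeline, a non-empty result flags fields that need a redaction decision before the update ships.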

In addition, the authors note that website owners may be unaware of the full scope of information collected by these services on their own websites. In some instances, the website owners may not even have a direct relationship with the script provider. Instead, the website owner may use an ad network or other third-party vendor who, in turn, employs the session replay script on their site.

Consumer Pharmacy Site

The Princeton researchers specifically described the collection of information from the pharmacy section of a popular consumer-retail website, which embedded the FullStory session replay script. While this website apparently used manual redaction, the authors found that sensitive personal information, including medical conditions and prescriptions, was still leaked to FullStory along with the names of users.

The website of a HIPAA covered entity or business associate can, in theory, deploy session replay script technology (even without redaction); however, numerous steps would need to be undertaken to ensure the privacy and security of protected health information (PHI) processed through the website. Most obviously, as the information would ordinarily be stored on the servers of the script provider, a HIPAA business associate agreement (BAA) must be put in place between the parties. One challenge to procuring a BAA from the script provider is that the providers themselves frequently note in their Terms of Use that their services are not to be used in connection with the collection of PHI or other forms of sensitive personal information. In addition, HIPAA strongly encourages encryption while the data is in transit, and requires proper disposal of the data. There also may be other federal (e.g., FERPA), state and international (e.g., GDPR) laws the parties need to contend with depending on the particular manner in which a session replay script is implemented.

Time to Check is Now

Given how common these scripts are in commercial websites, we expect that numerous health care organizations are being advised by their marketing consultants to employ these technologies on their own websites. Session replay scripts can drive insights about how websites are being used to enhance the consumer’s experience. The findings of Princeton’s researchers, however, underscore the need to use these technologies with proper controls in place.

© Copyright 2018, American Health Lawyers Association, Washington, DC. Reprint permission granted.