There’s been quite a stir around the new HIPAA stance on trackers – and healthcare organizations are scrambling to find solutions.
We all know any data that’s viewed, collected, or stored about patients or potential patients must be protected. While most healthcare organizations are experts on the impact of HIPAA regulations on their operational practices, when it comes to marketing they’re often overlooked. In fact, there was a longstanding assumption that platforms like Google Analytics and Meta Pixel were compliant by default, but recent guidance from HHS highlights the importance of protecting PHI in relation to those tools.
In healthcare there’s still a marketing and advertising component to data, because creating awareness, winning new business (aka patients), and delivering an excellent patient experience is still necessary for growth. Collecting digital visitor data is a key piece of any successful marketing strategy and leverages the same signals of interest and intent as any marketing organization. But it can be difficult to do that while remaining compliant with HIPAA regulations. At the end of the day, protecting the privacy and security of patient information is the number one goal.
It comes down to how to capture the right data, do it compliantly, and then use it to deliver a better experience.
What’s the big deal with data trackers?
As digital marketing expands, digital analytics are increasing in popularity and the HIPAA implications must be considered. This goes for your own organization as well as any marketing agencies you may work with. Organizations have been relying on third-party solutions like Google to track and build digital patient data models – but the recent guidance means they can’t anymore.
When a user submits information on your website form, requests an appointment, or simply visits your site they could potentially be sharing personal health information, such as conditions, along with their personal identifiable information (PII) – which makes it protected health information (PHI). We know- it’s a lot of acronyms, but they’re critical ones to be familiar with.
According to the new guidance, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” In plain English, you can’t share sensitive information with any third-party trackers, even for marketing, without express consent from the individual (aka HIPAA-compliant authorization).
Forget the ifs, ands, or buts – with massive penalties for HIPAA violations and an increased public awareness of privacy, it’s not worth the risk. Even IP addresses are considered PHI, and since IP address is a standard piece of data collected on most (if not all) analytics and marketing platforms…healthcare organizations need to take note.
Think of a simple example: a new visitor comes to your website and visits a page about arthritis. The page content (health) combined with their IP address immediately makes that information PHI – because they can be individually identified and connected to that health information. Which means you can’t share it, transfer it, or send it outside your organization – even if it’s so called “anonymized”.
The problem with most tracking technologies is they’re third-party (outside your organization), which means by definition the data that’s captured is sent to them. Instant HIPAA violation. According to HHS, the interactions on the website or mobile app connect the individual to the entity – inferring a relationship. Even if the individual doesn’t have a relationship with the healthcare entity. Even if there’s no specific treatment or billing information. The use of the site or app basically infers some type of past, present, or future healthcare connection – and that’s protected.
But, what if my user is authenticated/signed in?
Most healthcare entities these days have patient or health plan portals, mobile apps, and more, which require a user to log in to view the information. This makes it even more critical to ensure the tracking is HIPAA-compliant, because in most cases these access points will have more PHI than an unknown or anonymous user visiting a website, including very sensitive information such as diagnosis and treatment plans or even billing information. If you’re using a vendor to collect, track, or manage this information (such as a marketing, analytics, or patient experience platform) you must ensure any data shared with them is permitted by the Privacy Rule - and you’ll need a BAA.
So, does that mean it’s ok to use tracking technology on unauthenticated pages?
Nope, sorry. Let’s face it, regulations are often intricate and confusing. You could drill down to the nitty-gritty and figure out which pages have no chance of ever collecting PHI, then separate them out from those that do, then figure out how to handle each, track some and not others – whew! Never mind, you get the idea. The reality is there are many situations where you may think it’s safe but it’s not, and again the risk is just too high.
Think of it at the page level – if an unauthenticated user visits a page about specific health conditions like liver disease, or searches for a doctor, or reads a blog about pregnancy – all of those activities can be connected to their IP, making it PHI. If any of that is collected by or sent to a technology vendor, HIPAA rules apply. The same goes for mobile applications.
The simple solution is to stop using third-party vendors to capture, store, or analyze data.
What about all the privacy compliance stuff on my website?
Still a no-go. Standard GDPR-type compliance banners and privacy declarations aren’t HIPAA-compliant. Again, any authorization must be a valid HIPAA authorization. To be clear:
- Including it in your privacy policy, notice, terms and conditions, etc. won’t cut it
- Website or cookie banners that ask for permission to use tracking technologies won’t cut it
- Your technology vendor can’t just agree to remove PHI or “de-identify” it.
I still need to track data to provide a great patient experience - what do I do?
The first thing any healthcare organization should do is evaluate your technology vendors: First, do they meet the definition of a business associate? Second, are the disclosures made to the vendor permitted by the Privacy Rule?
If the two above conditions are met, get a signed BAA that expressly lays out the vendor’s permitted uses and disclosures of PHI, and that the vendor will safeguard the PHI (HINT: this means they have to be HIPAA-compliant too).
Remember, any breaches on the part of your vendors will reflect on you as well.
The best solution is to scrap all that and simplify your life by using a first-party data capture solution that you own and control, directly within your HIPAA-protected environment. That’s the only sure-fire way to ensure you’re fully compliant, and not accidentally collecting risky information through messy JavaScript tags or backend IP or Device ID collection.
Some vendors will try to tell you there are ways to track visitor data without violating HIPAA – like using an analytics tool that supports two-factor authentication or enabling IP Anonymization and Data Masking. Neither of these are enough. Any third-party services connected to web analytics tools must comply with HIPAA for the entire system to remain compliant and secure. The only way to ensure compliance is to use web analytics and data capture solutions that don’t rely on cookies or third-party technology for monitoring user behavior.
It's also important for healthcare marketers to review all related policies and procedures on a regular basis to ensure continuous compliance with HIPAA regulations. Using a first-party data capture solution you own and control is the only secure way to track user behavior and build robust digital patient data models without putting patient privacy at risk.
Is Google Analytics HIPAA compliant?
While many healthcare organizations are aware that certain procedures must be followed when handling personal health information (PHI), there’s a lot of confusion around whether Google Analytics is HIPAA compliant.
The short answer is no. Despite features like IP Anonymization and data masking, you’ll never get a BAA from Google, and they even provide a HIPAA disclaimer they’re not HIPAA-compliant and you can’t use Google Analytics in any way associated with PHI.
What about GA4? Won’t that fix it?
Google recently announced they’ll be retiring the current version of Google Analytics, forcing all users to transition to the new version, Google Analytics 4 (GA4), by July 2023. The move is primarily privacy-related, addressing widespread privacy issues Google has struggled with in relation to their analytics offerings. GA4 provides enhanced privacy controls for both consumers and businesses and removes the previous reliance on cookies and IP-based user tracking. They’re leveraging Machine Learning and AI to change the type of data that’s accessible, changing the reporting interface itself, updating integrations with third-party tools, and making updates to tracking actions – specifically events and goals.
The new GA4 doesn’t log or store IP addresses, but it does still use device IDs and there’s a whole host of other problems related to making that switch. Although GA4 is a positive step in the direction of general privacy protection, it’s still a third-party tracker and always will be - which means it can’t ever be HIPAA-compliant. The new directive issued in January clearly advises healthcare organizations NOT to use third-party trackers, and it’s really that simple. Time to find yourself a first-party data solution!