What You Need to Know About Analytics and HIPAA

In 2023, the FTC fined BetterHelp and GoodRx for failing to protect patients’ private health information under HIPAA rules. Regulators also notified 130 or so hospital systems that healthcare entities are responsible for safeguarding PHI, even on services like Google Analytics.

This represents a significant shift in the way HIPAA is enforced. For healthcare organizations and their marketing teams, these rules intersect common marketing best practices in ways that require some adjustment. After all, creating custom experiences for web visitors means tracking who visits your website, which procedures are popular, providing easy ways to communicate, and more.

Creating an individualized marketing experience while staying on the right side of HIPAA regulations can seem like a tall task, but it is not impossible.

Tracking Data and HIPAA

Most marketing teams use several types of tracking software, such as tracking pixels or Google Analytics. The goal of these tools is simply to gather better information so your marketing campaigns can be tailored to patients.

Under current HHS guidance, these tracking tools are not allowed to collect any two or more pieces of Protected Health Information (PHI). This can include the name or location of the user, as well as the user’s IP address. Doing so would now be considered a HIPAA violation. If you collect only a user’s age, for example, that is not a HIPAA violation. The violation comes in when you are collecting two or more pieces of PHI.

Some versions of Google Analytics, such as Universal Analytics and Google Analytics 360, automatically store and track IP addresses. That would now be considered a HIPAA violation. Google Analytics 4 is said not to track IP addresses, but this is still under debate.

What Do You Need to be Watching?

Most marketing campaigns rely on a wide variety of tools in order to achieve their goals. Not all of these tools represent a HIPAA compliance risk, but some of them might. The most common places where PHI may be hiding include the following:

  • Analytics tracking
  • Pixels on site
  • Form fills
  • Where form information is stored
  • Hosting
  • Cloud storage
  • Plugins and apps
  • Platforms used for local SEO or reviews
  • Video on your website
  • Maps on your website
  • And possibly more!

It’s important to ensure that PHI is protected no matter where in your electronic ecosystem it may reside.

How to Market with Success in this New Environment

There’s the potential for healthcare providers to feel caught between a rock and a hard place here. Individualized, custom marketing is critical to growth in a patient-as-consumer healthcare ecosystem. But some of the most potent tools at your disposal are now significant compliance risks. How should you proceed?

Luckily, there are a few things you can do to protect yourself. None of this should be construed as legal advice. We are not lawyers. Instead, we simply offer insight into our experience as healthcare marketers who have helped clients navigate this challenging dynamic.

So, here are a few things you can do:

Touch Base with Your Compliance Team (and Your Lawyers)

One of your first steps should be making sure your HIPAA compliance team (and your compliance attorneys) know that all vendors, including analytics software and third-party plugins, must be HIPAA compliant. It is also worth discussing what kind of data these tracking tools collect (and where that data goes).

Even if you think everything is already HIPAA compliant, it’s probably worth re-checking and reviewing with your compliance team just to be sure. You can also use the Security Risk Assessment Tool from the Office of the National Coordinator for Health Information Technology (ONC).

Invest in a CDP

A customer data platform, or CDP, is a tool that helps you manage information from third-party tracking tools. The key distinction is that it can help you anonymize the PHI you collect. (This means that using a HIPAA compliant CDP and setting it up properly is absolutely critical.)

Which CDP service is “best” will depend on your needs and goals. Options include Salesforce, RudderStack, and many others.

Use HIPAA Compliant Tracking Software

This one might seem obvious, but it’s worth noting, because not everyone is aware that HIPAA compliant analytics solutions are even an option! The OCR recommends the following resources to help:

These resources can help provide you with the knowledge and tools you need to help ensure your web presence is HIPAA compliant. Working with an experienced healthcare marketing agency, such as PatientX, can help guide you on HIPAA compliant solutions in the digital space.

The Department of Health and Human Services also recommends either:

  • Only using analytics services that are willing to sign a Business Associate Agreement (or BAA)
  • Signing with a BAA vendor that can de-identify information before that information makes its way to your analytics platform.
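As an added example, not code from the original post or from any vendor, here is a hypothetical server-side de-identification step of the kind the second option above describes: it drops the IP address and sub-state geography (the identifiers discussed under “Tracking Data and HIPAA”) and redacts identifiers from URLs and titles before an event is forwarded to an analytics platform. The event field names, the sensitive-parameter list and the sample event are all constructed assumptions.

```python
# Added example (not from the original post): de-identify a web analytics
# event before it leaves your infrastructure. Field names are hypothetical.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed list of query parameters that map to identifiers; extend it
# to match the forms and links on your own site.
SENSITIVE_PARAMS = {"name", "first_name", "last_name", "email", "phone", "dob", "mrn"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")  # full date -> year only


def scrub_text(value: str) -> str:
    """Redact e-mail addresses, phone numbers and full dates in free text."""
    value = EMAIL_RE.sub("[email]", value)
    value = PHONE_RE.sub("[phone]", value)
    return DATE_RE.sub(r"\1", value)


def scrub_url(url: str) -> str:
    """Drop sensitive query parameters, redact the path, drop the fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, scrub_text(parts.path),
                       urlencode(kept), ""))


def deidentify_event(event: dict) -> tuple[dict, list[str]]:
    """Return (sanitized event, names of the fields that were changed)."""
    out = dict(event)
    removed = []
    # An IP address is itself an identifier: drop it rather than truncate it.
    if out.pop("ip", None) is not None:
        removed.append("ip")
    # Geography finer than state is an identifier: keep only the state.
    geo = out.get("geo")
    if isinstance(geo, dict) and set(geo) - {"state"}:
        out["geo"] = {"state": geo.get("state")}
        removed.append("geo")
    for field in ("page_url", "referrer"):
        if field in out:
            cleaned = scrub_url(out[field])
            if cleaned != out[field]:
                removed.append(field)
            out[field] = cleaned
    if "page_title" in out:
        out["page_title"] = scrub_text(out["page_title"])
    return out, removed


SAMPLE_EVENT = {  # constructed sample, not real traffic
    "ip": "203.0.113.7",
    "geo": {"state": "TX", "city": "Austin", "zip": "78701"},
    "page_url": "https://clinic.example/book?service=dermatology&email=jane@example.com&dob=1980-02-14",
    "page_title": "Book Dermatology",
}
```

Run the sample event through `deidentify_event` and forward only the first element of the result; the second element is what you would log internally to spot pages that are leaking identifiers into URLs.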

Focus on the Patient Experience

As you look at updating your HIPAA compliance strategies, it’s important to keep an eye on the overall experience of your patients. Do patients find it easy to use your website and make appointments? Does every patient feel welcome when they walk into your facility? Are patient expectations realistic? These are all aspects of the patient experience that you can help tailor through marketing, and they should stay top of mind even as you change aspects of your marketing strategy that patients will never see.

There is a Way Forward

It’s important to emphasize that (and again, this is not legal advice) there are ways to reconcile HIPAA compliance with your data-driven marketing needs.

Often, this will simply mean having the right policies in place, using the correct tools, and ensuring marketing staff are properly trained when it comes to HIPAA. If you have questions about how or where to start, the team at PatientX is here to help. Contact us today!

*** The content of this blog is meant to guide you but regulations change quickly so all information should be carefully considered. We advise you to consult with your compliance team and/or your attorneys with any questions.