Summary: For the past decade, healthcare teams have used web trackers that enable digital analytics and advertising without regard for HIPAA compliance. That all changed in late 2022 with the new web tracking guidance from HHS. Suddenly, healthcare teams had to entirely rethink their use of traditional web trackers. The new guidance doesn't mean healthcare teams have to stop using digital ads and analytics; it means they must take a different approach to using those tools — a privacy-first approach. This article will help healthcare teams understand how a privacy-first approach to ads and analytics is the only way forward if covered entities want their websites to remain HIPAA compliant.
If you've ever bought something from a forward-thinking e-commerce company like Lululemon, you know the experience can be seamless: Visit their website, casually browse their products, put a few in your cart, see other products that are similar and check out in just a few clicks. Even if you leave their website without buying anything, you'll see ads for their products on Instagram, TikTok, Reddit and other digital platforms.
That seamlessness is controlled primarily through web trackers. For healthcare marketers, those web trackers come with a risk of HIPAA violations, which means healthcare marketers mostly avoid them. As a result, healthcare marketing doesn't feel as seamless as e-commerce.
It's not that healthcare marketers want to be old fashioned. Healthcare marketers are limited by what they can do because of uncertainty surrounding patient data privacy as it relates to HIPAA. Hyper-targeted advertising, personalization and timely messaging have been off-limits to many healthcare organizations.
That's not fair to healthcare marketers because they're competing for the attention of the same consumers as Target, Amazon and others. Consumers expect great experiences, but healthcare marketers can't provide that because of data privacy limitations.
But that's all changing with the Office for Civil Rights at HHS' latest guidance on web tracking technologies. I know you just read that sentence and are thinking to yourself, "No, the latest guidance made it even harder to use web tracking technologies to create great marketing experiences."
Truthfully, the latest guidance left the door open for healthcare marketers to use web tracking technologies. The guidance made it clear exactly what you can and cannot do. And when you know the rules of the game, you can develop a strategy to win.
What the guidance says
The guidance is extremely thorough, but it all comes down to one passage:
"Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules."
Let's zero in on just one part of that passage: impermissible disclosures of PHI. That's the part that says, "Don't share PHI with a web tracker unless you have privacy protection in place." Privacy protection means having in place either a business associate agreement (BAA) with the web tracking vendor or a governance tool, like a healthcare privacy platform, to prevent PHI from getting to those vendors.
The guidance isn't saying, "Don't use tracking technologies at all." It's just saying, "think about data privacy and put protections in place before using one of those trackers."
Essentially, the entirety of the guidance is saying not to use tracking technologies that collect PHI if you can't control what data those tracking technologies collect.
And that's the key: control of PHI. If you can control PHI, you can control compliance.
Why web trackers are a problem for HIPAA compliance
Web trackers that exist on your website are most often used for ads, analytics and personalization. Here are a few examples:
- google-analytics.com – The URL that loads Google Analytics
- g.doubleclick.net – The URL that loads Google Ads
- facebook.net – The URL that loads the Facebook pixel
Each one of those, and dozens of others, collects PHI about your website visitors. Sharing PHI with those web trackers, without a BAA, is a HIPAA violation.
Web trackers collect PHI through IP addresses and health information that exists on your website. All web trackers have access to IP addresses, which is a personal identifier. HHS specifically says "All geographic subdivisions smaller than a state" are personal identifiers. IP addresses are, without a doubt, "geographic subdivisions smaller than a state."
And most healthcare websites contain health information through the videos and pages on their websites. A webpage about osteoporosis, for example, contains health information.
So, when a website visitor visits that page about osteoporosis, the Google Analytics web tracker now knows the IP address of that visitor and health information about them based on the pages they viewed.
The same holds true for any otherweb tracker on your website that enables high-performance marketing.
But, as stated earlier, it's all about controlling PHI. If you take a privacy-first approach to ads, analytics and the other tools that enable high-performance marketing, you'll be able to control PHI.
The door is open for a privacy-first approach
A quick recap of everything so far:
- Healthcare marketers want to use web trackers, but many don't think they can.
- The OCR HHS' guidance made it seemingly more difficult to use web trackers.
- Web trackers collect PHI by default.
- If you take a privacy-first approach, you can control the flow of PHI to those web trackers.
Let's talk about that privacy-first approach. A privacy-first approach is a five-step framework that requires healthcare marketers to evaluate web trackers to determine their HIPAA risk:
- Audit - Collaborate with your product, marketing, IT and legal teams to create an inventory of all the tracking technologies that exist on your website. Then, assess the functionality and purpose of each identified tracking tool.
- Analyze - Examine whether the tracking tools are receiving PHI by reviewing the data each tool collects. If the tool collects PHI, note it on your audit list for further action.
- Verify - Ensure a comprehensive BAA is in place with each tool collecting PHI. If no BAA exists, consider alternative tools, or move to the next step.
- Govern - For tools without a BAA, use a healthcare privacy platform to govern the flow of PHI to those tools. These platforms should sit between the website and marketing tools to ensure no PHI reaches unauthorized tools.
- Monitor - Continuously monitor your website for new tracking technologies that might be added and ensure they comply with the privacy-first approach. Any new tools found should be analyzed and verified as in previous steps.
If you take this privacy-first approach to web tracking as a healthcare professional, you'll be able to ensure HIPAA compliance while unlocking the same high-performance marketing experiences that innovative startups and forward-thinking e-commerce companies have enjoyed for years.
To learn more about bridging the gap between patient privacy and digital marketing, visit freshpaint.io