If you’ve spent any time in the healthcare marketing space over the last year, you’ve likely heard the rumblings of frustration, and even confusion, from your peers regarding HIPAA and online tracking. You may have even felt panic after learning of the lawsuits brought against major healthcare systems over their alleged unauthorized disclosure of patient data to third parties through tracking technologies.
In a world where nearly every move we make online is tracked and recorded, concerns related to patient privacy have caused the U.S. Department of Health and Human Services (HHS) to join the conversation about tracking user behavior online. In December 2022, the HHS issued guidelines emphasizing the responsibility of healthcare companies to protect patient data when using online tracking technologies.
While it may seem obvious that healthcare entities should not be capturing protected health information (PHI) through any online marketing avenues, the guidelines raise questions over what HHS considers PHI in the first place. We can all agree that if I were to use my personal email to log in to my healthcare clinic’s online patient portal, and my email address is then sent to Google, that violates HIPAA. But the waters become a bit cloudy when we think about unauthenticated pages providing general health information.
For example, let’s say I visit a web page about migraines on my local healthcare clinic’s website. Would the clinic be in violation of HIPAA if my geographic location was shared with Google after this website visit? According to HHS, the answer is yes. They write, “…even if the individual does not have an existing relationship with the regulated entity, and even if the… IP address or geographic location does not include specific treatment or billing information like dates and types of health care services… all such [information] collected on a regulated entity’s website or mobile app generally is PHI.”
Given this example, it seems like healthcare marketers are pretty much always in violation of HIPAA when tracking technologies, such as Google Analytics, are placed on their website. So what now? Is healthcare doomed to revert to the dark ages, before tracking and attribution were possible?
Not quite! Fortunately, technology solutions already exist to help navigate the treacherous waters of HIPAA in 2023.
Unlike Google and Meta, some alternative vendors will sign a Business Associate Agreement (BAA), a legally binding agreement between a HIPAA-covered entity and its business associate to protect PHI, thus ensuring the healthcare entity’s compliance with the HIPAA Rules. These technology solutions work by acting as a “middle-man” in the data tracking process: they receive the raw user data and de-identify it before sending it along to third-party tracking tools. With one of these solutions in place, tracking can stay status quo, allowing healthcare marketers to track user behavior without revealing the user.
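To make the “middle-man” idea concrete, here is an added example of what such a de-identifying relay does to a single tracking event. It is illustrative code written for this post, not any vendor’s product, and the field names (`page_url`, `client_id`, `device_category`), the sample event and the hard-coded key are all assumptions. The design choice worth noting is the allowlist: the relay forwards only fields it has decided are safe, derives coarsened versions of the rest (path instead of full URL, referrer host instead of full referrer, a keyed hash instead of the raw client id), and drops everything else, including the IP address and geolocation that HHS treats as PHI.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumption: in a real deployment this key comes from a secrets manager and is
# rotated; a hard-coded value is used here only so the example runs offline.
PSEUDONYM_KEY = b"example-relay-key-rotate-me"

# Allowlist: only these keys may leave the relay unchanged. IP address, email,
# precise geolocation, form contents and anything else unlisted is dropped.
FORWARDABLE = ("event", "timestamp", "device_category")

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def looks_identifying(value) -> bool:
    """Last-line check for values that should never reach a third party:
    email-like strings and dotted-quad IPv4 addresses."""
    if not isinstance(value, str):
        return False
    return "@" in value or bool(_IPV4.match(value))


def pseudonymize(client_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: the vendor gets a stable visitor token for session stitching
    but cannot recover the original cookie value without the relay's key."""
    return hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def deidentify_event(raw: dict) -> dict:
    """Build the outbound event from the allowlist plus derived, coarsened fields."""
    out = {k: raw[k] for k in FORWARDABLE if k in raw}
    if "page_url" in raw:
        # Keep only the path: query strings and fragments often carry search
        # terms, appointment ids or campaign parameters tied to a person.
        out["page_path"] = urlsplit(raw["page_url"]).path
    if "referrer" in raw:
        # Host only; the referrer's own query string is discarded as well.
        out["referrer_host"] = urlsplit(raw["referrer"]).netloc
    if "client_id" in raw:
        out["visitor_token"] = pseudonymize(raw["client_id"])
    # Defence in depth: if a forwarded value still looks like an identifier, drop it.
    return {k: v for k, v in out.items() if not looks_identifying(v)}


# Constructed sample of what a browser-side tag might post to the relay.
SAMPLE_EVENT = {
    "event": "page_view",
    "page_url": "https://clinic.example/conditions/migraine?q=migraine+treatment&appt=12345",
    "referrer": "https://www.google.com/search?q=migraine",
    "ip": "203.0.113.42",
    "email": "patient@example.com",
    "client_id": "GA1.2.111.222",
    "geo": {"lat": 40.1, "lon": -88.2},
    "timestamp": "2023-05-01T12:00:00Z",
    "device_category": "mobile",
}

if __name__ == "__main__":
    import json
    print(json.dumps(deidentify_event(SAMPLE_EVENT), indent=2))
```

Running it on the sample event yields only the event name, timestamp, device category, the page path `/conditions/migraine`, the referrer host and a 32-character visitor token; the IP, email, geolocation and the query string with its appointment id never leave the relay. The final `looks_identifying` filter is a safety net, not the primary control: the allowlist is what keeps new fields added to the site’s tag from leaking by default.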
Of course, nothing in life is free, and the same is true here. Healthcare marketers will need to account for an additional line item in their budget for one of these technology solutions. But it sure beats the cost of a lawsuit!
If you’ve run into trouble, or aren’t sure whether you’re in compliance, our team is happy to help. When it comes to advertising in healthcare, we understand how to navigate the nuances of data privacy, and we can help simplify the conversation.