With new HIPAA standards introduced late in 2022, there are a lot of questions swirling throughout the healthcare industry about how to be data-driven marketers in this digital age without overstepping the latest HIPAA standards. Which tools are usable? Some of the most common tools, such as Google Analytics, are now in question as to whether they can be used at all. (HINT: They can, but you need to take some steps for it to be compliant. Keep reading.)
Most medical websites provide information about diseases and/or treatments, doctors that treat those conditions, and even an opportunity to request a new patient appointment through public-facing web pages, meaning visitors do not need to log in to view these things.
In the new HIPAA guidelines, specific data points about visitors to these pages, whether they are patients now or could be in the future, are considered PHI. That's right, nearly every visitor to your medical website will now need to have their data protected equally.
There are some exceptions, but in general, you will need to evaluate what you're collecting through your website and where it's being stored.
It's critical that information about medical website visitors is not passed on to third parties for the purpose of sending them individualized advertisements. The new rule states:
"Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules."
Essentially, no more re-marketing is allowed. This doesn't mean you can't advertise; you just can't customize ads specific to a visitor's "interests" that you noticed during their time on your website.
If you work in healthcare, you're already familiar with individually identifying information that you have to protect for patients. Now you'll need to do that for all visitors if they are looking at a medical condition, requesting an appointment, or searching for a physician who treats a specific condition. PLUS, there were some new data points added to the list:
Read more in our blog: 4 Datapoints You May Not Realize are PHI and What to Do About Them
The knee-jerk reaction for many organizations was to just take Google Analytics off their website and stop running all ads. But where does that leave marketers and administrators responsible for increasing patients through an online presence?
Let's take a look at what changes you may need to make if you haven't already.
If your medical website, including physical and mental health services, has any of the following options on it for all visitors, then yes, you must be sure all data is collected and stored in a HIPAA-compliant manner.
Yes, they do. The addition of the following verbiage to the HIPAA standards now includes all visitors to a healthcare website:
"Individually identifiable health information" is information, including demographic data, that relates to the individual's past, present, or future physical or mental health or condition...
You should now be protecting all information that comes through your website as you have been for patients. There's a bit of a catch, however. There are more data points considered PHI than what you can see on a completed form. You cannot store information about the visitor's IP address, device ID, or location more granular than their state. This can be a bit tricky! However, there are ways to avoid sharing this information with third parties such as Google Analytics.
Google has made a lot of privacy updates in the past few years. However, their focus has been on meeting the European GDPR privacy requirements. While some of those requirements cross over with HIPAA, Google Analytics does not meet all of the requirements and will not sign a Business Associate Agreement (BAA).
Google has stated they are no longer storing IP addresses as part of their privacy updates. However, your visitors' device IDs and geographic locations smaller than a state are still in their system. Additionally, because some visitors will be logged into their Google account while using your website, Google Analytics will connect the user account to their activity and store that information on their non-HIPAA-compliant servers.
Not necessarily. If you have information about a medical or mental health condition on your website, you must be sure you're not storing information about the visitor's device, their IP address, and their location on non-HIPAA-compliant servers. If you're using Google Analytics, there's a chance that this information is being stored by Google, and you'll need to make some updates. Start by going through Google and turning off their access to personal information as best you can.
The Meta (also called Facebook) pixel is designed to track your visitors' activity on your website so that you can serve more customized ads to those same people through Facebook. This is precisely what HHS is trying to avoid. Even if you're not using the remarketing feature, the pixel is still collecting data about visitors that can't be left on a non-HIPAA-compliant server.
If your website has this pixel or any other ad pixel, it should be removed as soon as possible unless the company that has created the pixel will sign a BAA to ensure the visitor data is stored on a compliant server.
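Before you can remove an ad pixel or lock down Google Analytics, you need to know which pages actually load them. The following audit helper is an added example, not code from the original post: it scans a page's HTML for the Meta pixel and Google tags described above and reports whether an inline gtag config has the Google-documented `allow_google_signals` and `allow_ad_personalization_signals` settings turned off (the settings that let GA link activity to signed-in Google accounts). The host list, script patterns and sample page with placeholder IDs are my assumptions.

```javascript
// Added audit helper, not code from the original post. Scans an HTML page for
// third-party tracking tags so a site owner can list what loads on pages about
// conditions or appointments. Host list and patterns are assumptions based on
// the vendors' publicly documented tag URLs and snippet shapes.
const TRACKER_HOSTS = {
  'connect.facebook.net': 'Meta (Facebook) pixel',
  'www.googletagmanager.com': 'Google tag (gtag.js / Tag Manager)',
  'www.google-analytics.com': 'Google Analytics',
};
// True when an inline gtag config turns off Google signals and ad personalization,
// the documented settings that stop GA from tying activity to signed-in accounts.
function gtagSignalsDisabled(inlineJs) {
  return /allow_google_signals\s*:\s*false/.test(inlineJs) &&
         /allow_ad_personalization_signals\s*:\s*false/.test(inlineJs);
}
// Returns one finding per tracker tag found: { vendor, src[, signalsDisabled] }.
function auditTrackers(html) {
  const findings = [];
  const srcRe = /<script[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    let host;
    try { host = new URL(m[1], 'https://example.invalid/').hostname; } catch { continue; }
    if (TRACKER_HOSTS[host]) findings.push({ vendor: TRACKER_HOSTS[host], src: m[1] });
  }
  // Inline scripts (no src attribute): look for pixel init and gtag config calls.
  const inlineRe = /<script(?![^>]*\ssrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    const js = m[1];
    if (/fbq\(\s*['"]init['"]/.test(js)) findings.push({ vendor: 'Meta (Facebook) pixel', src: 'inline fbq init' });
    if (/gtag\(\s*['"]config['"]/.test(js)) {
      findings.push({ vendor: 'Google Analytics', src: 'inline gtag config',
                      signalsDisabled: gtagSignalsDisabled(js) });
    }
  }
  return findings;
}
// Constructed sample page with placeholder IDs: GA at its defaults plus a Meta pixel.
const SAMPLE_HTML = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>gtag('js', new Date()); gtag('config', 'G-PLACEHOLDER');</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>`;
```

Run `auditTrackers` over each public template of your site; a non-empty result on a condition or appointment page is a tag whose vendor must either sign a BAA or be removed.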
Collecting information for an appointment or to request medical records through your website is certainly acceptable, even on public-facing pages. You need to, however, be sure that the form service or appointment request service will sign a BAA and ensure that your data is stored in a HIPAA-compliant manner. There are also steps that need to be taken when notifying your staff via email of the request to be sure you remain compliant.
Depending on how your website is built, there can be other ways PHI is being stored in an unsecured way. WordPress websites use many different plugins. Each one will need to be evaluated. There are other content management systems that will store information, including IP addresses, about visitors unless you turn off various features.
There are quite a few options out there for anonymizing your website information and using HIPAA-compliant web services. Figuring out which are best for you can be overwhelming as you try to sort through each web service and what it stores. We are available to talk you through what you have now and recommendations for what you can do to make the website compliant.