Originally published March 25, 2024. UPDATED June 28, 2024
After the Department of Health & Human Services (HHS) broadened the definition of PHI at the end of 2022 and restricted the use of tracking technologies on public-facing web pages, we have yet another change. On June 20th, a U.S. District Court judge determined that some of the guidance was an overreach.
So, what part of the most recent HIPAA updates are still in effect, and what can we let go?
The judge specifically addressed the portion of the guidance that said you could not allow Google (or other third-party services with no BAA) to receive your web visitors' IP addresses if they are looking at public-facing pages related to physicians or health conditions. If you removed Google Analytics from your website when the December 2022 rules were released, it's probably safe to put it back.
That being said, we don't recommend you give Google Analytics carte blanche access to all of the information that they can collect about your web visitors. There are switches that can be turned on and off, giving them only what is absolutely necessary to report on your visitors.
It's also important to note that the judge did not issue a permanent judgment and the ruling could be appealed, which means these rules could come back in some form in the future.
Want to know what to do in Google Analytics 4? Set up a time to talk with our team.
Vacating the IP-address-plus-health-page-view portion of the guidance does not change other parts of the latest HIPAA requirements. Web trackers are still not acceptable, even on public-facing websites. That's because web trackers, like the Meta Pixel, collect more than an IP address. They also know which ad you clicked (through a click ID), which pages you viewed after clicking the ad, and which conversion actions you took. In many cases, that information can be tied to an email address.
By default, web trackers collect HIPAA identifiers, such as IP addresses, Ad Click IDs, and even email addresses, as well as health information like page URLs and button text. Those two components combined are considered Protected Health Information or PHI—and the HHS concluded that sharing PHI with a non-HIPAA-compliant tool was a privacy violation.
Google Ads can also fall into this category. While there is not a "pixel", there is code on your website that reports data about your visitors back to Google, including which pages they converted on, and, if they're a Google user, their name, and other browsing history.
Both Meta and Google offer the capability to "remarket" to website visitors based on the pages they viewed while on your website. To make remarketing work, the ad service, such as Facebook or Google, follows your website visitors to other sites to deliver your ad to them.
This is not recommended for healthcare companies. We've been saying this for years because it can nudge into a very personal zone and can make people uncomfortable when they see ads for a cancer center, a face lift, or any other medical condition appearing while visiting other websites. But now it's more than just uncomfy: the HIPAA rules require you to avoid using web tracking technologies on covered entities' websites.
The 2022 policy update stated that healthcare marketers were prohibited from using website trackers unless they obtained explicit permission from their website visitors. This led to the use of “consent banners” that appear when you visit a website. While there may be a need to disclose cookies used on your website to meet state privacy laws, that is not a part of the HIPAA rules. And simply asking for permission to track the visitor is not enough: PHI is still being collected and handed to non-HIPAA-compliant third parties.
NET NET: Asking permission to track the visitor doesn’t meet HHS requirements. You still can’t collect data that is considered PHI unless you're doing it through HIPAA-compliant forms or other services that have a BAA with the practice.
If your medical practice, hospital, or other covered entity has not yet taken steps to gather website data in a HIPAA-compliant way, and you want your marketing team to use 21st-century tactics, then follow these steps to get compliant:
You have to know what’s running to know what you may need to change. This can include the Facebook pixel, Google Ads, embedded forms, and any appointment-setting services.
If you’re not sure how to tell, we'll run a free audit for you.
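As an added example (not the article's code and not any vendor's tool), here is a small Python script that does the "know what's running" step offline: it parses a page's HTML, lists every external script, iframe and image pixel, labels the ones whose hosts belong to well-known ad and analytics vendors, and flags inline script that bootstraps those vendors' globals. The sample page, the hostname example-clinic.test, the scheduler host and every tag ID in it are constructed placeholders; the vendor hostnames are the public hosts those services load from.

```python
"""Inventory third-party tags embedded in a page's HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public hostnames of well-known ad/analytics vendors. Any other off-domain
# host is reported as an unknown third party that needs manual review.
KNOWN_VENDORS = {
    "googletagmanager.com": "Google Tag Manager / gtag.js",
    "google-analytics.com": "Google Analytics",
    "googleadservices.com": "Google Ads conversion",
    "doubleclick.net": "Google Ads / DoubleClick",
    "connect.facebook.net": "Meta Pixel (fbevents.js)",
    "facebook.com": "Meta Pixel (image beacon)",
}

# Substrings in inline <script> bodies that show a tracker was set up in-page.
INLINE_MARKERS = {
    "gtag(": "Google tag (gtag) call",
    "fbq(": "Meta Pixel (fbq) call",
    "dataLayer": "GTM dataLayer push",
}


def vendor_for(host):
    """Map a hostname (or any subdomain of it) to a known vendor label."""
    for suffix, name in KNOWN_VENDORS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


class _TagCollector(HTMLParser):
    """Collect src attributes of script/iframe/img tags and inline script text."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (tag name, src URL)
        self.inline = []      # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.resources.append(("script", a["src"]))
            else:
                self._in_script = True
                self._buf = []
        elif tag in ("iframe", "img") and a.get("src"):
            self.resources.append((tag, a["src"]))

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def inventory_trackers(html, first_party_host):
    """Return findings: dicts with kind, detail (host or marker) and vendor."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for kind, src in parser.resources:
        host = urlparse(src).hostname or ""
        # Relative URLs and the site's own domain are not third-party tags.
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue
        findings.append({"kind": kind, "detail": host,
                         "vendor": vendor_for(host) or "unknown third party (review)"})
    for body in parser.inline:
        for marker, label in INLINE_MARKERS.items():
            if marker in body:
                findings.append({"kind": "inline", "detail": marker, "vendor": label})
    return findings


# Constructed sample page; every ID below is a placeholder, not a real tag.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-PLACEHOLDER');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', 'PIXEL-ID-PLACEHOLDER'); fbq('track', 'PageView');</script>
<script src="/static/site.js"></script>
</head><body>
<h1>Oncology services</h1>
<noscript><img src="https://www.facebook.com/tr?id=PIXEL-ID-PLACEHOLDER&amp;ev=PageView" /></noscript>
<iframe src="https://forms.example-scheduler.test/embed/123"></iframe>
<img src="https://example-clinic.test/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for f in inventory_trackers(SAMPLE_HTML, "example-clinic.test"):
        print(f"{f['kind']:7} {f['detail']:35} {f['vendor']}")
```

Run it against a saved copy of each page template (or the HTML returned by a fetch of your own site) and compare the "unknown third party" lines against your BAA list; anything that loads from a vendor without a BAA on a page that describes a physician or a condition is the case the article is describing. The scan only sees tags present in the HTML, so tags injected later by a tag manager still need to be reviewed inside that tag manager's container.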
This is a lot to think about. To help you out, we offer a free masterclass that will show you how to conduct an audit of your website. See if there are services you need to address, either by anonymizing them (i.e., Google Ads and Google Analytics) or by changing to a HIPAA-compliant option.
If you'd like some help navigating all of this, we can help! Mark Croft is our HIPAA-certified technology expert who can walk you through what you have running and what we can recommend to be sure your ads are not sending PHI to services like Meta and Google.