When it comes to user data on the web, privacy is a growing concern. Nowhere is this more critical than in the healthcare sector, from major hospital groups to local providers, where HIPAA comes into play.
What HHS has said about online tracking technologies
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a bulletin on the use of online tracking technologies by HIPAA covered entities and business associates. Its central statement:
Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
The Office for Civil Rights (OCR)
To collect user data, a small piece of measurement code, often called a tag, is placed on your site. When it runs, it records user behavior (e.g. a user visiting a webpage or filling out a form) and sends it to your analytics platform, such as Google Analytics, to be processed into reports. The tag sends whatever it can see: the full URL of the page, the visitor's IP address, and any form fields or search terms it has been configured to capture. In the healthcare sector, that same mechanism can easily lead to privacy violations, because some of what the tag sees may be PHI.
What sort of PHI needs to be omitted from tracking?
Even on unauthenticated webpages, your website can be in violation of HIPAA if it gathers information that may contain PHI. Examples include:
- A health assessment widget that gathers name, email, or any other identifiable information
- An appointment scheduling form that asks for identifiable information
Imagine a user browsing a webpage about oncology who then fills out an appointment form. If Google Analytics is tracking the site, the form submission is sent alongside the visitor's IP address and geographic data, so the analytics vendor now holds an identifier tied to a specific medical context. That is most likely an impermissible disclosure unless tracking has been configured to keep PHI out.
Geographic data is only one example; many other dimensions and metrics are routinely sent to Google Analytics and Google Ads. The lists below separate what can be collected safely from what cannot.
Examples of what CAN be safely collected:
- Aggregated pageview data (total visitors, pages per session)
- Anonymized user flow patterns
- Campaign performance metrics (conversion rates from marketing campaigns)
- Device categories and browser types (stripped of identifying details)
- General geographic data (country/region level, not specific locations)
- Time-based metrics (average session duration, peak usage times)
Examples of what CANNOT be collected:
- IP addresses
- Patient portal activity
- Form submissions containing health information
- Search queries containing medical conditions or symptoms
- Insurance information
- Appointment scheduling details
- Any URL parameters containing patient identifiers
The importance of a BAA for HIPAA compliance
Google's terms for Google Analytics prohibit sending data that Google could recognize as personally identifiable information (PII), and they require customers not to use Google Analytics in any way that would create HIPAA obligations for Google. Google does not offer a Business Associate Agreement (BAA) for Google Analytics, so it cannot be used to handle PHI. A healthcare provider that lets a third-party vendor handle PHI on its behalf must have a BAA with that vendor. Since Google will not accept PHI and will not sign a BAA, how can healthcare organizations use tracking technology at all?
How Pilot can help your healthcare organization remain HIPAA-compliant
There are solutions for healthcare providers and organizations that want to run a modern digital business with all the marketing tools needed to optimize and grow (user analytics, conversion tracking for Google Ads and Meta campaigns, and so on) while staying compliant and getting the peace of mind of a signed BAA. These are server-side privacy platforms, which act as a middle-man between the client (the web browser) and an analytics platform such as Google Analytics, Google Ads or Meta. The browser sends its events to the platform's server, which is covered by a BAA, rather than to the vendor directly. Before any data is forwarded to the destination platform, all PHI is stripped out of the events: identifiers are removed, precise location is coarsened, and events that carry health information are dropped. The data that reaches your marketing platform is therefore free of PHI. One practical consequence is that the vendor's own client-side tag must not be loaded on the page at all, since it would transmit the raw event straight to the vendor and bypass the scrubbing.
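The following is an added example, not Freshpaint's, Google's or any vendor's code, of what the scrubbing step on such a server-side proxy looks like. It turns the CAN / CANNOT lists above into enforceable rules: an allow-list of event fields (so IP address, user IDs, form fields and anything unlisted are dropped by default), removal of URL parameters that could carry patient identifiers, coarsening of location to country/region, redaction of search terms that name a medical condition, and outright dropping of event types that are PHI by definition (form submissions, portal activity, appointment and insurance details). The event field names, the identifier parameter names, the event-type names and the medical-term vocabulary are all assumptions chosen for illustration; the sample events are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Fields an event may carry to the analytics destination (assumed names).
# Anything not listed (ip, user_id, form fields, cookies, precise geo) is
# dropped by default, which is the safe direction for an allow-list.
ALLOWED_FIELDS = {
    "event", "page_path", "search_term", "device_category", "browser",
    "geo", "campaign", "timestamp",
}

# Event types that carry PHI by definition (assumed names); never forwarded.
# All form submissions are dropped here rather than inspected, which is the
# conservative choice when any form on the site may ask for health details.
DROPPED_EVENTS = {
    "form_submit", "portal_activity", "appointment_scheduled", "insurance_submitted",
}

# Query parameters that could identify a patient (assumed names).
IDENTIFIER_PARAMS = {"patient_id", "mrn", "member_id", "email", "phone", "name", "dob"}

# Illustrative vocabulary only; a real deployment needs a maintained list.
MEDICAL_TERMS = re.compile(
    r"\b(oncolog\w*|cancer|chemotherap\w*|hiv|diabet\w*|depress\w*|pregnan\w*)\b",
    re.IGNORECASE,
)

REDACTED = "[redacted]"


def scrub_url(url: str) -> str:
    """Remove query parameters that could carry a patient identifier."""
    parts = urlsplit(url)
    kept = [
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in IDENTIFIER_PARAMS
    ]
    # Fragments can carry single-page-app state (e.g. a record id); drop them too.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def coarsen_geo(geo: dict) -> dict:
    """Keep country/region only; city, postal code and coordinates are discarded."""
    return {k: geo[k] for k in ("country", "region") if k in geo}


def scrub_event(event: dict):
    """Return a PHI-free copy of an analytics event, or None if it must be dropped."""
    if event.get("event") in DROPPED_EVENTS:
        return None
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    if "page_path" in out:
        out["page_path"] = scrub_url(out["page_path"])
    if "geo" in out:
        out["geo"] = coarsen_geo(out["geo"])
    if "search_term" in out and MEDICAL_TERMS.search(out["search_term"]):
        out["search_term"] = REDACTED
    return out


def forward_all(events):
    """Scrub every event and return only those that are safe to send downstream."""
    return [s for s in (scrub_event(e) for e in events) if s is not None]


# Constructed sample events, shaped like what a browser-side tag might send to the proxy.
SAMPLE_EVENTS = [
    {"event": "page_view", "ip": "203.0.113.7", "user_id": "u-77",
     "page_path": "/services/oncology/schedule?patient_id=12345&utm_source=google",
     "geo": {"country": "US", "region": "CA", "city": "Fresno", "lat": 36.7, "lon": -119.8},
     "device_category": "mobile", "browser": "Chrome"},
    {"event": "form_submit", "ip": "203.0.113.7",
     "fields": {"name": "J. Doe", "email": "jdoe@example.com", "reason": "chemo follow-up"}},
    {"event": "search", "ip": "203.0.113.7", "search_term": "chemotherapy side effects"},
    {"event": "search", "ip": "203.0.113.7", "search_term": "visitor parking"},
]

if __name__ == "__main__":
    for scrubbed in forward_all(SAMPLE_EVENTS):
        print(scrubbed)
```

Note what survives for the first event: the oncology page path is forwarded, but only because the IP address, user ID and city-level location that would tie it to a person have been removed first; that is what makes it the "aggregated pageview data" from the list above rather than a disclosure. The allow-list is deliberately the primary control: a deny-list of known PHI fields would silently pass any new field a front-end developer adds later.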
These platforms ensure that sensitive data from your website is never shared with tools that are not HIPAA-compliant. By using a BAA-supported platform like Freshpaint, we are able to help your healthcare organization collect website data without sharing PHI with your analytics platforms. Unlike other digital marketing companies, we have the unique advantage of harnessing web analytics for healthcare organizations while remaining HIPAA-compliant to help you grow your business.
Contact us today to learn more about how we can help your healthcare organization remain HIPAA-compliant.