Medical data privacy is an important part of HIPAA data compliance. So, how do advertisers provide a tailored online experience without violating guidelines?

Healthcare Tracking in a Privacy-Centric World

HIPAA Data Compliance and Data Collection for Healthcare Providers

An infographic showing data privacy and user experience coexisting. Striking a balance between these two seemingly polar opposites in the realm of medical data privacy is critical for HIPAA data compliance.

The Situation

In today’s digital landscape, consumers expect two things that sometimes oppose each other: medical data privacy and a tailored and personalized user experience.

Concerns have been growing since 2022 about what Google Analytics and the Meta Pixel collect and share for advertising and tracking purposes without explicit consent from individuals. More recently, the HHS Office for Civil Rights released a bulletin reiterating that identifiers collected through tracking technologies, IP addresses included, can be protected health information (PHI) when they are tied to a person's visit to a regulated entity's website or app, and that disclosing such data to a tracking vendor without a business associate agreement or a valid HIPAA authorization violates the HIPAA Privacy Rule. The bulletin did not change the de-identification standard: under the Privacy Rule's long-standing Safe Harbor method, 18 categories of identifiers, IP addresses among them, must be removed from a data set before it is considered "de-identified" and falls outside HIPAA.

An infographic outlining the next steps for HIPAA data compliance a healthcare provider should take. The infographic indicates “Meta Pixel Removal,” “GA4 Page Tracking on Sensitive Pages,” and “Suspend Google Analytics.”

Options for Consideration

  • Remove the Meta Pixel and shift to optimizing Facebook/Instagram campaigns for reach or clicks instead of conversions.
    • Infinity shifted to treating Facebook as an awareness tactic within the last year anyway, due to other tracking limitations, so the biggest impact would simply be on evaluating year-over-year (YoY) metrics.
  • Check in with legal, compliance, and IT to establish baseline expectations and definitions for what your organization treats as protected health information (PHI) or personally identifiable information (PII), and which vendors will require a business associate agreement (BAA) or other documentation.
    • Identify what your organization’s risk threshold is based on the latest bulletin updates.
    • Follow the news, lawsuits, and additional bulletins.
    • Look at precedent as the best guidance.
  • Audit all existing platforms, tracking tags, scripts, and pixels across digital platforms and the tech landscape, and determine what is being collected and passed, to whom, and when.
    • Some may not be as obvious and require further situational discovery:
      • Heat mapping tools
      • QR code tracking strategies, including leveraging Bitly and other link-shortening services
      • Plug-ins on website
      • Web fonts that are not self-hosted
      • Google Maps or other map integration on a website
      • UTM parameters and/or tracking codes that feed into CRM systems
    • GA4 does not store IP addresses the way Universal Analytics did, but every hit still reaches Google's servers from the visitor's IP address together with the page URL, so take GA4 page tracking off all pages containing sensitive information (e.g., Find a Doctor, Location, Conditions or Service Lines).
    • Turn off any retargeting campaign efforts that take into account IP addresses and specific behaviors on a designated landing page or URL.
    • Suspend all Universal Analytics and GA4 event tracking tags in Google Tag Manager.
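The audit step above is easier to start from a static inventory of what a page actually loads. The following is an added example, not code from the original post or from Infinity: it scans a page's HTML for every element whose src/href/action makes the visitor's browser contact another host (each such request hands that host the visitor's IP address and, via the Referer header, the page URL), tags the easy-to-miss cases the list calls out (fonts, maps, heat mapping, link shorteners, UTM-carrying links), and catches inline `fbq`/`gtag` calls that never appear as a URL. The host patterns, the first-party hostname and the sample HTML are constructed for illustration and are not a complete catalogue of trackers.

```javascript
// Added example (not from the original post): static inventory of the third-party
// endpoints a page's HTML makes the browser contact. Host patterns and the sample
// page below are constructed assumptions, not a complete tracker catalogue.

// Assumption: an illustrative classification of hosts. Unmatched third-party
// hosts are still reported so nothing external slips through unlisted.
const KNOWN_HOSTS = [
  [/(^|\.)facebook\.(net|com)$/, "Meta Pixel"],
  [/(^|\.)googletagmanager\.com$/, "Google Tag Manager / gtag.js"],
  [/(^|\.)google-analytics\.com$/, "Google Analytics"],
  [/(^|\.)(hotjar\.com|clarity\.ms)$/, "Heat mapping / session replay"],
  [/^fonts\.(googleapis|gstatic)\.com$/, "Web font not self-hosted"],
  [/^maps\.googleapis\.com$/, "Google Maps embed"],
  [/^(bit\.ly|bitly\.com)$/, "Link shortener (click tracking)"],
];

// Tracker calls that live in inline scripts rather than in a URL attribute.
const INLINE_CALLS = [
  [/fbq\s*\(\s*["']init["']/, "Meta Pixel (inline fbq init)"],
  [/gtag\s*\(\s*["']config["']/, "Google Analytics (inline gtag config)"],
];

// Elements whose src/href/action attribute triggers a request or a click-out.
const REQUEST_ATTR = /<(script|img|iframe|link|form|a)\b[^>]*?\s(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;

function classifyHost(host) {
  const hit = KNOWN_HOSTS.find(([re]) => re.test(host));
  return hit ? hit[1] : "Unclassified third party";
}

// Returns one finding per (element type, host, carries-UTM) combination.
function auditHtml(html, firstPartyHost) {
  const findings = [];
  const seen = new Set();
  for (const m of html.matchAll(REQUEST_ATTR)) {
    const tag = m[1].toLowerCase();
    let url;
    try { url = new URL(m[2], `https://${firstPartyHost}/`); } catch { continue; }
    const host = url.hostname;
    const thirdParty = host !== firstPartyHost && !host.endsWith(`.${firstPartyHost}`);
    // First-party links only matter when campaign parameters ride on them:
    // UTM values can land in a CRM record next to a patient identity.
    const utm = [...url.searchParams.keys()].some((k) => k.startsWith("utm_"));
    if (!thirdParty && !utm) continue;
    const key = `${tag}|${host}|${utm}`;
    if (seen.has(key)) continue;
    seen.add(key);
    findings.push({ tag, host, category: thirdParty ? classifyHost(host) : "First party", utm });
  }
  for (const [re, label] of INLINE_CALLS) {
    if (re.test(html)) findings.push({ tag: "inline-script", host: null, category: label, utm: false });
  }
  return findings;
}

// Hosts that will see the visitor's IP address and the referring page URL.
function thirdPartyHosts(findings) {
  return [...new Set(findings.filter((f) => f.host && f.category !== "First party").map((f) => f.host))].sort();
}

// Constructed sample page: the kind of head/body a hospital marketing site ends up with.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer = window.dataLayer || []; gtag('config', 'G-XXXXXXX');</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="https://static.hotjar.com/c/hotjar-0.js?sv=6"></script>
</head><body>
<iframe src="https://maps.googleapis.com/maps/embed/v1/place?q=Example+Clinic"></iframe>
<a href="https://bit.ly/example-qr">Scan to book</a>
<a href="/schedule?utm_source=qr&utm_campaign=flu-shots">Book a flu shot</a>
<img src="/images/logo.png" alt="logo">
</body></html>`;

function run() {
  const findings = auditHtml(SAMPLE_HTML, "www.example-health.org");
  for (const f of findings) {
    console.log(`${f.tag.padEnd(13)} ${String(f.host).padEnd(28)} ${f.category}${f.utm ? " (carries UTM)" : ""}`);
  }
  return findings;
}
run();
```

Run it with `node` against the saved HTML of each template (not just the home page); a rendered-page crawl or the browser's network panel will surface tags injected at runtime by GTM that a static scan cannot see, so treat this inventory as the starting list for the audit rather than the final one.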

An infographic displaying a person using a computer, using an app, and then visiting their healthcare provider. The theme of the image is that using tailored information without violating HIPAA data compliance can lead to a better overall user experience.

Analysis

Healthcare organizations should carefully consider all the ways PHI may be used, disclosed, and accessed. The use, whether inadvertent or purposeful, of Google Analytics and the Meta Pixel has highlighted the need for organizations to think beyond routine practice and find ways to reconcile data privacy with the web analytics and marketing data they collect.

While HIPAA-covered entities and associated non-covered vendors have control over how they use and disclose information, they may determine there is an organizational need to utilize tracking services that could make certain web-based experiences easier or more efficient for patients, prospective patients, or the organization itself. For example, it could be determined that the use of tracking technology supports consumer experience and helps encourage the scheduling of preventive care. This would need to be determined on a case-by-case basis.

Health systems can still advertise in the digital space but need to be cautious with how prospective and current patients are engaging and interacting with the brand and the technology that is being used internally and by third parties. This is a very fluid and evolving situation, so health systems and agencies must be ready to make decisions and quick pivots as more comes to light. There is no one-size-fits-all or cookie-cutter solution – each health system needs to make the best decision based on the information they have and the level of risk the team is comfortable with.

  • Modify the tracking setup with either a companion platform that filters out PHI before anything is shared with Google Analytics, or a separate analytics platform that is willing to sign a BAA.
  • Suspend all digital campaign conversion tracking so that conversion data is not sent to the ad platforms.
    • Stop any automated (conversion-based) optimizations running for digital campaigns across platforms.
  • Alternatively, execute a server-side implementation of GA4, in which GTM tags run through a server the organization owns, and that server strips PHI (IP address, identifying URL parameters, user IDs, free-text that contains identifiers) before any data is shared with Google. Routing through your own server is what makes that removal possible; it does not by itself make the setup HIPAA compliant, and Google does not sign a BAA for Google Analytics, so whatever reaches Google must already be de-identified.
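What the "filter out PHI before sharing" option and the server-side GA4 option both come down to is a gate that sits between the browser and Google. The block below is an added example, not code from the original post, from Infinity or from Google: a PHI gate a first-party collector (a server-side GTM container or a small proxy in front of it) could apply to each event before forwarding it. It drops events from sensitive pages outright, never forwards the visitor's IP address or known identifier parameters, strips every URL query key except campaign parameters, truncates a referrer that points at a sensitive page, and redacts free-text values that look like Safe Harbor identifiers. The sensitive path prefixes, allowed query keys, parameter names and sample events are constructed assumptions, not a rule set from the post or from Google.

```javascript
// Added example (not from the original post): PHI gate for a server-side tagging
// hop. Path prefixes, query allow-list, parameter names and sample events are
// constructed assumptions for illustration.

// Pages whose URL alone reveals a condition, a provider search or an appointment
// flow. Events from these pages are dropped, not sanitised.
const SENSITIVE_PATH_PREFIXES = [
  "/find-a-doctor", "/locations", "/conditions", "/services", "/schedule", "/patient-portal",
];
// Campaign parameters are the only query keys allowed to reach Google.
const ALLOWED_QUERY_KEYS = new Set(["utm_source", "utm_medium", "utm_campaign"]);
// Parameters that are identifiers by definition and are never forwarded.
// client_ip is what the collector records from the connection; dropping it means
// Google only ever sees the collector's own address.
const BLOCKED_PARAMS = new Set([
  "client_ip", "ip_override", "user_id", "email", "phone", "mrn", "dob", "first_name", "last_name",
]);
// Free-text values are redacted when they look like a Safe Harbor identifier.
const IDENTIFIER_PATTERNS = [
  /[\w.+-]+@[\w-]+\.[\w.-]+/,             // e-mail address
  /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,    // US phone number
  /\b\d{3}-\d{2}-\d{4}\b/,                // Social Security number
  /\b\d{1,2}\/\d{1,2}\/\d{2,4}\b/,        // date such as a birth date or visit date
];

function isSensitivePath(rawUrl) {
  const path = new URL(rawUrl).pathname.toLowerCase();
  return SENSITIVE_PATH_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Keeps scheme, host and path; drops every query key not explicitly allowed and
// the fragment, which portals and single-page apps use for tokens and state.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (!ALLOWED_QUERY_KEYS.has(key)) url.searchParams.delete(key);
  }
  url.hash = "";
  return url.toString();
}

function redactValue(value) {
  if (typeof value !== "string") return value;
  return IDENTIFIER_PATTERNS.some((re) => re.test(value)) ? "[redacted]" : value;
}

// Decides whether one collected event may be forwarded, returns the payload that
// may go, and lists the reasons for the collector's own audit log.
function gateEvent(event) {
  const reasons = [];
  if (event.page_location && isSensitivePath(event.page_location)) {
    return { forward: false, payload: null, reasons: ["sensitive page " + new URL(event.page_location).pathname] };
  }
  const payload = {};
  for (const [key, value] of Object.entries(event)) {
    if (BLOCKED_PARAMS.has(key)) { reasons.push("dropped " + key); continue; }
    if (key === "page_referrer" && isSensitivePath(value)) {
      // Keep only the origin: the referring path itself would leak the sensitive page.
      payload[key] = new URL(value).origin + "/";
      reasons.push("truncated sensitive referrer");
      continue;
    }
    if (key === "page_location" || key === "page_referrer") {
      const cleaned = scrubUrl(value);
      if (cleaned !== value) reasons.push("stripped query/fragment from " + key);
      payload[key] = cleaned;
      continue;
    }
    const redacted = redactValue(value);
    if (redacted !== value) reasons.push("redacted " + key);
    payload[key] = redacted;
  }
  return { forward: true, payload, reasons };
}

// Constructed sample events, shaped like what a first-party collector receives.
const SAMPLE_EVENTS = [
  { name: "page_view", client_id: "1234.5678", client_ip: "203.0.113.7",
    page_location: "https://www.example-health.org/blog/flu-season?utm_source=qr&utm_campaign=flu&email=pat%40example.com",
    page_referrer: "https://www.example-health.org/conditions/diabetes" },
  { name: "form_submit", client_id: "1234.5678", client_ip: "203.0.113.7",
    page_location: "https://www.example-health.org/find-a-doctor/cardiology?zip=02115", user_id: "MRN-0001" },
  { name: "click", client_id: "9.9", client_ip: "198.51.100.2",
    page_location: "https://www.example-health.org/about", link_text: "Call 617-555-0123" },
];

function gateAll(events) {
  return events.map(gateEvent);
}

for (const [i, r] of gateAll(SAMPLE_EVENTS).entries()) {
  console.log(`event ${i}: forward=${r.forward} reasons=${r.reasons.join("; ")}`);
}
```

Two design points worth keeping when adapting this: the sensitive-page check is a whole-event block, because a sanitised hit from a condition page still tells Google that this pseudonymous client visited that page; and the decision is made on an allow-list (which query keys may stay) rather than a deny-list of known-bad ones, since the deny-list is the part that is always incomplete. The redaction patterns are a backstop for free text, not a substitute for the structural rules.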

It is in every health system’s best interest to assume that everyone visiting its website is a patient or will be one at some point. Therefore, any data point paired with an IP address should be treated as a high-risk personal identifier. The governing bodies behind this guidance are holding covered and non-covered entities accountable and liable for HIPAA data compliance issues and applying fines even where the rules leave gray areas. The safe place to be is putting these initial assumptions into practice now rather than waiting for future guidance.

This all underscores the importance of partnering with a marketing agency with robust analytics tracking and an eye for details. If you’d like to discuss the implications of these changes or need help determining the best course of action for your organization, contact us! At Infinity, we’ve got the experience and expertise to help guide you in the complex and ever-changing world of digital marketing.
