What the Latest HSS Bulletin Means for Your MarTech Stack
A few months ago, suits filed against Meta and several hospitals brought user privacy to the forefront once more. As a quick recap, it was discovered that the Meta Pixel captured more user data than expected. An investigation found that some patient health conditions, doctor appointments, and even allergies were sent to Facebook.
The US Department of Health and Human Services later issued a bulletin in the final weeks of 2022 further outlining the responsibilities of HIPAA Covered Entities and Business Associates. The document specifically addresses tracking technologies and their collection of Protected Health Information (PHI) - this includes everything from website analytics to marketing pixels, session replay scripts, and more.
How can healthcare providers market their services or gain insight into how visitors engage with their content? Fortunately, the bulletin does provide a few scenarios to provide guidance around such efforts.
What’s In the Bulletin?
According to the bulletin, tracking technologies collect and analyze information about how users interact with regulated entities’ websites or mobile applications (“apps”). HIPAA rules apply when these tracking technologies collect PHI. The bulletin summarizes website tracking technologies, which include all cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. It also identifies app tracking technologies such as a device ID or advertising ID.
HIPAA rules apply when any individually identifiable health information (IIHI) is provided by a user of a website or app. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code.
While it is noted when PHI can be tracked and reported to business associates, we do not recommend attempting to do so with any marketing pixel or similar service.
Collection by Context
These are pages not accessible to just anyone searching the web and require a visitor to enter a username and password to view. Some examples of these types of pages include patient portals, health plan details, and telehealth platforms. Generally speaking, these pages will contain information directly related to the visitor who logged-in to access the content - whether it's available on the page itself or the DOM. Because of this, these pages may contain PII or PHI.
Seer recommends collecting only anonymous data from authenticated pages or in a worst-case scenario, these pages can be left untracked.
Unauthenticated, Public Webpages
This is where the waters get murky. When we say unauthenticated pages, we mean pages most likely accessible by anyone visiting the site or even search engines. It's not very likely that these pages include PHI, so the entity can track as usual without concern of the HIPAA rules.
However, problems begin to arise when certain content is associated with PII. For instance, if someone visits a page to learn more about a particular ailment or to find out the hours of a clinic and you have knowledge of their name or IP address, you’re now inadvertently collecting PHI.
Public web pages will generally be safe to track. But if you want to ensure you’re compliant, Seer recommends excluding tracking on pages that could be used to associate any health information with an individual. This includes pages for scheduling visits to a particular type of clinic or forms that would include PHI. While a form submission event wouldn’t constitute PHI, a specific type of form or the fields within could contain such information.
Mobile applications owned by a HIPAA regulated entity are subject to the same rules. This extends to any third-party developer managing the app and vendor that would have access to PHI (learn more about the 18 HIPAA identifiers).
If the app is not owned by a regulated entity, it is not subject to HIPAA - even if someone ends up adding their health information into it. There are other laws and regulations that will likely apply in such instances though.
Is Google Analytics HIPAA Compliant?
Short answer: no, not out of the box. Google takes privacy very seriously and its policies mandate that no data be passed to Google that Google could use or recognize as personally identifiable information (PII). But, Google has made it clear that they are not looking to provide a HIPAA-compliant analytics product.
If you’re adhering to Google’s guidance, you are likely within the bounds of compliance. Yet, there are several considerations and steps that you can take to safeguard your organization from potential violations.
The following recommendations do not constitute HIPAA compliance, but rather serve to provide guidance on steps that can be taken to minimize the collection of PII and PHI.
Steps You Can Take Today to Remain Compliant
- Disable the collection of granular location data
- Do not automatically detect user-provided data
- Anonymize IP addresses (UA only)
- Remove any URLs or Page Titles that may contain PHI
- Ensure form tracking does not capture PHI
- Review (or remove) marketing pixels
What Does This Mean For Healthcare Providers Going Forward?
Compliance standards for HIPAA and the definition and rules for handling PII and PHI are still evolving. But one thing is clear, maintaining proper security practices for user data and avoiding the capture of PHI in tracking tools are paramount.
Disclaimer: Seer Interactive makes no claims to provide legal advice. Interpretations of HIPAA law compliance and PHI (Protected Health Information) are complex. This document outlines Seer’s Point of View and actions to consider that you should review against your business, goals, and legal risks. We strongly recommend you review your specific use cases with your own legal counsel and data engineering teams.
If you are concerned about your current analytics and marketing stack, reach out to Seer today to see how we can help keep your data compliant and your patient’s information safe.