Healthcare Web Analytics in 2023: Get Your Data In Order

On December 1, 2022, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) issued a bulletin stating that the use of third-party cookies, pixels, and other tracking technology by healthcare companies may be violating the Health Insurance Portability and Accountability Act (HIPAA). This is in the wake of a year of unprecedented data breaches involving business associates, or third-party vendors, throughout the healthcare industry. 

Bar chart showing a steep increase in healthcare data breaches since 2016

2022 saw over 700 healthcare data breaches impacting more than 50 million individuals. And nearly a third of the ten most significant breaches were due to third-party tracking pixels from companies like Google and Meta (Facebook). While Google and Meta help companies understand how their websites and other owned properties are used, users of these platforms have also inadvertently exposed data ranging from personally identifiable information such as Social Security numbers, driver’s license numbers, and financial account information to medical record numbers, insurance account numbers, and more.

Chart showing healthcare analytics data breaches by entity

Such breaches come with hefty financial penalties, including fines, settlements, and other repercussions for the entities involved. But a more significant impact is felt by the consumer whose data has been compromised, as stolen personal information can result in identity theft. And recovery from identity theft is often a long and burdensome process.  

Graph showing a steep increase in the number of individuals impacted by healthcare analytics breaches since 2016

Up until last December when HHS issued its bulletin, it had not provided formal guidelines regarding sensitive healthcare data and HIPAA relative to online tracking technologies. So what does this announcement mean and how can healthcare organizations stay HIPAA compliant?

What do the HHS changes mean for healthcare organizations?

A good starting point is an understanding of the technologies involved and the risks they pose. The HHS announcement specifically speaks to tracking technologies, often third-party, which are generally anonymized. Tracking technologies such as pixels are tiny bits of embedded code used to track a site visitor’s online activity. The data collected from the pixels provides insights that allow the site owner to develop marketing strategies, such as on-site personalized experiences and off-site retargeting campaigns, specific to each site visitor’s behaviors and interactions.

The problem? Many healthcare organizations are using third-party pixels to gain a better understanding of how they can optimize the digital experiences within their public-facing websites and patient portals. And these pixels may be sharing protected health information (PHI) inadvertently with third parties. Most often, the concern lies with pixels on the patient portal, a secure website or application where patients can access and interact with their health data. But PHI can also be collected from the public website and mobile apps through cookies, web beacons, fingerprinting scripts, and other scripts.

So what constitutes PHI? 

Protected health information is any information related to an individual’s past, present, or future health, healthcare, or payment for healthcare. This includes, but is not limited to:

  • Medical records, be they physical, electronic, or spoken
  • Information pertaining to billing, insurance, or any financial aspect of an individual’s health or healthcare
  • Demographic information
  • Mental health conditions
  • Tests and laboratory results 
  • All information related to an individual’s diagnosis, treatment, or prognosis
  • Anonymous session user ID

As of December 1, 2022, anonymous session user ID is considered PHI.

Anonymous user identification allows the website to anonymously identify unique site visitors without the user having to log in or consent to a tracking cookie. Anonymous sessions are captured and aggregated and can include data such as (but not limited to) the user’s IP address, geographic location, language, device, and mobile carrier, but are generally, as the name suggests, anonymous. However, HHS has deemed that these data points connect the individual to the entity and therefore can be related to the individual’s past, present, or future health, healthcare, or payment for healthcare.

Treating anonymous session user ID as PHI adds complexity to an already confusing data security landscape. Furthermore, in order to protect themselves and their patients, the onus is on healthcare providers to ensure they and their partners are not improperly using tracking technology on the healthcare provider’s digital properties, mobile apps, etc.

How can healthcare organizations keep web analytics HIPAA compliant?

As there is no easy website or mobile app consent solution, it is best to develop a compliant strategy that will protect both the healthcare organization and its consumers. Developing a compliant strategy requires engaging all departments (marketing, marketing analytics, legal, IT, etc.) and ensuring organizational alignment around it. This starts with examining your current analytics tech stack to determine if it meets both the organization’s needs and HHS requirements.

Is Google Analytics HIPAA compliant?

Over 28 million websites worldwide currently use Google Analytics, over four million of which are in the United States. Of all U.S. industries that use Google Analytics, hospital and healthcare companies are the third most prevalent. Google Analytics isn’t the only option for tracking website data, but it has the largest market share, and for good reason. It is robust and intuitive. But Google Analytics has also faced challenges, having been banned in a few European countries due to General Data Protection Regulation (GDPR) violations. Google did take steps toward addressing the European Union’s GDPR requirements with its recent release of GA4.

So, does Google Analytics meet the new requirements outlined in the HHS bulletin? The simple answer is no. In basic and 360 configurations, GA3 and GA4 no longer meet the HHS compliance requirements. This is primarily due to specific attributes of the data sets, namely the session and user ID dimensions.

As a result, healthcare companies are expediting their searches for alternative platforms that will provide organizations with the information they need to measure their digital customer experiences and — more importantly — store that data securely.

After the Universal Analytics sunset on July 1, 2023, you will have a minimum of six months to access your previously processed data. Are you ready to transition to GA4?

What are the best next steps toward achieving compliance?

The first step is to identify and outline requirements for a cohesive transition to a new, compliant platform. The most important of these requirements is a HIPAA-compliant analytics platform provider, one that will be covered under a Business Associate Agreement (BAA). The good news is there are a handful of platforms available that fit this important need.

Additionally, all businesses are unique and have priorities that must be considered when planning a transition to a new analytics platform. Some examples of priorities might include ease of implementation, tag management capabilities, user limits, integrations with other Google products, and interface complexity, among other things. 

Once requirements have been prioritized across internal teams, analytics owners will be able to guide a best-fit decision.

Whether your organization has been using Universal Analytics for years or you have recently migrated to GA4, Tallwave can help you organize around your requirements, gain internal alignment, and provide expertise on next best options all the way through the implementation and reporting transition. Reach out when you’re ready to learn more.


Prepare, Survive, Thrive: CX Strategies to Recession-Proof Your Business

But is This a True Recession?

That depends on your school of thought. Generally, a recession is a period of economic decline in which the gross domestic product (GDP) of a country falls for two consecutive quarters. However, there are many other factors to consider. Check out our white paper for more detailed information on recessions and recession-proofing strategies.


Though there is much academic debate around whether we’re technically in a recession or not, consumers are wary, and once again discretionary spending is trending down. As a general guideline, the National Bureau of Economic Research states that a recession lasts around 11 months on average, but the effects can be felt long after it has officially ended. So whether this economic downturn is a recession or a harbinger of one to come, savvy business leaders are positioning their companies to adapt so they can strategically navigate this challenging market.

Proven Recession Resilience Strategies

We’ve been here before. The recession brought on by the dot-com crash negatively affected a generation of investors, and though it was shorter-lived, it left a lasting impact. Most recently, there was the Great Recession of 2007-09. And though many businesses faced insurmountable challenges, others thrived. Here’s a look at some strategies leveraged by a few companies that came out stronger in the end.

Invest in Empathy

At the start of the Great Recession, Starbucks was struggling. The former king of coffee closed hundreds of stores, laid off thousands of employees, and was saddled with a pretentious image that alienated it in a time of financial insecurity. In 2008, under new (returning) CEO leadership, Starbucks immediately shifted focus to reignite the emotional attachment with its customers.

Starbucks developed a social program where customers could share ideas with each other and the company, giving input on products, services, in-store music and layout, and even corporate social responsibility. And Starbucks leadership listened—they implemented over 100 of its customers’ ideas! One of the first corporations to invest in a mobile app, Starbucks met its customers where they were, reigniting the brand by reestablishing trust, building a vibrant online community, and developing a devoted following.

Double Down on Brand

On the brink of disaster in 2008, Citigroup did an about-face, pivoting from a product-centered strategy to a client-first focus. Citigroup’s vision, mission, and strategic objectives became its driving force. It invested in understanding its individual customers, focusing on segments within each generation and catering to their diverse needs. Citigroup developed technology to measure customer feedback, allowing the bank to react and improve trust. It launched and maintained a social network presence that directly enhanced its brand image. The banking giant invested in its people, training and promoting top talent. Additionally, Citigroup segmented its products and services and operationalized a similar strategy for corporate, government, and business customers.

Since its near destruction in the Great Recession, Citigroup has focused on rebuilding its reputation, and it’s been successful. The company continues to rank very highly in customer satisfaction, according to J.D. Power, American Customer Satisfaction Index, and its steadily improving Net Promoter Score.

Market Smarter

Facing many challenges leading up to the Great Recession, Netflix invested in research and development and strategic marketing to not only survive the recession but thrive in it. Netflix was going up against Blockbuster and Redbox in the physical DVD rental space and struggling to win market share. But when consumer spending sharply dropped, Netflix not only doubled down on its convenient mail-order model of movie rental but, having taken note of the role played by video game consoles and the all-new Smart TV, it pioneered an alternative method of media consumption: online streaming offered at a price lower than that of cable and satellite providers. Through strategic partnerships, Netflix targeted consumers with gaming platforms, streaming devices, and Smart TVs to promote a low-cost, no-late-fee, convenient, in-home entertainment option. Exactly what the budget-conscious consumer wanted.

Netflix has continued to be a leader in data- and customer-driven integrated marketing, creating a seamless, personalized experience for its users across all demographic groups. It continually optimizes the user experience based on user preferences to actively engage customers, not only enhancing their experience, but informing Netflix’s user data so it can continue to effectively personalize its customers’ experiences.

Increase Operational Efficiency

When economic crises hit, simply lowering headcount and reducing costs across your budget can help in the short term. But the most resilient and top-performing companies to emerge from the Great Recession focused their energies on improving operational efficiency. This strategy not only helped businesses survive the recession but succeed beyond the economic downturn by maintaining their momentum. After the dot-com bubble burst, devastating the tech sector, Target took a daring but well-calculated approach. During the recession, Target drastically improved productivity and supply chain operations through strategic partnerships. Additionally, it increased its marketing and sales spend, ramped up investment in credit card programs, opened more stores, and grew its internet business. And these measures paid off handsomely. Over the course of the recession, Target saw increased sales and profits that lasted well after the economy righted itself.

Target continues to invest in operational efficiency. In 2020, coming out of a record-breaking year, Target invested heavily in fulfillment services and supply chain to reduce friction points and scale capabilities. Additionally, and equally important, Target continues to invest in technology to provide customers with a more personalized and streamlined experience, increasing loyalty and driving growth.

Recession-Proofing Recommendations and Approaches

While many businesses failed in past recessions and economic downturns, the businesses featured above show that investment in resilience strategies can help companies both navigate challenging markets and carry the benefits of those investments into the future. Understanding and optimizing your customers’ experiences, strategically marketing your products and services, defining and refining your brand, and increasing operational efficiencies are solid strategies to drive customer acquisition and loyalty, increase market share, and drive growth.

Economists have predicted a 40-70% probability of a global recession in the next 18 months. While there is uncertainty regarding when, to what degree, or even if we will enter a true recession, looming economic uncertainty poses many of the same challenges.

What Other Business Leaders Are Doing to Prepare

We spoke with partners and business leaders across multiple industries to find out how they’re preparing for a potential recession—what they’re doing to protect their businesses and, where possible, gain an advantage over their competitors. Read our in-depth report Recession Proof Your Business: CX Strategies for Recession Resilience for valuable insights, expert opinions, and strategic approaches on how to prepare your business to not only survive but thrive in a challenging economic environment.

Ready to Increase Your Business’s Recession Resilience?

There are a lot of questions surrounding the current economic environment, and whether or not we are technically in a recession or one is on the horizon, investment in a strong CX strategy will help position your business to withstand challenging economic conditions. Ready to learn more? Let’s chat!

