On December 1, 2022, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a bulletin stating that the use of third-party cookies, pixels, and other tracking technologies by HIPAA-regulated entities may violate the Health Insurance Portability and Accountability Act (HIPAA). The bulletin came at the end of a year of unprecedented data breaches involving business associates, the third-party vendors that handle data on behalf of covered entities, throughout the healthcare industry.
2022 saw over 700 healthcare data breaches impacting more than 50 million individuals, and nearly a third of the ten largest were attributed to third-party tracking pixels from companies such as Google and Meta (Facebook). While Google and Meta help companies understand how their websites and other owned properties are used, the healthcare organizations deploying these tags have inadvertently exposed data ranging from personally identifiable information such as Social Security numbers, driver’s license numbers, and financial account information to medical record numbers, insurance account numbers, and more.
Such breaches come with hefty financial penalties, including fines, settlements, and other repercussions for the entities involved. But a more significant impact is felt by the consumer whose data has been compromised, as stolen personal information can result in identity theft. And recovery from identity theft is often a long and burdensome process.
Until the December 2022 bulletin, HHS had not issued formal guidance on how HIPAA applies to online tracking technologies. So what does this announcement mean, and how can healthcare organizations stay HIPAA compliant?
What do the HHS changes mean for healthcare organizations?
A good starting point is an understanding of the technologies involved and the risks they pose. The HHS bulletin speaks to tracking technologies, often supplied by third parties, that are commonly described as anonymized. A tracking pixel is a tiny image or snippet of embedded code that, when a page loads, sends a request to the vendor’s server carrying details of the visit, typically the page URL and title plus a visitor identifier that the vendor stores in a cookie. The data collected from pixels provides insights that allow the site owner to develop marketing strategies, such as on-site personalized experiences and off-site retargeting campaigns, tailored to each visitor’s behavior and interactions.
The problem? Many healthcare organizations use third-party pixels to understand how to optimize the digital experience of their public-facing websites and patient portals, and those pixels may be sharing protected health information (PHI) with third parties without anyone intending it. Most often, the concern lies with pixels on the patient portal, the authenticated website or application where patients access and interact with their health data. But PHI can also be collected from the public website and mobile apps by cookies, web beacons, fingerprinting scripts, and other embedded scripts, for example on appointment-scheduling or condition-specific pages that a visitor reaches before ever logging in.
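To make the leak concrete, here is an added example (editor’s code, not part of the original article or any vendor’s tooling) that audits captured outbound browser requests from a healthcare site. It flags requests to known analytics hosts, lists the page context and visitor identifiers they carry, and marks a request as a PHI risk when a persistent visitor identifier is sent together with a page whose path implies a care relationship. The tracker hosts, query-parameter names (`dl`, `dt`, `cid`, `fbp`), path hints, and the sample requests are all constructed assumptions for illustration.

```python
"""Audit captured browser requests for third-party trackers that receive
page context from a healthcare site.

Added example by the editor. TRACKER_HOSTS, CONTEXT_PARAMS,
SENSITIVE_PATH_HINTS and SAMPLE_REQUESTS are constructed assumptions,
not data from the original article.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts contacted by common third-party analytics/advertising tags (assumption).
TRACKER_HOSTS = {
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
    "analytics.google.com": "Google Analytics",
    "region1.google-analytics.com": "Google Analytics",
}

# Query parameters that carry the visited page or a persistent visitor id.
# Parameter names are assumptions for this example:
#   dl = document location, dt = document title,
#   cid = analytics client id, fbp = pixel browser id.
CONTEXT_PARAMS = {
    "dl": "page URL",
    "dt": "page title",
    "cid": "client id",
    "fbp": "browser id",
}

# First-party path fragments that imply a care relationship (assumption).
SENSITIVE_PATH_HINTS = ("/patient-portal", "/appointment", "/conditions/", "/mychart")

# Constructed sample of captured requests, e.g. exported from a HAR file.
SAMPLE_REQUESTS = [
    {   # Analytics hit fired from an appointment page inside the patient portal
        "url": "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX&cid=1234.5678"
               "&dl=https%3A%2F%2Fhospital.example%2Fpatient-portal%2Fappointments"
               "%3Fprovider%3Doncology&dt=Upcoming%20Appointments",
        "referer": "https://hospital.example/patient-portal/appointments?provider=oncology",
    },
    {   # Pixel PageView from a public, unauthenticated condition page
        "url": "https://www.facebook.com/tr/?id=111&ev=PageView"
               "&dl=https%3A%2F%2Fhospital.example%2Fconditions%2Fdiabetes"
               "&fbp=fb.1.1700000000.999",
        "referer": "https://hospital.example/conditions/diabetes",
    },
    {   # First-party asset request: not a tracker, ignored by the audit
        "url": "https://hospital.example/static/app.js",
        "referer": "https://hospital.example/",
    },
]


def audit_requests(requests):
    """Return one finding per request to a tracker host.

    Each finding records the vendor, the identifying fields that were
    transmitted, the page the hit describes, and whether the combination
    of a persistent visitor id and a care-related page is a PHI risk.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        vendor = TRACKER_HOSTS.get(parts.hostname)
        if vendor is None:
            continue  # first-party or unknown host
        params = parse_qs(parts.query)  # values are URL-decoded here
        sent = {label: params[key][0]
                for key, label in CONTEXT_PARAMS.items() if key in params}
        # Prefer the page the tag reported; fall back to the Referer header.
        page = sent.get("page URL") or req.get("referer", "")
        page_path = urlsplit(page).path.lower()
        sensitive = any(hint in page_path for hint in SENSITIVE_PATH_HINTS)
        has_visitor_id = "client id" in sent or "browser id" in sent
        findings.append({
            "vendor": vendor,
            "sent": sent,
            "page": page,
            "phi_risk": sensitive and has_visitor_id,
        })
    return findings


if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        flag = "PHI RISK" if f["phi_risk"] else "ok"
        print(f"[{flag}] {f['vendor']}: {f['page']} -> {sorted(f['sent'])}")
```

Run against real traffic, the input would come from a browser’s network export rather than the constructed list, and the path hints would be tuned to the site. The point the output makes is the one in the bulletin: the vendor receives not just “a page view” but the full URL (including query strings such as a provider or department) tied to an identifier that persists across visits.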
So what constitutes PHI?
Protected health information is individually identifiable health information, held or transmitted by a covered entity or its business associate, that relates to an individual’s past, present, or future health, healthcare, or payment for healthcare. This includes, but is not limited to:
- Medical records, be they physical, electronic, or spoken
- Information pertaining to billing, insurance, or of any financial aspect of an individual’s health or healthcare
- Demographic information
- Mental health conditions
- Tests and laboratory results
- All information related to an individual’s diagnosis, treatment, or prognosis
- Anonymous session user ID
Since the December 1, 2022 bulletin, HHS has made clear that it treats the identifiers captured for an “anonymous” session on a regulated entity’s website or app as PHI.
Anonymous user identification allows a website to recognize unique visitors without the user having to log in or consent to a tracking cookie. Anonymous sessions are captured and aggregated and can include data such as (but not limited to) the user’s IP address, geographic location, language, device, and mobile carrier, and they are generally, as the name suggests, treated as anonymous. However, HHS has determined that these data points connect the individual to the regulated entity and therefore relate to that individual’s past, present, or future health, healthcare, or payment for healthcare. This should not be surprising: IP addresses and device identifiers are both on the list of 18 identifiers that HIPAA’s Privacy Rule requires be removed before data counts as de-identified, so their presence alone can make a record individually identifiable.
Treating anonymous session identifiers as PHI adds complexity to an already confusing data security landscape. To protect themselves and their patients, the onus is on healthcare providers to ensure that neither they nor their partners are improperly using tracking technology on the provider’s websites, mobile apps, and other digital properties.
How can healthcare organizations keep web analytics HIPAA compliant?
There is no easy website or mobile app consent solution: HHS has stated that a cookie banner or similar consent prompt is not a valid HIPAA authorization, so consent tooling alone does not make a tracking deployment compliant. It is best to develop a compliant strategy that protects both the healthcare organization and its consumers. Developing that strategy requires engaging all departments (marketing, marketing analytics, legal, IT, etc.) and ensuring organizational alignment around it. This starts with examining your current analytics tech stack to determine whether it meets both the organization’s needs and HHS requirements.
Is Google Analytics HIPAA compliant?
Over 28 million websites worldwide currently use Google Analytics, over four million of which are in the United States. Of all U.S. industries that use Google Analytics, hospital and healthcare companies are the third most prevalent. Google Analytics isn’t the only option for tracking website data, but it has the largest market share, and for good reason: it is robust and intuitive. But Google Analytics has also faced challenges in Europe, where data protection authorities in several countries ruled that its use violated the General Data Protection Regulation (GDPR). Google took steps toward addressing those GDPR concerns with its recent release of GA4, which, for example, no longer logs or stores visitors’ IP addresses.
So, does Google Analytics meet the requirements outlined in the HHS bulletin? The simple answer is no. In both standard and 360 configurations, neither Universal Analytics (GA3) nor GA4 meets them. This is primarily because the client and session identifiers that Google Analytics assigns to every visitor, combined with the page URLs and other request data it receives, are exactly the identifiers the bulletin describes as PHI, and Google does not offer a Business Associate Agreement covering Google Analytics.
As a result, healthcare companies are expediting their searches for alternative platforms that will provide organizations with the information they need to measure their digital customer experiences and — more importantly — store that data securely.
What are the best next steps toward achieving compliance?
The first step is to identify and outline requirements for a cohesive transition to a new, compliant platform. The most important of these requirements is a HIPAA-compliant analytics provider, one that will sign a Business Associate Agreement (BAA) covering the data it receives. The good news is there are a handful of platforms available that fit this important need.
Additionally, every organization is unique and has priorities that must be weighed when planning a transition to a new analytics platform. Examples include ease of implementation, tag management capabilities, user limits, integrations with other Google products, and interface complexity, among other things.
Once requirements have been prioritized across internal teams, analytics owners will be able to guide a best-fit decision.
Whether your organization has been using Universal Analytics for years or you have recently migrated to GA4, Tallwave can help you organize around your requirements, gain internal alignment, and provide expertise on next best options all the way through the implementation and reporting transition. Reach out when you’re ready to learn more.