The healthcare industry is increasingly concerned about the improper use of third-party cookies, pixels, and other technologies to track patients—and for good reason. Patient privacy is foundational to the healthcare system, and the ramifications for tracking, even accidentally, are becoming clear.
In response, the Office of Civil Rights at the U.S. Department of Health and Human Services (HHS) has issued a bulletin detailing the regulatory expectations for HIPAA-covered providers and business associates when employing these technologies. Healthcare companies must make sure their practices align with the guidelines to avoid legal repercussions, violations of HIPAA regulations, and potential consequences for patients.
At Hero Digital, we have analyzed analytics platforms to determine which are HIPAA compliant, from common software like Google Analytics and Adobe Analytics to companies that are less well-known. Each option has advantages and disadvantages, and healthcare companies must select one that best fits their unique needs.
But before we get to that, let’s discuss the cost of getting this wrong.
The Cost of Getting It Wrong
Failing to comply with the new HHS regulations on tracking patients can result in significant financial and reputational consequences for providers, as illustrated by recent class action lawsuits against Meta, formerly Facebook, and healthcare providers Advocate Aurora Health, WakeMed Health and Hospitals, and Northwestern Memorial Hospital.
These lawsuits are connected to the alleged unauthorized use of Meta’s tracking technology, the Meta Pixel, on hospital websites and patient-facing portals, which may have led to the exposure of sensitive data. The complaints accuse the defendants of violating the Electronic Communications Privacy Act, the Stored Communications Act, and the Health Insurance Portability and Accountability Act (HIPAA).
Civil penalties for violating HIPAA alone range from $100 to $50,000 per violation, with total penalties reaching up to $1.5 million per year for multiple violations of the same provision. Noncompliance can also lead to major legal fees and remediation expenses, as organizations may need to engage legal counsel, conduct internal investigations, and implement corrective measures to address issues.
Beyond the financial penalties, a breach of PHI (Protected Health Information) can severely damage an organization’s reputation, leading to a loss of trust and potentially deterring patients from seeking care at the affected organization. This can result in a loss of business and revenue, negatively impacting an organization’s ability to form partnerships, secure funding, or engage in other activities that rely on trust and credibility within the healthcare industry.
To avoid these potentially devastating consequences, providers must ensure their use of tracking technologies complies with HIPAA rules. This includes implementing appropriate safeguards to protect PHI, entering into the right agreements with tracking technology vendors, and regularly reviewing and updating privacy and security practices to ensure ongoing compliance.
By taking these steps, organizations can mitigate the risks associated with noncompliance and maintain the trust of their patients, partners, and the public.
Weighing Your Options
Given the new regulation, providers should only work with third-party analytics vendors with proven track records of compliance with privacy regulations. Organizations should confirm that these vendors are committed to protecting PHI and have robust privacy and security measures in place.
But how do you do this? Organizations should check whether vendors have business associate agreements (BAAs) that guarantee compliance with HIPAA rules. Then, conduct regular audits and assessments to verify that these third-party vendors fully adhere to the established privacy and security standards.
By following these guidelines, healthcare providers can effectively use data analytics to improve patient care, optimize operations, and make informed decisions while remaining compliant with the latest HHS regulations. This balanced approach helps organizations navigate the new regulatory landscape and foster a culture of privacy and trust within the healthcare sector.
Now, let’s review two of the most common analytics solutions: Google and Adobe.
- Google Analytics is not recommended for most providers, because Google does not enter into a BAA with them, which conflicts with the expectations outlined in the HHS bulletin. Our Healthcare Tracking Compliance report suggests exploring alternative HIPAA-compliant platforms whose vendors will enter into a BAA. For example, Freshpaint is a unique option that enables continued use of Google Analytics while maintaining HIPAA compliance through custom tracking.
- Adobe Analytics is not HIPAA compliant out of the box. However, Adobe offers HIPAA-ready services, such as Healthcare Shield, which includes a real-time customer data platform. These services come with additional costs and require a BAA between Adobe and the customer.
Plenty of secondary solutions, such as Mixpanel, Plausible, Freshpaint, and Piwik Pro, offer various features and levels of compliance. Mixpanel provides robust reporting and data visualization, while Plausible is an open-source, self-hosted option. Freshpaint ensures HIPAA compliance across the entire tech stack and allows clients to continue using Google Analytics. Piwik Pro complies with all privacy regulations, including HIPAA, and offers various data storage options.
Whatever you choose, we recommend closely reviewing these solutions with your legal and compliance teams to determine the best fit for your organization.
3 Steps You Can Take Today
More than ever, healthcare companies must stay up to date on the changing rules and regulations surrounding data and HIPAA compliance.
Here are three steps an organization can take immediately:
- Ensure all PHI disclosures comply with privacy rules and adhere to the minimum necessary principle unless an exception applies.
- Get necessary permissions before disclosing PHI, including securing a signed HIPAA BAA with your tracking vendor or acquiring HIPAA-compliant authorization from the patient. Remember: a signed BAA and permissible purpose are still required even if the vendor does not store PHI or removes it before saving the data.
- Incorporate the tracking technologies into your HIPAA risk analysis and risk management process, and ensure that PHI is adequately secured when transmitted.
If an organization needs further consultation, agencies like Hero Digital can help with incremental tracking changes or full-scale implementations in collaboration with you and your legal teams. Healthcare companies should never have to navigate this complex and ever-shifting landscape alone. The better strategy? Being proactive about protecting patient data.
Nikki Maloney-Ballard
Nikki Maloney-Ballard is VP, Data & Insights at Hero Digital.