However, a recent Health and Human Services bulletin created a nightmare for marketers across the health provider space, as it added new context to the 1996 law regarding third-party trackers. If you want a quick summary, it goes like this: the release doubled down on the requirements that healthcare companies must comply with, because third-party tracking technologies disclose PHI.
The bulletin tackles three major concepts:
- Tracking on webpages
- Tracking on mobile devices
- HIPAA compliance requirements for regulated entities that use third-party trackers
In many ways, the ruling makes total sense – feel free to watch our video for more context, or just keep reading for the summary.
The Problem with Google Analytics and HIPAA
There has never been more concern about the fragile balance between compliance and digital marketing tactics in the healthcare and life sciences industry. Because of ongoing class action lawsuits, the December bulletin from the HHS has sent healthcare marketers and compliance teams scrambling to mitigate the risk.
According to the bulletin, data such as email addresses and IP addresses may actually be considered PHI. Of course, sending PHI to any entity could be a violation of the HIPAA rule if:
- You don’t have a signed BAA
- The patient didn’t consent to disclosure
- The PHI isn’t de-identified
Given that technologies like Google Analytics typically won’t sign a BAA, most users aren’t consenting to disclosure, and PHI is generally not de-identified, many providers currently using the technology may be in violation of HIPAA.
A Case Study
Let’s say Google Analytics tracks a user on a healthcare website across webpages related to cancer prevention, and then generates an event for a form submission requesting a colonoscopy.
If Google pairs that user’s self-reported healthcare needs with an IP address that identifies the specific person, that constitutes a violation of HIPAA laws.
This dilemma leaves healthcare marketers in a pickle. On one hand, they need robust analytics to identify their most successful marketing strategies. On the other, they face debilitating fines for non-compliance.
In the meantime, many have removed GA from their digital properties, while others have stopped digital advertising altogether.
Original Penrod research indicates that just under 6,000 US-based providers have dropped Google Analytics since December of last year.
However, others aren’t taking the HHS guidance as seriously – we’ve determined that just over 100,000 providers are potentially using Google Analytics in a manner that violates HIPAA.
Let’s dive into some solutions to the Google Analytics for healthcare HIPAA-compliance problem.
Potential Solutions
Here at Penrod, we’ve developed a couple of solutions that allow healthcare companies to remain fully HIPAA compliant while leveraging the power of Google Analytics, or an equally powerful platform.
Let’s dive in.
Replacement
The first solution we’ve come up with completely replaces Google Analytics with Marketing Cloud Personalization, a platform made by Salesforce.
Marketing Cloud secures sensitive PHI, tracks patient behavior analytics, and personalizes digital experiences in real time.
The good news is that, because it’s possible to sign a BAA with Salesforce, Salesforce is able to provide services to covered entities – and handle PHI with compliance and integrity.
One potential downside to migrating analytics platforms is the loss of historical data. This could be an unacceptable cost to certain healthcare organizations with significant amounts of user data.
Our second solution avoids this entirely.
Server-Side Container
The second solution we’ve come up with relies on a secure server-side container that reduces the amount of retagging you need to do on your website.
In this example, we set up the Google server-side Tag Manager component on either Google Cloud Platform or a local server.
The server-side component de-identifies PHI by making an API call to Data Cloud. The server-side tag manager also has an ingestion API connector that ingests the data into Salesforce Data Cloud. This allows our customers to re-identify the encrypted data.
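As an added illustration (not Penrod's implementation, and not the Data Cloud API, which this page does not detail), the following Python sketch shows the de-identification step such a server-side layer performs before an event is forwarded to a tracker: direct identifiers become keyed tokens, the IP address is generalized, and the token-to-original mapping stays with the covered entity so the event can be re-identified there later. The key, field names and sample event are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed key for this example: in practice the covered entity holds it and the
# analytics vendor never sees it, which is what keeps the forwarded tokens de-identified.
DEID_KEY = b"constructed-demo-key-not-for-production"

DIRECT_IDENTIFIERS = ("email", "phone", "user_id")  # assumed field names
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonymize(value: str, key: bytes = DEID_KEY) -> str:
    """Keyed HMAC token: stable across events (unique-user counts still work) but not
    reversible by anyone who lacks the key holder's lookup table."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def generalize_ip(ip: str) -> str:
    """Keep only the network prefix (IPv4 /16, IPv6 /32) so the address no longer
    singles out one household or person."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def _token(value: str, vault: dict) -> str:
    """Tokenize and record token -> original in the covered entity's own vault."""
    token = pseudonymize(value)
    vault.setdefault(token, value)
    return token


def deidentify_event(event: dict, vault: dict) -> dict:
    """Return a copy of a tracking event that is safe to forward to a third party.
    Free-text fields are scanned for emails too, since a form submission like the
    colonoscopy request in the case study often repeats them in a message body."""
    out = dict(event)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            out[field] = _token(str(out[field]), vault)
    if out.get("ip"):
        out["ip"] = generalize_ip(out["ip"])
    for field, value in list(out.items()):
        if isinstance(value, str) and field not in DIRECT_IDENTIFIERS:
            out[field] = EMAIL_RE.sub(lambda m: _token(m.group(0), vault), value)
    return out


# Constructed sample: the form submission from the case study above.
SAMPLE_EVENT = {
    "event": "form_submit",
    "page_path": "/screening/colonoscopy-request",
    "email": "Jane.Doe@example.com",
    "ip": "203.0.113.45",
    "message": "Please contact me at jane.doe@example.com about scheduling.",
}
```

The page path and event name still reach the tracker, so behavioral analytics keep working; what no longer leaves the server is anything that ties that behavior to a specific person.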
Our Final Take
Healthcare marketers need more robust tools than ever to make smart marketing decisions. Fortunately, you no longer have to sacrifice marketing power to remain HIPAA compliant.
Make compliance concerns a thing of the past.
If you’re concerned about HIPAA compliance and retaining the power of your digital marketing efforts, please schedule a complimentary consultation. We’ll be able to assess your compliance challenges and see if our solutions are the right fit for you.