Penrod Blog

Patient Privacy in 2024

What Providers in the United States Need to Know

Written by Matt Fiel

Ensuring patient privacy compliance is a constantly evolving challenge. Innovative technologies, evolving tech standards, and a dynamic regulatory landscape mean that healthcare providers, especially those operating across multiple states, will find it difficult to keep pace.

Furthermore, in 2024 providers must diligently adhere to the obligations set forth by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, pertaining to tracking technologies like Google Analytics and relevant state privacy laws. Additionally, they must proactively future-proof their organizations against imminent federal and state legislation.

To navigate the complex realm of patient privacy, here's what providers need to know for 2024.

Consumer with smart phone

Tracking Technologies and HIPAA

OCR Guidelines

In December 2022, OCR issued a Bulletin outlining health providers’ HIPAA obligations. An important aspect of this overview emphasizes that providers are not allowed to use tracking technologies in a way that would reveal Protected Health Information (PHI) in a manner inconsistent with HIPAA’s privacy standards. Additionally, even individuals or entities not subject to HIPAA are expected to safeguard PHI in accordance with the FTC Act and the FTC Breach Notification Rule.

While this Bulletin was issued at the end of 2022, OCR and the FTC jointly issued a letter to over 130 companies in mid-2023 to notify them of these obligations, drawing widespread notice within the healthcare industry and broader business community.

Non-Compliance Letter from the OCR

What the Guidelines Mean

In practical terms, OCR (Optical Character Recognition) essentially determines that certain data collected, transferred, and stored by tracking technologies falls under the category of electronic Protected Health Information (ePHI) as defined by HIPAA (Health Insurance Portability and Accountability Act). While these platforms may not gather test results, information such as email addresses and IP addresses can be considered ePHI when linked to medical data.

Additionally, OCR specifies that when a healthcare entity subject to HIPAA collects such information, like when a potential patient seeks services in their area, that data is classified as Protected Health Information (PHI). However, as this data is inherently shared with Google employees without direct consumer consent and stored in Google’s undisclosed locations, healthcare providers who use Google Analytics are not in compliance with their privacy obligations under HIPAA.

In fact, Google Analytics explicitly states in its Terms of Service that it is not HIPAA compliant and should not be used to collect any information that falls under the definition of PHI according to HIPAA.

Google Analytics is Not HIPAA Compliant

Ongoing Litigation

The American Hospital Association is urging Congress to reconsider this rule, arguing that the definition of PHI in this context is too broad and negatively impacts the quality of healthcare services. Additionally, this rule has implications for the utilization of mapping and location technologies that assist the public in identifying the nearest and most optimal services available.

However, despite these concerns, the current obligations remain in effect and healthcare providers must adhere to them. Consequently, covered providers and business associates under HIPAA are hesitant to use platforms like Google Analytics, Meta Pixel, or Google Ads that collect PHI.


Providers now have the ability to leverage Google Analytics without disclosing any PHI.

By anonymizing IP addresses, avoiding the storage of visitor IDs, refraining from tracking GPS information, and disabling third-party scripts that track PHI, among other methods, you can ensure compliance. Handling PHI requires thoroughness, as violations can result in significant fines, reaching up to five figures per incident.

State Patient Privacy Laws in 2024

Healthcare providers, as well as business associates under HIPAA, are likely familiar with state laws concerning patient privacy. In recent years, California, Colorado, Connecticut, and Virginia have implemented data privacy laws that have implications for the use of PHI. It is worth noting that the Utah Consumer Privacy Act will come into effect on December 31, 2023. This legislation applies to organizations with a gross revenue of $25 million or more that process data from 100,000 consumers.

For organizations that primarily generate revenue from selling data, the data processing threshold is set at just 25,000 consumers. It is important to mention that HIPAA-covered entities are exempted from this state law.

In addition to these states, several more have privacy laws set to go into effect in 2024.

  • Florida: The Florida Digital Bill of Rights, which takes effect July 1, 2024, has a fairly high threshold for the businesses it covers. Covered businesses must make $1 billion or more and either make more than 50 percent of their revenue from selling data, operate an app store with at least 250,000 apps, or operate a voice-activated virtual assistance service tied to a cloud computing system.
  • Montana: In contrast, the Consumer Data Privacy Act in Montana imposes a relatively low threshold for organizations that fall under its scope. These organizations are required to process data from 50,000 or more consumers, and this threshold is further reduced to 25,000 if the organization generates at least a quarter of its revenue from selling data. The effective date for this act is October 1, 2024.
  • Oregon: The Oregon Consumer Privacy Act applies to organizations that handle data from a minimum of 100,000 consumers, or 25,000 or more if the organization generates a quarter of its revenue from selling such data. This legislation will come into effect on July 1, 2024.
  • Texas: The Texas Data Privacy and Security Act covers all businesses except those defined as small businesses by the U.S. Small Business Administration. Like Florida’s and Oregon’s laws, it takes effect July 1.
  • Washington: The State of Washington My Health My Data Act will be effective March 31, 2024. It specifically pertains to organizations that store, collect, and transfer health data.

Every law includes a provision for HIPAA-covered entities, yet providers may still violate state laws if they engage third-party vendors who handle PHI (Protected Health Information) but do not meet the criteria of a business associate under HIPAA.

Is the United States Moving Towards a Federal Data Privacy Act?

As data privacy laws currently stand, they are a complex mix of federal and state regulations, often specific to different industries. Recognizing the need for a comprehensive federal data privacy law, Congress introduced a bipartisan bill called the American Data Privacy and Protection Act (ADPPA) in 2022. Although it gained some traction, it ultimately failed to pass before the legislative session ended. However, there is a possibility that it may be reintroduced in 2024. Notably, ADPPA aims to regulate the use of health data collected by companies not covered by HIPAA, such as those that sell fitness trackers.

Even if ADPPA does not move forward in the 118th Congress, it is possible that certain data privacy changes may still be implemented through the Data Privacy Act of 2023. This bill seeks to update the provisions of the Gramm-Leach-Bliley Act to ensure its alignment with new technology standards. Additionally, the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act is another bill worth mentioning, particularly for healthcare providers. It specifically addresses the collection of health data by entities not covered by HIPAA and imposes restrictions on its usage without user consent.

Ensuring Compliance

These potential laws are merely the beginning of a much larger issue. By 2025, Iowa, Tennessee, and Indiana will have enacted data privacy laws, with many other states actively working on their own versions. As technology continues to advance, new applications for protected health information (PHI) will arise that current laws have not yet addressed. Meanwhile, legal challenges will shape the future of how providers and businesses approach data privacy.

Staying compliant with this ever-changing legal and regulatory landscape is crucial. It’s equally important for your organization to be prepared for compliance. Transitioning from paper to electronic data collection may already be underway in various areas of your organization. However, you must ensure that your data collection, storage, and transfer processes meet HIPAA standards, ensuring security, operational efficiency, and a seamless experience for consumers.

While implementing this level of digital transformation may present challenges for providers, it is essential for delivering high-quality healthcare in the digital age.

About The Author

Matt Fiel

EVP of Marketing

With over 15 years of experience in marketing strategy, web development, and creative design, I lead the marketing team at Penrod, a boutique Salesforce partner focused on the healthcare and life sciences industry. As a Salesforce Certified Pardot Consultant, I have deep knowledge and skills in leveraging the platform to optimize marketing automation, lead generation, and customer engagement.

Ready to Get Started?

We take Salesforce Managed Services to the next level.

Click the button on the right to learn more.