When it comes to web analytics, Google Analytics is king. Its widespread adoption stems from its ability to track user behavior, measure conversions, and assess website performance. Like many other healthcare companies, our client relied on Google Analytics to drive its marketing strategy.
In late 2022, a bulletin from the HHS Office for Civil Rights (OCR) sent shockwaves through the industry. It stated that regulated entities could not transmit PHI to third-party tracking technologies without a Business Associate Agreement (BAA) in place.
Because Google does not sign a BAA covering Google Analytics, our client's tolerance for risk was pitted against its marketing team's heavy reliance on the tool.
Complying with the OCR's strict rules around non-BAA third-party trackers
Penrod's HIPAA-compliant tracking solution built on the power, flexibility, and security of Salesforce
OCR compliance in 3 weeks
The dilemma boiled down to interpretation from a legal and marketing standpoint. Legal sought to mitigate any risk of non-compliance, while the marketing team was adamant that removing Google Analytics would dismantle a core element of their digital marketing efforts.
Penrod aimed to strike a balance between a legal team dedicated to risk mitigation and a marketing team reliant on Google Analytics for analyzing behaviors, improving experiences, and measuring results. Penrod's solution relied on three components – a secure server-side container to process data, a data redaction engine, and a customer data platform.
First, our client needed a secure environment in which to process, redact, and control PHI before anything reached Google Analytics. Penrod chose Google Cloud Platform (GCP) for three reasons – GCP signs BAAs, GCP integrates cleanly with Google Tag Manager's server-side containers, and GCP is a Google platform.
Penrod's HIPAA-compliant web tracking solution uses a redaction engine built on opt-in logic: by default, the system blocks every parameter from reaching Google Analytics, and a field is forwarded only once it has been explicitly allowed. Identifiers such as IP addresses or device IDs are hashed with a secure hashing algorithm before they leave the environment. (A practitioner's caveat: an unkeyed hash of a small identifier space such as IPv4 addresses can be reversed by simply hashing every possible value, so the hash should be keyed, for example an HMAC, with the key held only inside the BAA-covered environment. And because the hashed values can be matched back to visitors inside that covered platform, as described below, the data is pseudonymized rather than truly anonymous.) This keeps user identifiers separated from the health-related context that, combined, would constitute PHI under the OCR's guidance.
Our client's marketing team feared that complying with the OCR bulletin would severely limit its ability to track campaign performance. Penrod put those fears to rest by integrating Salesforce Data Cloud, a state-of-the-art customer data platform (CDP), into the solution.
Universal Visitor Profiles
After signing a BAA with Salesforce covering Data Cloud, our client was able to send raw visitor data into the platform. This means that all visitor information is stored in a HIPAA-compliant customer data platform (CDP). Using a universal identifier, the hashed data in Google Analytics can be re-identified inside the CDP, allowing our client to build unified profiles from data across its healthcare tech stack.
Configuration Logic
Data Cloud also serves as the configuration engine for the opt-in redaction engine. Through a simple user interface, users select which parameters are safe to pass to Google Analytics – and which should be redacted, hashed, or removed entirely.
This lets the policy be adjusted by changing configuration rather than re-engineering the pipeline as the OCR updates its guidance on third-party trackers.
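The following Python sketch is an added example, not Penrod's code or any part of the described product. It shows the pattern the preceding sections describe: a per-parameter policy (the table that the Data Cloud configuration step would maintain), default-deny for anything not in the policy, keyed hashing of identifiers so the raw value never leaves the covered environment, and a CDP-side record that carries the same token so hashed analytics data can be re-identified only inside the BAA-covered platform. The field names, the policy table, the sample event and the key are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# The four per-parameter outcomes named on the page. Anything not listed in the
# policy falls through to DROP: the engine is opt-in, so a field leaks only if
# someone explicitly allows it, never because someone forgot to block it.
ALLOW, HASH, REDACT, DROP = "allow", "hash", "redact", "drop"

# Constructed policy table (assumption). In the described solution this table
# would be maintained in the CDP's configuration UI rather than hard-coded.
POLICY = {
    "event_name": ALLOW,
    "utm_source": ALLOW,
    "utm_campaign": ALLOW,
    "page_location": REDACT,  # keep scheme/host/path, drop query and fragment
    "client_ip": HASH,
    "device_id": HASH,
    "email": DROP,
    "patient_name": DROP,
}

# Hypothetical secret, held only inside the BAA-covered server-side environment.
# A plain SHA-256 of an IPv4 address is not anonymization: all 2^32 addresses
# can be hashed and every digest looked up. An HMAC cannot be reversed without
# the key, and the key never reaches Google Analytics.
PSEUDONYM_KEY = b"replace-me-with-a-secret-from-a-key-manager"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed hash so the same visitor always gets the same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def canonical_ip(value: str) -> str:
    """Normalize IP text so '2001:db8::1' and '2001:0db8:0:0::1' hash alike."""
    return str(ipaddress.ip_address(value))


def redact_url(url: str) -> str:
    """Query strings and fragments are where PHI usually ends up in a URL."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def split_event(event: dict, policy: dict = POLICY,
                key: bytes = PSEUDONYM_KEY) -> tuple[dict, dict]:
    """Return (analytics_payload, cdp_record).

    The analytics payload is all that may leave for Google Analytics. The CDP
    record keeps the raw event plus the same visitor token, so the two can be
    joined later, but only inside the BAA-covered platform that holds the raw data.
    """
    analytics = {}
    for name, value in event.items():
        action = policy.get(name, DROP)
        if action == ALLOW:
            analytics[name] = value
        elif action == HASH:
            raw = canonical_ip(value) if name.endswith("_ip") else str(value)
            analytics[name] = pseudonymize(raw, key)
        elif action == REDACT:
            analytics[name] = redact_url(value) if name == "page_location" else "[redacted]"
        # DROP and unknown fields are never copied into the outbound payload.

    # Universal identifier: the pseudonym of the stable device id. It equals the
    # hashed device_id analytics receives, so the CDP can re-identify it.
    token = pseudonymize(str(event["device_id"]), key) if "device_id" in event else None
    cdp_record = dict(event, visitor_token=token)
    return analytics, cdp_record


def reidentify(visitor_token: str, cdp_records: list[dict]) -> list[dict]:
    """CDP-side lookup: the only place a token maps back to a person."""
    return [r for r in cdp_records if r.get("visitor_token") == visitor_token]


# Constructed sample event, as it might arrive at the server-side container.
SAMPLE_EVENT = {
    "event_name": "appointment_request",
    "utm_source": "google",
    "utm_campaign": "spring_checkups",
    "page_location": "https://clinic.example/oncology/book?name=Jane+Doe&dob=1980-02-01#step2",
    "client_ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
    "device_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "email": "jane.doe@example.com",
    "patient_name": "Jane Doe",
    "insurance_member_id": "XYZ123",  # not in the policy: dropped by default
}

if __name__ == "__main__":
    ga_payload, cdp_row = split_event(SAMPLE_EVENT)
    print("to Google Analytics:", ga_payload)
    print("to CDP:", cdp_row)
```

Two design points are worth noting. First, the policy lookup uses `DROP` as its default, which is what makes the engine opt-in; an allow-by-default table would reintroduce the original problem the moment a developer added a new form field. Second, the pseudonymizing key is the control that separates "hashed" from "anonymous": whoever holds it can regenerate tokens for candidate identifiers, so it belongs in the covered environment's key manager and not in any client-side tag.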
In just three weeks, our client achieved compliance with the OCR bulletin. The legal team gained the peace of mind they needed, and the marketing team was able to continue using the power of Google Analytics to track website performance.
Our client's success is a hopeful reminder to any healthcare organization struggling with the OCR bulletin that, with the right approach, a balance between risk mitigation and marketing power is achievable.
The road to HIPAA compliance is a challenging one. But with the right guidance, it can also be one of growth. The story of our client is a testament to this, revealing a future where patient-first technologies bridge the gap between compliance and marketing power.