This is a continuation of my previous discussion on PHI and Online Tracking. We know you have to be extremely careful when using tracking technologies. This is even true on .com site where you don’t login. Even with extra care there are a number of ways in which you can track activity and events on healthcare related web sites.
What you can and cannot do
Remember that the guidance stresses that you have to treat analytics under the same constraints as other technologies which access PHI. HIPAA still applies. This means you can work with HIPAA.
- Communicate with patients and members as you create the right conditions for better health outcomes
- Use all tools as long as there is no chance of gathering PHI.
- Work with patients and members across many channels a
- Use a tag manager to funnel data to HIPAA compliant repositories
- Can send form submits via a POST
- Use any web or social analytics tool that cannot meet HIPAA guidelines
- Use a Tag Manager to funnel events that may contain PHI to non-compliants tools
- Send form data with PHI in the clear to any tool. This includes HIPAA compliant tools
- Cannot send form submits via a GET which puts potential PHI in the url
Implications of HHS Guidance
Personalize Your Healthcare Marketing: Crawl, Walk, Run, Fly
Strategize, execute, and grow a personalization strategy that meets healthcare consumers where they are and drives better health outcomes.
When you look at the various ways in which site do their tracking, there are implications that you need to think through and address.
- Must choose the correct tag management and analytics solution. Remember that tag management solutions send tracking data to a range of possible sources
- It’s not feasible to just disable analytics tracking on certain pages. Yes, you can disables tracking on form pages, in find a doctor apps and other areas. However, I would refer to this as cutting off your nose to spite your face. You can do it but why would you disable tracking when it’s most important and you want to know what and when a potential member or patient converts?
- Any tracking should be reviewed. Facebook, Google, and other vendors have a variety of tracking tools. Whatever you use on your sites including hotjar should be reviewed.
- All authenticated experiences fall under HIPAA
- Many un-authenticated experiences fall under HIPAA
- Outbound campaigns are less impacted by this. Yes, you still need to be HIPAA compliant but if your campaign is compliant then tracking the results should also be compliant
The good news is that you can still use tracking technologies. The vendor needs to be HIPAA compliant and if the solution is in the cloud, the vendor must sign a BAA. There are solutions out there and I’ll address that in a future post.
Now that bad news, the most common solution used by a very large majority of healthcare organizations, Google Analytics, cannot be used. Google has done their own analysis based on this guidance and has published the resulting note:
Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google’s contracts and policies. Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.
For HIPAA-regulated entities looking to determine how to configure Google Analytics on their properties, the HHS bulletin provides specific guidance on when data may and may not qualify as PHI. Here are some additional steps you should take to ensure your use of Google Analytics is permissible:
- Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.
- Authenticated pages are likely to be HIPAA-covered and customers should not set Google Analytics tags on those pages.
- Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages..
Note that this guidance states that a healthcare organization should not use Google Analytics or Google Tag Manager where HIPAA may be present. Many organizations use these tools under conditions that the new guidance suggests they should not.
In my next post, I’ll explore possible solutions to this challenge.