With new HIPAA standards introduced late in 2022, there are a lot of questions swirling throughout the healthcare industry about how to be data-driven marketers in this digital age without overstepping the latest HIPAA standards. Which tools are usable? Some of the most common tools, such as Google Analytics, are now in question as to whether they can be used at all. (HINT: They can, but you need to take some steps for it to be compliant. Keep reading.)
What Changed in the HIPAA Standards for Medical Websites in 2022?
Most medical websites provide information about diseases and/or treatments, doctors that treat those conditions, and even an opportunity to request a new patient appointment through public-facing web pages... meaning visitors do not need to log in to view these things.
More people are covered under HIPAA than ever before
In the new HIPAA guidelines, specific data points about visitors to these pages, whether they are patients now or could be in the future, are considered PHI. That's right, nearly every visitor to your medical website will now need to have their data protected equally. There are some exceptions, but in general, you will need to evaluate what you're collecting through your website and where it's being stored.
No more tracking technologies that share personal information in a non-compliant manner
It's critical that information about medical website visitors is not passed on to third parties for the purpose of sending them individualized advertisements. The new rule states:
"Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules."
Essentially no more re-marketing is allowed. This doesn't mean you can't advertise.. you just can't customize ads specific to a visitor's "interests" that you noticed during their time on your website.
New data points you have to avoid storing
If you work in healthcare, you're already familiar with individually identifying information that you have to protect for patients. Now you'll need to do that for all visitors if they are looking at a medical condition, requesting an appointment, or searching for a physician who treats a specific condition. PLUS, there were some new data points added to the list:
- IP address - Every device on the internet has one so that it can be connected to the internet.
- Any geographic identifier smaller than a state (ie: county and city are not acceptable).
- Device identifiers of a phone, tablet, or smartwatch. These can be use used by services like Google to make a connection between a single user's phone and desktop activity.
Read more in our blog: 4 Datapoints You May Not Realize are PHI and What to Do About Them
The knee-jerk reaction for many organizations was to just take Google Analytics off of their website and stop running all ads. But where does that leave marketers and administrators responsible for increasing patients through an online presence?
Let's take a look at what changes you may need to make if you haven't already.
FAQs About Website HIPAA Compliance
1. Do these latest HIPAA standards apply to my website?
If your medical website, including physical and mental health services, has any of the following options on it for all visitors, then yes, you must be sure all data is collected and stored in a HIPAA-compliant manner.
- Your public-facing website provides information about medical conditions and their treatments, or
- Your public-facing website contains a doctor listing or search feature that allows users to filter by specific condition, or
- Your public website has any form on it, including requesting an appointment or a request for more information. Even the contact us form needs to be compliant. Simply telling the visitor that the form is not secure is not enough.
2. We don't collect information about patients on the public-facing website, do the 2022 HIPAA changes apply to us?
Yes, they do. The addition of the following verbiage to the HIPAA standards now includes all visitors to a healthcare website:
"Individually identifiable health information" is information, including demographic data, that relates to the individual's past, present, or future physical or mental health or condition...
You should now be protecting all information that comes through your website as you have been for patients. There's a bit of a catch, however. There are more data points considered PHI than what you can see on a completed form. You cannot store information about the visitor's IP address, device ID, or location more granular than their state. This can be a bit tricky! However there are ways to avoid sharing this information with third parties, such as Google Analytics.
3. Is Google Analytics HIPAA-compliant?
Google has made a lot of privacy updates in the past few years. However, their focus has been on meeting the European GDPR privacy requirements. While some of those requirements cross over with HIPAA, Google Analytics does not meet all of the requirements and will not sign a Business Associate Agreement (BAA).
Google has stated they are no longer storing IP addresses as part of their privacy updates. However, your visitors' device IDs and geographic locations smaller than a state are still in their system. Additionally, because some visitors will be logged into their Google account while using your website, Google Analytics will connect the user account to their activity and store that information on their non-HIPAA-compliant servers.
4. We don’t have forms or a physician search by specialty on our healthcare website. Does that mean the website is HIPAA-compliant?
Not necessarily. If you have information about a medical or mental health condition on your website, you must be sure you're not storing information about the visitor's device, their IP address, and their location on non-HIPAA-compliant servers. If you're using Google Analytics, there's a chance that this information is being stored by Google, and you'll need to make some updates. Start by going through Google and turning off their access to personal information as best you can.
Read more in our blog: 4 Datapoints You May Not Realize are PHI and What to Do About Them
5. I have a Meta (Facebook) pixel on our website. Is that a problem?
The Meta (also called Facebook) pixel is designed to track your visitors' activity on your website so that you can serve more customized ads to those same people through Facebook. This is precisely what HHS is trying to avoid. Even if you're not using the remarketing feature, the pixel is still collecting data about visitors that can't be left on a non-HIPAA-compliant server.
If your website has this pixel or any other ad pixel, it should be removed as soon as possible unless the company that has created the pixel will sign a BAA to ensure the visitor data is stored on a compliant server.
6. Is it acceptable to allow patients to request an appointment online?
Collecting information for an appointment or to request medical records through your website is certainly acceptable, even on public-facing pages. You need to, however, be sure that the form service or appointment request service will sign a BAA and ensure that your data is stored in a HIPAA-compliant manner. There are also steps that need to be taken when notifying your staff via email of the request to be sure you remain compliant.
7. Are there other services or tools that could be collecting PHI without my knowledge?
Depending on how your website is built, there can be other ways PHI is being stored in an unsecured way. WordPress websites use many different plugins. Each one will need to be evaluated. There are other content management systems that will store information, including IP addresses, about visitors unless you turn off various features.
How Can You Make Sure Your Healthcare Website is HIPAA-compliant?
There are quite a few options out there for anonymizing your website information and using HIPAA-compliant web services. Figuring out which are best for you can be overwhelming as you try to sort through each web service and what it stores. We are available to talk you through what you have now and recommendations for what you can do to make the website compliant.
