HIPAA guidelines changed in 2022 to cover more than the collection and storage of information about patients: they now also extend to non-patient visitors to a medical practice or health system website that contains information about medical conditions or treatments.
Previously, PHI included obvious information about a patient that needed to be stored securely including their name, email, address, etc. Today, PHI also includes identifiers that are much harder for the average marketer to access, but could release identifying information to Google, Facebook or another third-party, non-HIPAA compliant service that you use as part of your healthcare digital marketing stack.
PHI Definition Now Includes ALL Medical Website Visitors + More Data Points Than Ever Before
Among the PHI identifiers listed below, the ones discussed individually in the numbered sections that follow (IP addresses, sub-state geographic data, unique account identifiers and device identifiers) are the new HIPAA identifiers added in 2022 that are especially critical for healthcare marketers to address:
- Email addresses
- Phone numbers
- Fax numbers
- IP address
- Physical Addresses or any geographic identifier smaller than a state
- Social security numbers
- Medical record numbers
- Account numbers
- Appointment and birth dates
- Any unique identifying number, characteristic, or code
- Vehicle Identification Numbers (VIN) & License plates
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Biometric identifiers, including finger and voice prints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Certificate/license numbers
1. IP Addresses ARE Now Considered PHI – For All Visitors
An IP address is a set of numbers associated with each specific device connected to the internet. They might look like 01.102.103.104 or 2001:db8:3333:4444:5555:6666:7777:8888.
Every device has one so that, as you browse the internet, your requests to view various web pages can be delivered back to your device. Covered entities cannot store any visitor's IP address on a third-party service, such as Google, Facebook, YouTube, etc., that is not HIPAA compliant. Google states that Google Analytics 4 does not store IP addresses on its servers, mostly so that it can meet GDPR privacy requirements. But other services you may be using do store IP addresses.
2. Geographic Areas of Your Visitors Smaller Than a State Can't Be Stored in Your Database
The IP address will give the web service a sense of where you’re coming from, down to the city. Google Analytics collects this information on their servers about who has been to your website. It’s a standard report included in Google Analytics 4. Other services also know where you’re located so they can send you ads that are specific to your region.
3. Unique Identifiers Created When Services Have User Accounts
Anyone who has an account with a service such as Google or Facebook has a unique identifier with that service. This allows a service such as Google to put together information about its users to build a profile, understand preferences, and tie their devices together in a single user profile. That profile can also include Google Ads clicks, giving the service a more thorough picture of the individual so that future ads can be more personalized.
By knowing the name, email address, and other PHI about specific account holders, Google would be holding PHI. However, its servers are not HIPAA compliant, and it will not sign a Business Associate Agreement that would let you align with the HIPAA guidelines.
4. Device Identifiers: PHI You Would Never Ask Someone to Provide
This ID is not something you would ask someone to submit on a form, and most marketers would not even know how to gather it from someone as part of a marketing activity. It is strictly behind the scenes. A device ID is a string of numbers and letters that uniquely identifies a mobile device such as a smartphone, tablet or smartwatch. While you might not collect this information, services like Google might. They want to see whether an account holder is using more than one device, allowing them to piece together a bigger picture of your visitors' activity and habits.
HIPAA Guidelines Now Require You to Protect Patient AND Non-Patient Visitor Data
Not only can you not collect and store any of the above information about a patient on a non-HIPAA compliant service, but now you cannot store it about ANY visitor on any page to a medical website that includes condition or treatment information. That’s right. Even data from visitors on non-authenticated (public-facing) web pages who are not your patients is covered under the current HIPAA guidelines. This means every visitor to every page of a medical practice or healthcare system website that includes information about medical conditions or treatments must have their data protected.
How Do You Remain a Data-Driven Healthcare Marketer in 2024?
At first, it sounds like your hands might be tied behind your back, sending you back to the old days of marketing before we could prove an ROI. But there are ways to get the information you need to make decisions and run HIPAA-compliant marketing through a HIPAA-compliant website.
There are some services like Google that are not going to sign a BAA. But you don’t have to stop using them. You just have to stop giving them information about your visitors.
Here are the steps we recommend you take to navigate through this new HIPAA landscape.
1. Evaluate all of the services you use on your website to see if they are collecting and storing any information that is now considered PHI.
Most services will tell you more about what they collect and store in their privacy policies. If you don’t see what you need, reach out to their support desk. Be sure to ask very specific questions about data points they may be storing. If you ask them whether they’re HIPAA compliant, the answer may not be valid since most people aren’t yet aware that HIPAA covers more than just patients who visit websites.
2. Find a way to avoid giving the information to third-party services.
The best way to prevent third parties from misusing your data is to never let them have it in the first place. It is possible to still gather information through Google Analytics and Facebook about your visitors in a way that does not allow these services to store data such as IP address, user ID, device ID, and city.
3. Where necessary, change to HIPAA-compliant marketing and web service options that will sign a BAA.
This is applicable to collecting any visitor's name, email address or other contact information. It’s normal to offer a blog or podcast subscription, a newsletter signup or even to offer content that requires a name and email before providing the information to your visitor. Just be sure you’re doing that with a service that has specifically stated they are HIPAA compliant and will sign a business associate agreement.
3 More Actions You Can Take To Avoid Storing PHI on Non-HIPAA Compliant Servers
- Stop any type of re-marketing if you’re a covered entity. The very essence of remarketing is to resend marketing messages to your visitors (patients or non-patients) based on their previous website activity. This can be a little uncomfortable, at best, and a violation of the HIPAA guidelines.
- Turn off as many features of Google Analytics 4 as you can to reduce the amount of PHI that reaches Google. Google allows you to stop gathering certain information. This doesn't get you all the way to being HIPAA compliant, however: there are some pieces of data it can still gather to understand how people are using your website.
- Remove any pixels on your website that may be sending information about visitors to third parties such as Facebook.
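Step 1 above (inventory the services your site loads) and the pixel-removal action can be started from the page source itself. The following is an added example, not code from the original article: it parses an HTML page with the Python standard library, lists every script, image, iframe or stylesheet fetched from a host other than your own, and flags 1x1 image beacons. The vendor hostnames and the sample page are constructed for illustration and are assumptions, not data from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed hostname-to-vendor map (assumption, not from the article) for
# services the article names as not signing a BAA. Extend it for your own stack.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.youtube.com": "YouTube embed",
}

class ThirdPartyTagAuditor(HTMLParser):
    """Record every external resource a page loads and which vendor owns it."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or (a.get("href") if tag == "link" else None)
        if not url:
            return
        host = urlparse(url).hostname
        if not host or host == self.first_party_host:
            return  # relative or same-site resource: no third party involved
        # A hidden 1x1 image is the classic tracking-pixel pattern.
        is_pixel = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
        self.findings.append({"tag": tag, "host": host, "pixel": is_pixel,
                              "vendor": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})

def audit_html(html, first_party_host):
    """Return the list of third-party resources found in the page markup."""
    parser = ThirdPartyTagAuditor(first_party_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page for a condition/treatment article on a clinic site.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/js/site.js"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.net/style.css">
</head><body><h1>Knee Replacement Options</h1>
<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=0&ev=PageView">
<img src="https://www.clinic.example/images/knee.jpg">
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "www.clinic.example"):
        print(f"{f['tag']:<7}{f['host']:<32}{f['vendor']}{'  [pixel]' if f['pixel'] else ''}")
```

Every host the audit lists is one that receives the visitor's IP address on page load, so each needs either a signed BAA or removal; resources injected later by tag managers will only show up in a browser's network log, not in the static markup.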
This is a lot to take in if you’re just learning about it. The good news is that you don’t have to throw away all of your smart marketing (smarketing :-) because you’re a covered entity. You just have to change how you gather data in many cases.
If you’d like to learn more about how to complete a website evaluation, request a free 30-minute analysis from our team to get you started. We can point out technologies that may be storing PHI on non-HIPAA secure servers.