
HHS Clarifies Latest HIPAA Rules: What Covered Entities Need to Do Now

by Mary Ann Hegvold on March 25, 2024

As you likely know, the Department of Health & Human Services (HHS) extended the definition of PHI at the end of 2022 and broadened the scope of who is covered under these new rules. The policy requires hospitals and HIPAA-covered entities to change how they collect and store information about website visitors on public-facing (unauthenticated) pages that offer information about medical conditions or healthcare providers. 

Specifically, the Meta Pixel and Google Analytics are the points of focus. Neither of these services offers a HIPAA-compliant option for storing data about the covered entities’ website visitors. There are other tracking technologies that also fall into this category.

HIPAA Rules Are Specifically Targeting Google Analytics and the Meta Pixel

The immediate reaction for some healthcare providers was to remove the Facebook (Meta) pixel and Google Analytics from their websites so that the newly defined PHI data points could not be passed along. 

One of the Meta pixel’s uses is remarketing your website to visitors, which has never been a good idea in healthcare. So losing that one shouldn’t be too bothersome.

However, losing insight into your website visitors’ activity through Google Analytics is a big deal. This would set marketers back by decades in how they plan and execute growth marketing strategies.

Some healthcare groups changed all of their data tracking to HIPAA-compliant tools, which came with its own set of issues, including loss of past data.

And a large group of healthcare providers still need to act to make their public-facing websites meet HIPAA requirements. 

If you’re in the first or third category, keep reading!

It’s Official: The Updated HIPAA Rules Are Here to Stay

Many covered entities were holding out on making changes. They were hoping for a revision from HHS. On March 18, 2024, HHS provided some clarity on their 2022 updates related to the use of web trackers and collection of PHI, especially for visitors who are not patients. The summary: Not much is tangibly different from what they originally published. 

There are, however, three takeaways that clear up some of the questions about how to apply the HIPAA rules of 2022.  

1. All Visitors to Healthcare Websites Need to Have Their Information Treated as PHI

The 2022 guidance from HHS introduced unauthenticated web pages into the mix. Until then, you only needed to collect information about current patients using HIPAA-compliant services. Now, you need to keep data about all visitors, whether they are patients or could one day become patients, from reaching a non-HIPAA-compliant third party. This means you cannot send visitor data about public-facing web pages to services like Facebook or Google unless you take additional action to block the IP address.

The March 2024 update didn’t change much about this other than to reiterate that some of the website pages are not included in the PHI tracking, like the careers page or location information. You also don’t need to protect the PHI of visitors who are simply doing research, such as a college student.

But how would you know if they were on your website for a college research paper or because they were looking at the medical services and treatments for a particular condition because they need them? You can’t. You also can’t tell if a job seeker is looking at pages related to medical conditions. There’s no reasonable way to separate that out. 

NET NET: You have to anonymize all the visitor data that goes to Google Analytics. This can be done through a customer data platform. However, these tools often bring more complexity and a higher price tag than what is necessary to get the job done – especially for small to mid-sized organizations. You can achieve anonymization with a simpler and less expensive process.

Watch our free Masterclass to see how:

"How to Use Google Analytics (and other digital marketing tools) in a HIPAA-Compliant Way" PLUS: Download our free audit tool for identifying the tools that could be tracking IP addresses.

2. IP Addresses Cannot Be Shared with Non-HIPAA-Compliant Services

If you didn’t know what an IP address was before 2023, you probably do now. It’s the unique identifier that not only indicates the specific device that’s connected to the internet but also can be used to identify the city the visitor is coming from. Both of these are out of bounds for healthcare websites.

Some covered entities read this to mean that because Google doesn’t store the IP address of website visitors, it’s still safe to use. HHS clarified this in March: not only may a non-HIPAA-compliant service not store IP addresses, Google Analytics is not permitted even to receive them.

HHS confirmed the following in 2024:
It is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves [stores] the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.

NET NET: Google doesn’t sign BAAs for Google Analytics. Unless you put an anonymization service in place, Google receives IP addresses from the individual devices visiting your website. Google cannot have access to that data. If you’re running Analytics now, it’s time to get something in place to stop IP addresses from reaching Google at all.

There could be other trackers on your website sending PHI to third parties that are not HIPAA-compliant. If you’re not sure, let’s run a website tracker audit. It takes minutes and could save you tens of thousands of dollars in the long run.

3. Consent Banners are Not Enough

The 2022 policy update stated that healthcare marketers were prohibited from using website trackers unless they obtained explicit permission from their website visitors. This brought on the use of “consent banners” that appear when you visit a website. While there may be a need to disclose cookies used on your website to meet state privacy laws, that is not a part of the HIPAA rules. And simply asking for permission to track the visitor is not enough. PHI is still being collected and handed to non-HIPAA-compliant third parties. 

NET NET: Asking permission to track the visitor doesn’t meet HHS requirements. You still can’t collect data that is considered PHI about any visitor on a web page with medical conditions, treatments, symptoms, or provider information. 

You Have to Take Action Now

If you haven’t already taken steps to anonymize the data that Google Analytics receives and removed any other trackers from your website, the time is NOW. HHS gives a warning:

[Covered entities] sharing PHI with tracking technology vendors must follow HIPAA’s Breach Notification Rule and provide notification of a breach of unsecured PHI to HHS, the individual, and the media (when applicable), “when there is no Privacy Rule requirement or permission to disclose PHI,” and there is no business associate agreement with the tracking technology vendor.

Read that one more time. If you continue to use Google Analytics without anonymizing your visitor data, you need to report a data breach to HHS! 

See what you need to do next in our free HIPAA Masterclass on how to use Google Analytics without sharing IP addresses.

Your Action Plan for HIPAA-Compliant Google Analytics Usage

If your medical practice, hospital, or other covered entity has not yet taken steps to gather website data in a HIPAA-compliant way, and you want your marketing team to use 21st-century tactics, then follow these steps to get compliant:

1. Assess what’s on your website now.

You have to know what’s running to know what you may need to change. This can include the Facebook pixel, Google Analytics, Google Ads, embedded YouTube videos, and even your website hosting server.

If you’re not sure how to tell, we'll run a free audit for you.

2. Determine if you have business associate agreements (BAAs) in place with all the website tracking and digital marketing services. For services without a BAA, take action ASAP.

  • Remove pixels that are sending PHI to third parties about your visitors to any page of your website. We can tell you what these are, or your web team should be able to provide more information about them. 
  • Anonymize the data before it reaches Google Analytics or Google Ads. This makes it possible to use these services in a HIPAA-compliant way. (Ask us how.)
  • Check your web forms. If you do not have a BAA for the web form collection service on the website, replace it immediately with a HIPAA-compliant option. (HINT: we see a lot of WordPress forms that are not HIPAA-compliant.)
  • Assess any plugins used on your website that may be collecting IP addresses or other identifying information about visitors to your healthcare website. Create a plan to remove any that interact with PHI or find options that are HIPAA-compliant.

3. Monitor any future tools you want to use to be sure they are HIPAA-compliant.

This is a lot to think about. To help you out, we offer a free masterclass that will show you how to conduct an audit of your website. See if there are services you need to address by either anonymizing (i.e., Google Ads and Google Analytics) or changing to a HIPAA-compliant option.
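As an added example of the "assess what’s on your website" step, here is a small Python script that statically scans a page’s HTML for known tracking loaders, inline tracker initialisation calls, third-party iframes and forms that post to third-party hosts. This is example code written for this article, not the audit tool the author offers; the vendor host list, the first-party hostname example-clinic.test and the sample page are constructed for the example, and a real audit should also watch live network requests, since tag managers can load trackers that never appear in the HTML.

```python
"""Static audit of page HTML for third-party tracking and data-collection tags.

Constructed example: the hostname map below covers well-known public script
hosts for the Meta Pixel, Google tag / Analytics / Ads and YouTube embeds.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known third-party script/embed hosts and what their presence indicates
# (hypothetical list for this example; extend with the vendors you track).
KNOWN_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.googletagmanager.com": "Google tag (gtag.js / GTM)",
    "www.google-analytics.com": "Google Analytics",
    "googleads.g.doubleclick.net": "Google Ads conversion",
    "www.youtube.com": "YouTube embed (third-party request on page load)",
}

# Inline JavaScript that initialises a tracker even when no <script src> is used.
INLINE_PATTERNS = {
    "Meta Pixel init": re.compile(r"fbq\(\s*['\"]init['\"]"),
    "Google tag config": re.compile(r"gtag\(\s*['\"]config['\"]"),
}

FIRST_PARTY_HOST = "example-clinic.test"  # constructed first-party hostname


class TrackerScanner(HTMLParser):
    """Collects script/iframe sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, host_or_label, explanation)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._check_host("script", a["src"])
        elif tag == "iframe" and a.get("src"):
            self._check_host("iframe", a["src"])
        elif tag == "form" and a.get("action"):
            # A form posting off-site hands whatever the visitor types to that host.
            host = urlparse(a["action"]).hostname
            if host and host != FIRST_PARTY_HOST:
                self.findings.append(("form", host, "form posts to a third party (BAA needed)"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for label, pattern in INLINE_PATTERNS.items():
            if pattern.search(data):
                self.findings.append(("inline", label, "tracker initialised in inline script"))
        # Pixel bootstraps typically inject the loader URL from inline code.
        for host, meaning in KNOWN_HOSTS.items():
            if host in data:
                self.findings.append(("inline", host, meaning))

    def _check_host(self, kind, src):
        host = urlparse(src).hostname  # None for relative (first-party) paths
        if host and host in KNOWN_HOSTS:
            self.findings.append((kind, host, KNOWN_HOSTS[host]))
        elif host and host != FIRST_PARTY_HOST:
            self.findings.append((kind, host, "unrecognised third-party resource; review"))


def audit_html(html):
    """Return the list of findings for one page's HTML."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a condition page with GA, Meta Pixel, a YouTube
# embed, a first-party script, a third-party form and a first-party form.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-XXXXXXX');</script>
<script>!function(f,b,e,v,n,t,s){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="/js/site.js"></script>
</head><body>
<h1>Knee replacement surgery</h1>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<form action="https://forms.example-vendor.test/submit" method="post"><input name="email"></form>
<form action="/contact" method="post"><input name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, where, meaning in audit_html(SAMPLE_PAGE):
        print(f"{kind:7} {where:35} {meaning}")
```

Each finding names where the tag was found (script tag, iframe, inline script or form) so the web team can locate and remove it, or decide which ones need a BAA or an anonymizing proxy in front of them.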