If you haven’t made changes in the past year to how you collect information from website visitors AND about website visitors, your medical practice or hospital is most likely not HIPAA compliant.
You may not even realize you’re collecting some of these new PHI data points behind the scenes!
Rather than just shutting down all of the sophisticated digital marketing tools you’re using to grow the business, let’s take a look at what you can do to get in compliance as quickly as possible.
Any personally identifying information about any visitor to a medical practice website must be collected through a HIPAA-compliant service. This applies to every visitor whether they are a patient or could become a patient in the future. Examples include:
This process requires you to look at what data is submitted to third-party services even when the visitor never entered it in a web form. This includes data points such as IP address (which also reveals their city) and device ID. You wouldn’t know it was being stored unless you really look.
Here are just a few of the things you need to review:
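One way to do that review is to export a HAR capture from the browser's developer tools while loading the site and list every third-party host that received an identifier-shaped parameter. The script below is an added example, not part of this article or any vendor's tooling; the practice domain, the hand-written capture and the parameter watchlist are all assumptions you would replace with your own.

```python
import json
import re
from urllib.parse import urlparse, parse_qs

# Constructed HAR-shaped capture, hand-written for this example (not a real browser export).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.example-clinic.test/contact"}},
    {"request": {"method": "GET",
                 "url": "https://tracker.example.test/collect?cid=12345&device_id=abc-987&ip=203.0.113.7"}},
    {"request": {"method": "POST", "url": "https://ads.example.test/pixel",
                 "postData": {"text": "email=pat%40example.test&page=%2Fcontact"}}},
]}})

FIRST_PARTY = "example-clinic.test"  # assumed practice domain; everything else is third party
# Assumed watchlist of parameter names that carry identifiers; extend it per vendor tag.
WATCHLIST = {"ip", "device_id", "cid", "client_id", "uid", "email", "phone"}
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_third_party(url, first_party=FIRST_PARTY):
    """True unless the request host is the practice domain or one of its subdomains."""
    host = urlparse(url).hostname or ""
    return host != first_party and not host.endswith("." + first_party)

def request_params(request):
    """Merge query-string and form-encoded POST body parameters into one dict."""
    params = parse_qs(urlparse(request["url"]).query)
    for name, values in parse_qs(request.get("postData", {}).get("text", "")).items():
        params.setdefault(name, []).extend(values)
    return params

def flag_params(params):
    """Parameter names on the watchlist or whose value looks like an IP address or e-mail."""
    return sorted(name for name, values in params.items()
                  if name.lower() in WATCHLIST
                  or any(IPV4_RE.match(v) or EMAIL_RE.match(v) for v in values))

def audit_har(har_text, first_party=FIRST_PARTY):
    """Map each third-party host to the identifier-like parameters the page sent it."""
    findings = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if is_third_party(req["url"], first_party):
            host = urlparse(req["url"]).hostname
            findings.setdefault(host, set()).update(flag_params(request_params(req)))
    return {host: sorted(names) for host, names in findings.items()}
```

Running `audit_har(SAMPLE_HAR)` on the constructed capture reports that tracker.example.test received `cid`, `device_id` and `ip`, and ads.example.test received `email`; a real export will also surface hosts you did not know the site was talking to.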
And there are dozens more services depending on the complexity of your website.
If you are using services that collect any PHI, such as Google Analytics, it’s time to make changes.
Pro Tip: You don’t have to get rid of Google Analytics and most Google and Meta Ads.
As a marketer, practice manager, compliance officer, or a physician you must ensure this is addressed.
You can leverage what we've learned to fast-track your digital marketing compliance with our free online class.
1. A more detailed explanation of how HIPAA has changed and what that means for your digital marketing and website.
2. An explanation of how to identify and audit the services you are using to see if they collect or store PHI.
3. A better understanding of how you can make changes to your current services to make them HIPAA compliant.
PLUS: A free planning workbook to audit and evaluate all of your digital services and how they handle PHI.