What You Need to Know About Google Analytics & HIPAA Compliance
Update on 3/21/2024: HHS released an updated version of its December 2022 guidance on online tracking technologies on March 18th, 2024. If you're looking for the most recent information, skip to our latest blog, HHS Bears Down: March 2024 Update from HHS on Online Tracking Technologies.
The 2022 guidance from the Department of Health and Human Services on the use of online tracking technology for healthcare organizations was a big topic at SHSMD’s annual conference. If you’re not familiar with HHS’ guidance, learn more on the topic in our previous blog: Based on the new HHS Guidance, is Google Analytics HIPAA-compliant?
While many healthcare marketers are concerned that HHS’ guidance is too broad, it’s safe to say that large organizations are taking this seriously and working to understand and reduce their risks. As a HIPAA compliant digital marketing agency, Full Media has been monitoring the situation closely, speaking with attorneys and investing in research to ensure our clients have solutions to continue a data-based approach to marketing while mitigating risks. We were also grateful to the speakers at SHSMD for helping continue to provide perspective and solutions to advance our practices and understanding of the issues at play.
Below are our biggest takeaways from the 2023 SHSMD conference on the issue:
Two different branches of the federal government are teaming up.
The Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) are joining forces on this issue, but each is focused on different entities. Under HHS, the OCR is primarily focused on “covered entities,” organizations that accept payments from Medicare, Medicaid and private insurance providers. The FTC is focused on companies that are adjacent to healthcare, like telehealth service providers or the online counseling giant BetterHelp. This year, the FTC requested more dollars in its next budget to research and pursue companies that are sending sensitive data to advertising platforms.
The takeaway here is that the federal government is taking this issue seriously, and companies that provide services to healthcare organizations also need to be concerned with how they handle sensitive health information.
Analyze your third-party code.
Speaker Jenny Bristow from Hedy & Hopp recommended analyzing all of the uses of third-party code on your website to determine if third parties are collecting any data through it. We know platforms like Google Analytics, Meta Ads and others collect data—that’s what the code is there for! But what about the others?
Get started by making a list of all third-party code used on your website. Tools like www.builtwith.com can help you understand what types of code and technology you are using. Depending on your own familiarity, you may need a developer or your digital agency to help come up with the list.
From there, decide:
- Does the code or tool share too much data with a third party?
- Can you sign a Business Associate Agreement (BAA) with the third party? This is especially important to consider with Customer Relationship Management (CRM) tools, UX or session replay tools and data warehouses.
- Is there a way to limit the data being sent out or adapt your usage of the code or tool?
- Code that may require additional consideration ranges from advertising pixels to map or video embeds.
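A first pass at the inventory step above, as an added example that is not Full Media's tooling: it parses a page's HTML and lists every host outside your own domain that scripts, pixels, iframes or stylesheets are loaded from, so each host can be reviewed for what it collects and whether it will sign a BAA. The sample HTML and hostnames are constructed.

```javascript
// Added example (not Full Media's tooling): inventory the third-party hosts a
// page loads code or embedded content from, as a first pass at the list above.
// The sample HTML and hostnames are constructed.

// Match the src/href of tags that execute code or embed remote content.
const TAG_RE = /<(script|iframe|img|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Returns [{ host, tags }] for every host that is not the first party or one
// of its subdomains, so each one can be reviewed for data sharing and a BAA.
function inventoryThirdParties(html, firstPartyHost) {
  const found = new Map(); // host -> Set of tag names
  for (const m of html.matchAll(TAG_RE)) {
    const [, tag, rawSrc] = m;
    let url;
    try {
      // Resolve relative and protocol-relative URLs against the first party.
      url = new URL(rawSrc, `https://${firstPartyHost}/`);
    } catch {
      continue; // skip malformed URLs rather than crash the inventory
    }
    const h = url.hostname;
    if (h === firstPartyHost || h.endsWith("." + firstPartyHost)) continue;
    if (!found.has(h)) found.set(h, new Set());
    found.get(h).add(tag.toLowerCase());
  }
  return [...found.entries()]
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }));
}

// Constructed sample page: a first-party script and stylesheet, an analytics
// tag, an ad pixel, a map embed and a video embed.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/site.css">
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView">
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
<iframe src="//www.youtube.com/embed/PLACEHOLDER"></iframe>
</body></html>`;

for (const { host, tags } of inventoryThirdParties(SAMPLE_HTML, "example-hospital.org")) {
  console.log(`${host.padEnd(30)} ${tags.join(", ")}`);
}
```

Run it against a saved copy of each key page (homepage, scheduling, patient portal login); tags injected later by a tag manager will not appear in static HTML, so check the tag manager container separately.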
Options to keep a data-based marketing approach in 2023.
It’s important to remember that the guidance from HHS is not law, merely an indicator of how the department is thinking about consumer health data online. Healthcare organizations are still hoping that HHS will further clarify its guidance by limiting its sweeping statements about IP addresses. However, there are organizations deciding to act now, rather than risk it. In those cases, there are some common approaches people are taking:
Server-side Google Tag Manager
This method enables organizations to continue to use Google Tag Manager, but the data collected on the website is immediately sent into a private, HIPAA-compliant server owned and managed by the healthcare organization. From there, the server sends the data out to Google Tag Manager, then into Google Analytics, without sending along any sensitive data points, like IP addresses or user IDs.
This approach requires that the healthcare organization have a fair amount of technical expertise in-house or can contract it from an agency. Full Media offers server-side Google Tag Manager. This method helps preserve your current processes, while remaining cost-effective for organizations from small physicians groups to health systems. Learn more about our server-side GTM offering.
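The filtering step described above, as an added example that is not Full Media's or Google's code: the private server receives the full event from the browser and forwards only an allowlist of fields, dropping the IP address, user ID and user agent, and trimming page URLs down to their UTM parameters so identifiers in query strings never reach the vendor. The field names and the sample event are assumed for illustration, not a specific vendor's schema.

```javascript
// Added example (not Full Media's or Google's code): the filtering a first-party
// tag server applies before forwarding an event to a vendor. Field names are
// assumed for illustration, not a specific vendor's schema.

// Deny by default: only these top-level fields ever leave the private server.
const FORWARD_ALLOWLIST = new Set([
  "event_name", "client_id", "page_location", "page_title", "engagement_time_msec",
]);
// Inside page URLs, keep only campaign-tagging parameters; anything else in a
// query string (record numbers, appointment IDs, search terms) is dropped.
const QUERY_ALLOWLIST = /^utm_(source|medium|campaign|term|content)$/;

function stripUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return undefined; } // unparseable: drop it
  const kept = new URLSearchParams();
  for (const [k, v] of url.searchParams) {
    if (QUERY_ALLOWLIST.test(k)) kept.append(k, v);
  }
  url.search = kept.toString();
  url.hash = "";               // fragments can carry identifiers too
  url.username = "";
  url.password = "";
  return url.toString();
}

function sanitizeForForwarding(event) {
  const out = {};
  for (const [k, v] of Object.entries(event)) {
    if (!FORWARD_ALLOWLIST.has(k)) continue; // ip, user_id, user_agent never forwarded
    out[k] = k === "page_location" ? stripUrl(v) : v;
  }
  if (out.page_location === undefined) delete out.page_location;
  return out;
}

// Constructed incoming event, as the browser-side tag would send it to the
// organization's own server.
const SAMPLE_EVENT = {
  event_name: "page_view",
  client_id: "1234567890.1700000000",
  user_id: "patient-00042",
  ip_override: "203.0.113.7",
  user_agent: "Mozilla/5.0 (constructed)",
  page_title: "Oncology - Schedule an Appointment",
  page_location: "https://www.example-hospital.org/oncology/schedule?mrn=00042&utm_source=google&utm_campaign=spring#step2",
};

console.log(sanitizeForForwarding(SAMPLE_EVENT));
```

Page titles can also name a condition or department, so decide with counsel whether page_title belongs on the allowlist for your site.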
Customer Data Platform (CDP)
These platforms replace Google Tag Manager on the website, collecting all the necessary data and executing any tags. From there, the healthcare organization can choose what data is sent on to tools like Google Analytics, Google Ads, Meta Ads and more. There are platforms that will sign a BAA and help with HIPAA compliance. This option provides a lot of functionality and prevents disruption to your existing processes, but CDPs can be costly.
HIPAA-Compliant Analytics Platform
By switching away from Google Analytics entirely, you can choose an alternative analytics platform that is HIPAA compliant and will sign a BAA with your organization. This will require setting up and learning a new analytics platform, but there are relatively cost-effective options out there. Because Google Analytics is so widely used, most platforms integrate with it; it’s less likely that the other tools you use will integrate with a Google Analytics alternative, but it may be worth it!
You’ll want to work with your agency or your internal team to make sure your advertising is well-tagged using UTM parameters and consider how to redevelop your reporting.
The digital privacy landscape is changing, in general.
HHS guidance aside, be sure to keep up with national and state laws too. More and more lawmakers and regulatory bodies are becoming concerned with how consumer data is shared and used online. Many of us may be familiar with the European Union’s stringent GDPR, but more and more states are discussing and passing laws that protect online privacy.
California, Connecticut, Virginia and Colorado have all passed digital privacy protections, while Utah, Iowa, Montana, Indiana and Tennessee are all considering their own laws. Organizations need to have an updated privacy policy, and they should consider cookie opt-in messages and opt-in checkboxes to receive email outreach. These laws are not specific to healthcare organizations, although they do apply to them, but states do have special concerns about patient privacy too. Just this year, New York passed a new law banning advertising that geofences around hospitals and medical clinics.