When Health and Human Services dropped new guidance for healthcare organizations’ use of marketing tracking technologies in December 2022, many organizations first thought about their use of advertising tracking pixels like those provided by Facebook/Meta or Google ads. The new guidance radically changed the working definitions that healthcare organizations across the country used to determine what was in or out of scope for HIPAA. As a result, the guidance changes the rules for many commonly used marketing technologies. That includes web and digital analytics platforms including the nearly ubiquitous Google Analytics (GA).
This post is part of a series. For more information about the changes proposed in the HHS guidance, see HIPAA Guidance Overview.
Interpretations of the December HIPAA guidance vary widely and there is no single agreed standard for compliance. Every organization should seek to establish its own understanding of what is and isn’t acceptable given HIPAA rules today and likely redefinition and expansion of privacy laws inside and outside of healthcare in the future.
As we discussed in the first installment in this series, the December guidance makes significant changes to the terminology the healthcare industry uses to determine what is in and out of scope for HIPAA. These definition changes go far beyond tracking pixels used for marketing purposes.
Essentially, anytime health consumers are involved, something as simple as an IP address combined with a URL can be problematic from a HIPAA perspective. Web analytics certainly checks those boxes. Although many analytics platforms like GA don’t let you view the data at the level of an identified individual, the platforms do receive the data at that level and typically store it that way.
What About GA4?
Google Analytics has been the most popular web analytics solution both inside and outside healthcare for many years.
Google has recently started sunsetting its Universal Analytics product in favor of its new GA4 platform. The investment in GA4 was made for several reasons but the urgency of moving users to the new platform and ending support for UA all comes down to General Data Protection Regulation (“GDPR”) — the European Union’s comprehensive privacy legislation.
You might think a GDPR-compliant platform would cover the bases for almost any privacy laws out there. Unfortunately, a complex patchwork of laws from different countries and US states interpret privacy differently, creating a messy mix of rules that make it far harder for vendors to provide solutions that are compliant for all variations.
GDPR and HIPAA approach the problem of securing and protecting sensitive personal data from very different places. GDPR looks at how data is stored and processed. HIPAA is more focused on how data is transmitted or disclosed. For GDPR compliance, GA4 has a sophisticated toolset for de-identifying the information that it receives before it’s stored or processed.
Unfortunately, that approach won’t work under HIPAA.
The December guidance makes that clear:
“… it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
What Options Does That Leave Us?
The good news is that there are a few alternatives for how to deliver web analytics securely:
- Host it yourself — There are a few commercial products that allow you to host the analytics solution yourself, either on your own physical servers or in a HIPAA-compliant cloud environment. The good news is that these are full-featured analytics solutions with no compromises. The bad news is that, in addition to licensing fees for the platform, you (or your IT department) take on the costs and headaches of running and maintaining the solution yourself, so few organizations are opting to go this way.
- Use a hosted analytics platform that will sign a BAA — Most web analytics platforms these days are only available as software as a service (SaaS). A few will sign a Business Associate Agreement (BAA). The cons here are cost (these solutions can be quite spendy) and the need to recreate all the triggers, events, and conversions that you previously had in Google Analytics. It’s a lot of work, but Geonetric can help you work through this approach.
- Use a privacy screen with Google Analytics — There are a few options for platforms that will intercept the requests from the end-user’s browser before they go on to GA4. The privacy screen lives in a HIPAA-compliant hosting environment and anonymizes the information before sending it on to GA4.
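To make the privacy-screen option concrete, here is an added example (not code from the original post or from any Geonetric product) of the scrubbing step such a screen performs before forwarding a hit to GA4: it drops headers that carry the visitor's IP address or cookies, removes the page title and any IP-override field, and trims URL-valued parameters to scheme, host and path. The parameter names (dl, dr, dt, cid, uip) are assumptions modelled on GA-style collect requests, and the sample hit is constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names modelled on GA-style collect requests
# (dl = page URL, dr = referrer, dt = page title). Verify them against
# the actual hits your site sends before relying on this list.
URL_PARAMS = {"dl", "dr"}
DROP_PARAMS = {"dt", "uip", "_uip"}      # page titles and IP-override fields
# Request headers that reveal the visitor's address or analytics cookies.
DROP_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded",
                "true-client-ip", "cf-connecting-ip", "cookie"}


def strip_to_path(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment, which on
    a healthcare site often carry search terms, appointment or record ids."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def scrub_hit(query: str, headers: dict) -> tuple[str, dict]:
    """Return the query string and headers the screen may forward to GA4.
    The upstream request is originated by the screen, so GA4 sees the
    screen's IP address rather than the visitor's."""
    kept = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in DROP_PARAMS:
            continue
        if key in URL_PARAMS:
            value = strip_to_path(value)
        kept.append((key, value))
    fwd_headers = {k: v for k, v in headers.items()
                   if k.lower() not in DROP_HEADERS}
    return urlencode(kept), fwd_headers


if __name__ == "__main__":
    # Constructed sample hit: what the browser sent to the screen.
    raw_query = ("v=2&tid=G-XXXXXXX&cid=1234.5678&en=page_view"
                 "&dl=https%3A%2F%2Fexample-hospital.test%2Fsearch%3Fq%3Doncology%26mrn%3D99"
                 "&dr=https%3A%2F%2Fexample.test%2Fpatient%2F42%23results"
                 "&dt=Oncology%20Results%20for%20J.%20Doe")
    raw_headers = {"X-Forwarded-For": "203.0.113.7", "Cookie": "_ga=GA1.1.1",
                   "User-Agent": "Mozilla/5.0"}
    clean_query, clean_headers = scrub_hit(raw_query, raw_headers)
    print(clean_query)
    print(clean_headers)
```

A production screen should allowlist the parameters it forwards rather than rely on a denylist, and it still handles identifiable data itself, which is why the post places it in a HIPAA-compliant hosting environment.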
When Does This Change Need to Happen?
By positioning these changes as guidance rather than acknowledging them as the significant regulatory changes they are, the Department of Health and Human Services (HHS) bypassed the normal process by which regulatory changes occur, such as open comment periods and implementation deadlines. HHS is essentially saying that these have always been the rules and that those not following them should do so as soon as possible!
In fact, a recent joint memo from HHS and the Federal Trade Commission (“FTC”) seems intended to urge organizations to move more quickly to change their approach to tracking in light of the new guidance. While many healthcare organizations have been unsure of how to proceed due to the vagueness of the guidance and have been hoping for additional details following the original guidance in December, it seems likely that enforcement actions will be coming before additional clarity.
If you need assistance with this process, whether with your compliance goals or with the Geonetric Privacy Filter, Geonetric can help. Contact us for a personalized compliance assessment today!
I’m not a lawyer. Geonetric is not a law firm. I’m sharing my insights and advice but nothing that I share here should be considered legal advice.