Healthcare organizations understand that there are steps that they need to take in response to the HHS guidance regarding marketing tracking technologies in December 2022. Unfortunately, for some organizations, their compliance issues may be far larger than they realize.
This post is part of a series. For more information about the changes proposed in the HHS guidance, see HIPPA Guidance Overview
Interpretations of the December HIPAA guidance vary widely and there is no single agreed standard for compliance. Every organization should seek to establish its own understanding of what is and isn’t acceptable given HIPAA rules today and likely redefinition and expansion of privacy laws inside and outside of healthcare in the future.
What’s the Trouble?
As we discussed in our previous installments, the December guidance makes significant changes to definitions the healthcare industry uses to determine what’s in and out of context for HIPAA. Essentially, anytime that we have health consumers involved, something as simple as an IP address and URL can be problematic from a HIPAA perspective.
As you can imagine, this can include a lot of moving pieces. The guidance calls out advertising tracking pixels from companies like Google Ads and Facebook/Meta (although we’ll talk more about these later in the series), and we’ve already talked about the challenges of web analytics but there’s more to consider: hosting providers, firewall vendors, load balancers, audit logging tools, backup and recovery tools, email marketing tools, marketing automation platforms, call tracking vendors, advertising agencies…the list goes on and on.
And at the center of the marketing technology stack are web content management systems (CMS) and digital experience platforms (DXP). Some tools will offer easy answers. Maybe the tool is only used with donors or providers and isn’t used with patients or health consumers. Perhaps the vendor in question has a compliance program in place and will sign a BAA for the solutions that you are using. In many cases, however, the reality of the new guidance is that some common platforms and tools simply aren’t going to be options for healthcare organizations or their partners moving forward.
The CMS and DXP Challenge
The new guidance means that any system touching live health consumer traffic is in context for HIPAA. The platform that your websites run on is on the top of that list. Unfortunately, many of the common platforms in use by healthcare organizations today aren’t compliant and won’t sign a BAA. While that may have been appropriate when you first licensed that platform, this is no longer the case today.
The simplest strategy, then, is to work with a HIPAA-compliant solution that will sign a Business Associate Agreement, like Geonetric’s VitalSite™ CMS.
At the time of this writing, many of the most common web management platforms in use by hospitals today including SiteCore, Acquia, and Optimizely won’t sign a Business Associate Agreement (BAA).
One way to use some of these tools in a complaint manner is to host them yourself on servers you own or through a HIPAA-compliant hosting solution (or work with a partner who is willing to do this for you). Unfortunately, since the industry seems to favor multi-tenant Software as a Service (SAAS) or other similar architectural models, many popular components of these software suites are only available in some sort of vendor-hosted option.
That said, even if you generally trust the vendor that you use, the law says that they need to sign a BAA if they have a chance of encountering PHI through the work that they’re building with you. In addition, many of the vendors that they work with (cloud platforms, firewalls, etc.) then need to sign subcontractor BAAs as well. This may involve different versions of those platforms, special installations, or other changes from their normal solutions. If your vendor isn’t committing to a BAA with you then odds are they haven’t secured those subcontractor BAAs with all the other tools and partners that they work with.
The Open-Source Conundrum
Compliance challenges for organizations utilizing open-source platforms can be even more complicated. One of the great benefits of open-source platforms like Drupal and WordPress is the large number of easily available components, plug-ins, templates, and code that are available for little or no cost. As another bonus, there are HIPAA-compliant hosting options for these tools. Like any of component of your marketing technology stack, it’s critically important that any code or components that are created by third parties are closely scrutinized to understand what data is captured, where it’s stored, where it might be sent, and who has access. Unfortunately, many of these free or inexpensive components are difficult to assess from a HIPAA compliance standpoint which may make these solutions far less appealing in the future.
It’s Time for Vendor Management
Every Covered Entity and Business Associate needs to run a risk assessment for their organization and part of that process is looking at the entire marketing technology stack. For each tool, platform, and vendor on that list, you need to look critically at the data that it touches, where and how it’s being used, if you have (or can get) a BAA in place with that vendor, and then make some decisions about how (or if) you’ll work with them in the future. It’s a lot of work, but it’s necessary to address the changes in the new HHS guidance.
It is important to understand all the components that you’re utilizing from a particular vendor and then scrutinize each. It may be possible to self-host your web CMS, but the search function for your website be through a third-party service. Many advanced DXP capabilities such as Customer Data Platforms, personalization tools, and shiny new AI-powered capabilities may not be available in a HIPAA-safe manner.
If you need assistance with this process regarding your compliance goals and Geonetric Privacy Filter, Geonetric can help. Contact us for a personalized compliance assessment today!
I’m not a lawyer. Geonetric is not a law firm. I’m sharing my insights and advice but nothing that I share here should be considered legal advice.