User privacy was once again in the spotlight a few months ago as a result of lawsuits filed against Meta and various hospitals. It has been a hot topic for quite a while, and the recent news regarding Meta and the hospitals brought it back to the fore.
It was found that the Meta Pixel collected more user data than anticipated. Investigations revealed that some medical information, physician consultations, and even allergies were posted on Facebook.
This once again raised the question: how safe is user information in reality, and what is being done to ensure that consumers' data is in safe hands?
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act, or HIPAA, was first submitted as a piece of legislation in 1996. Its principal objective is to guarantee the protection of personally identifiable information.
Protected health information, also known as PHI or ePHI, is the name given to data that is covered by HIPAA. The HIPAA regulations' restrictions on the collection, storage, and sharing of consumer data present great difficulty for firms that use this information for their benefit.
PHI includes any information that can be used to determine a person's past, present, or long-term health status. It covers test results and diagnoses along with other details such as age, date of birth, race, and gender. Under HIPAA, even your IP address may be regarded as ePHI.
When it comes to digital analytics tracking, HIPAA compliance can present a challenge. PHI is defined by HIPAA as any information that could be used to identify an individual and includes information such as location data, telephone numbers, URLs, device serial numbers and IDs, and IP addresses which are often collected by digital analytics tools.
To comply with HIPAA regulations, healthcare businesses must develop a Business Associate Agreement (BAA) with service providers. A BAA is an agreement that ensures both parties are compliant and liable for the services they provide.
However, it's important to note that BAAs can be expensive and may require a higher tier of licensing. Additionally, not all organizations may provide BAAs.
Healthcare businesses that disregard HIPAA regulations run serious risks. Significant fines, legal actions, and possibly criminal charges may follow, and fines for non-compliance apply even when the violation was unintentional.
Far more damaging than the fines is the loss of patients' trust, which is impossible to regain once it has been broken. Adherence to HIPAA is enforced with fines of $1 million or more and prison terms of at least ten years.
What does PHI include?
The 18 identifiers that qualify as PHI are listed in the HIPAA Journal in an easy-to-read manner.
Six of these are identifiers that digital analytics tools frequently collect:
- Geographic data that locates the user more precisely than the state level
- Telephone numbers
- Account numbers
- Web URLs that contain information about a medical condition or other PHI
- Device serial numbers and IDs
- Internet Protocol (IP) addresses
How does HIPAA Compliance work?
Several analytics services can support HIPAA compliance through a Business Associate Agreement (BAA). This is essentially an agreement with a service provider that ensures both parties are compliant and liable for the services they deliver.
BAAs can be quite expensive and may require organizations to buy a higher tier of license than they need, to protect third parties from exposure to risk and scrutiny. It is also important to remember that not all platforms provide BAAs.
What is the recent scenario regarding HIPAA Compliance?
The user privacy case prompted a lot of changes in HIPAA, and new information was released. The obligations of HIPAA Covered Entities and Business Associates were further outlined in a bulletin that the US Department of Health and Human Services (HHS) released in the closing weeks of 2022.
The document tackles tracking technologies in detail, including website analytics, marketing pixels, session replay scripts, and other tools that collect Protected Health Information (PHI).
What's in the Bulletin?
This bulletin, released by the HHS Office for Civil Rights (OCR), addresses the responsibilities of HIPAA-regulated entities that use tracking technologies. The bulletin states that tracking technologies gather and analyze data about how users interact with the websites or mobile applications ("apps") of regulated entities.
When these tracking technologies gather PHI, HIPAA regulations apply. The bulletin lists cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts as website tracking technologies. It also recognizes app tracking mechanisms such as advertising IDs or device IDs.
HIPAA regulations also apply when a user of a website or app submits individually identifiable health information (IIHI). This may include a medical record number, home or email address, or appointment dates, as well as the person's IP address or location, medical device IDs, or any other distinctive identifying code.
What Are Possible ePHI Disclosures?
The bulletin discusses possible ePHI disclosures to online tracking technology vendors that HIPAA-regulated institutions may not have been aware of making. To comply with the HIPAA Rules, the Bulletin describes tracking technologies, how they are used, and the precautions that regulated institutions must take to secure ePHI.
The Bulletin offers information about and instances of:
- Tracking on websites
- Tracking in mobile applications
- HIPAA compliance obligations of regulated entities that use tracking technologies
HIPAA-regulated entities, such as technology platforms, health plans, and providers, must abide by the law. According to OCR Director Melanie Fontes Rainer, potential hazards to patient health information must be taken into account when tracking technologies are used.
"Our Bulletin addresses concerns for those utilizing tracking technologies, particularly how to safeguard patient privacy and security."
HHS is dedicated to making sure that everyone has equal access to human services and healthcare without hindrance. You can file a complaint with OCR if you think that someone has violated your civil rights or the privacy of your health information.
Different Ways of Collecting Information
User Authenticated Web Pages
These are pages that need a visitor to enter a username and password to read, making them inaccessible to casual web surfers. Patient portals, information about health insurance plans, and telemedicine platforms are a few examples of these types of pages.
Whether the information appears on the page itself or only in the DOM, these sites typically include content tied specifically to the visitor who signed in to access it. As a result, these pages may include PII or PHI.
Public, Unauthenticated Web Pages
Unauthenticated pages are those that are available to any site visitor and even to search engines. Since these pages are unlikely to include PHI, the entity can track them as usual without worrying about HIPAA compliance.
However, issues start to appear when specific information is linked to PII. For instance, if you know someone's name or IP address and they visit a page to learn more about a specific illness or to find out a clinic's hours, you may unintentionally be collecting PHI.
The same regulations apply to mobile applications that are owned by a HIPAA-regulated company. Any third-party app manager or vendor who would have access to PHI falls under this as well.
Even if someone adds personal health information to the app, it is not covered by HIPAA if it is not held by a regulated company. However, there are other laws and rules that might be relevant in these circumstances.
Satisfying HIPAA regulations
Using Google Analytics 360 or Adobe Analytics no longer satisfies HIPAA regulations unless you make significant changes to how it is implemented to prevent transferring PHI. The biggest change is switching from a client-side to a server-side mechanism for transferring data to the analytics platform.
Google is open about this: its documentation states that it "makes no assurances that Google Analytics satisfies HIPAA compliance requirements" and that "you may not use Google Analytics for any reason or in any manner involving Protected Health Information".
Simply put, Google does NOT want healthcare organizations to send it any PHI-related data.
There are legal and ethical ways for healthcare organizations to use these top-tier digital analytics platforms that respect consumer privacy rights and the law while also giving them access to crucial digital information.
PHI and PII
As Google's Terms of Service for Google Analytics and Google Analytics 360 make clear, no personally identifiable information (PII) may be sent to Google.
With Adobe Analytics, this isn't the case because you may transfer PII to the platform in a secure manner (though we recommend avoiding it in most cases).
PHI and PII are distinct terms. PHI is more restrictive than PII, but it only applies to information about a person's health.
Data is considered PHI only when the consumer has a relationship with a covered entity (such as a health plan or healthcare provider) or with its business associates (such as contractors and agencies working for the covered entity).
PHI is treated with a higher degree of seriousness and is subject to stricter data protection requirements. There are architectural requirements for security and data separation before this data can be stored by a third party.
Both Google and Adobe, at least as of right now, forbid the storage of PHI data on their platforms since neither is equipped to handle the added security standards.
Using Digital Analytics Tools
Third-party providers that do permit you to store this data must adhere to stringent architectural and security criteria to create an environment suited to it. Such a provider signs a contract with the healthcare organization known as a Business Associate Agreement (BAA).
The Business Associate is then subject to its own rules on data usage and security. Once more, as of right now, neither Google nor Adobe will sign a BAA with a healthcare institution for any of their digital analytics tools.
Before using their products, you will need to put the data through a de-identification process that removes all PHI. If you use a digital analytics platform that is on-premise, or one that you control and provision yourself, you can store this PHI provided the security and architecture are in place.
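To make the server-side switch and the de-identification step concrete, here is an added example (not code from the page, from Google, Adobe or Analytico) of a filter a server-side relay could apply to each analytics hit before forwarding it, covering the six analytics-relevant identifiers listed earlier; the field names, the sign-in path prefixes and the sample hit are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The six PHI identifiers listed above that analytics tools commonly collect.
# Stable identifiers are dropped rather than hashed: a hash of a device ID or
# account number can still be tied back to the person.
DROP_FIELDS = {"client_ip", "device_id", "device_serial", "account_number", "phone"}
# Location finer than the state level is PHI; the state itself is kept.
FINE_LOCATION_FIELDS = {"city", "zip", "latitude", "longitude"}
# Assumed path prefixes of sign-in pages (patient portal, telehealth). Their URLs
# are tied to the visitor, so they are replaced with a fixed placeholder.
AUTHENTICATED_PREFIXES = ("/portal/", "/telehealth/", "/myplan/")
# Simple North American phone-number pattern for redacting free-text fields.
PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")

def scrub_url(url: str) -> str:
    """Keep scheme, host and path only; query strings and fragments commonly
    carry search terms, appointment dates or record numbers."""
    parts = urlsplit(url)
    if parts.path.startswith(AUTHENTICATED_PREFIXES):
        return urlunsplit((parts.scheme, parts.netloc, "/authenticated/", "", ""))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def deidentify_hit(hit: dict) -> dict:
    """Return a copy of an analytics hit with the PHI identifiers removed."""
    clean = {}
    for key, value in hit.items():
        if key in DROP_FIELDS or key in FINE_LOCATION_FIELDS:
            continue
        if key == "page_url":
            clean[key] = scrub_url(value)
        elif isinstance(value, str):
            clean[key] = PHONE_RE.sub("[redacted]", value)
        else:
            clean[key] = value
    return clean

# Constructed sample hit, as a client-side tag might post it to a server-side relay.
SAMPLE_HIT = {
    "event": "page_view",
    "page_url": "https://clinic.example/conditions/diabetes?q=insulin+dose#faq",
    "client_ip": "203.0.113.7",
    "device_id": "a1b2c3d4-5e6f-7081-92a3-b4c5d6e7f809",
    "city": "Springfield",
    "state": "IL",
    "search_term": "call me at 555-123-4567",
}
```

Calling `deidentify_hit(SAMPLE_HIT)` keeps only the event, the state and the page path; a free-text field that matched the phone pattern is redacted rather than dropped so the rest of the hit stays usable.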
We Can Help You Out
In summary, HIPAA compliance can be challenging for digital analytics tracking, as PHI is defined as information that is often collected by these tools.
Healthcare businesses must develop a BAA with service providers, and take into account the potential hazards to patient health information when using tracking technologies.
As a leader in app and web analytics consulting, Analytico can assist large and mid-market businesses in gaining the advantages of the most recent trends and technology.
With a team of skilled analysts and a variety of cutting-edge tools and technology, we help organizations better understand their customers, streamline their marketing and sales operations, and make data-driven decisions that promote growth and success.
Whether you want to improve the performance of your website and mobile applications, better understand your customers, or find new growth prospects, Analytico provides the knowledge and tools you need to succeed in today's digital environment.
An analytics audit can find any tracking issues that could be exposing your organization to HIPAA violations. Get in touch with us today for a comprehensive digital analytics audit.
If you have any questions regarding user tracking and HIPAA compliance reach out to our experienced team to get the guidance you need to successfully navigate HIPAA compliance.