User privacy was once again in the spotlight a few months ago as a result of lawsuits filed against Meta and a number of hospitals. The complaints alleged that the Meta Pixel embedded on hospital websites collected far more data than anticipated: investigations found that details of patients' medical conditions, physician appointments, and even allergies were being sent to Facebook. This once again raises the question of how safe user information really is, and what is being done to ensure that consumers' data is in safe hands.
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. Among its principal objectives is the protection of individually identifiable health information. Data covered by HIPAA is called Protected Health Information (PHI), or ePHI when it is held or transmitted electronically. The restrictions HIPAA places on the collection, storage, and sharing of this data present a real difficulty for firms that rely on it for analytics or marketing.
PHI is any information that relates to a person's past, present, or future physical or mental health condition and can be tied to that person. Test results and diagnoses are obviously included, but so are details such as age, date of birth, race, and gender when they are linked to health information. Under HIPAA, even an IP address may be regarded as ePHI.
When it comes to digital analytics tracking, HIPAA compliance presents a particular challenge. HIPAA treats health information as PHI when it is combined with any of a list of identifiers, and that list includes location data, telephone numbers, URLs, device serial numbers and IDs, and IP addresses. These are exactly the kinds of data that digital analytics tools collect by default.
To comply with HIPAA, a healthcare business must put a Business Associate Agreement (BAA) in place with any service provider that handles PHI on its behalf. A BAA is a contract under which both parties commit to compliance and accept liability for the services they provide. It is important to note that BAAs can be expensive, often require a higher tier of licensing, and are not offered at all by some vendors.
Healthcare businesses that disregard HIPAA regulations run serious risks. Significant fines, legal actions, and possibly criminal charges may follow. Even if the violation was unintentional, civil penalties for non-compliance still apply. Far more damaging than the fines is the loss of patients' trust, which is very hard to regain once it has been broken. HIPAA is enforced through civil penalties that can exceed $1 million per year for a single category of violation, and criminal penalties that include prison terms of up to ten years.
What does PHI include?
The 18 identifiers that turn health information into PHI are listed in the HIPAA Journal in an easy-to-read form. Six of them are crucial because they are routinely collected by digital analytics tools:
- Geographic subdivisions smaller than a state (street address, city, ZIP code, or any other location data finer than state level)
- Telephone numbers
- Account numbers
- Web URLs (which can carry a medical condition or other PHI in the path or query string)
- Device serial numbers and IDs
- Internet Protocol (IP) addresses
How does HIPAA Compliance work?
Several services enable HIPAA compliance by entering into a Business Associate Agreement, or BAA. This is essentially a contract between the healthcare organization and the service provider under which both commit to compliance and accept liability for the services they deliver.
Keep in mind that BAAs are frequently an expensive option and/or require customers to buy a higher tier of licence than they would otherwise need, because they expose the third party to more risk and scrutiny. Additionally, not every vendor offers a BAA at all.
What is the recent scenario regarding HIPAA Compliance?
After the Meta Pixel cases, new guidance was released regarding HIPAA. In the closing weeks of 2022 the US Department of Health and Human Services (HHS) published a bulletin that further outlines the obligations of HIPAA Covered Entities and Business Associates. The document addresses tracking technologies in detail, including website analytics, marketing pixels, session replay scripts, and other tools that can collect Protected Health Information (PHI).
What's in the bulletin?
The bulletin, issued by the HHS Office for Civil Rights (OCR), covers the responsibilities of HIPAA-regulated entities that use tracking technologies. It defines tracking technologies as scripts or code that gather and analyse data about how users interact with the websites or mobile apps of regulated entities.
When these tracking technologies collect PHI, the HIPAA Rules apply. The bulletin lists cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts as website tracking technologies, and it also recognises app tracking mechanisms such as advertising IDs and device IDs.
The HIPAA Rules apply whenever a website or app user supplies individually identifiable health information (IIHI). That can include a medical record number, home or email address, or appointment dates, as well as the person's IP address or location, medical device IDs, or any other unique identifying code.
What are possible ePHI disclosures ?
The bulletin discusses disclosures of ePHI to tracking technology vendors that HIPAA-regulated entities may be making without recognising them as disclosures. To help entities comply with the HIPAA Rules, it describes what tracking technologies are, how they are used, and the safeguards regulated entities must apply to protect ePHI.
The Bulletin offers information about and instances of:
- Monitoring on websites
- Tracking in mobile applications
- The HIPAA compliance obligations of regulated entities when they use tracking technologies
"HIPAA-regulated companies, such as technology platforms, health plans, and providers, must abide by the law. When utilising tracking technologies, this necessitates taking into account the potential hazards to patient health information," according to OCR Director Melanie Fontes Rainer. "Our Bulletin addresses concerns for those utilising tracking technologies, particularly how to safeguard patient privacy and security."
HHS is dedicated to making sure that everyone has equal access to healthcare and human services without hindrance. You can file a complaint with OCR if you believe that someone has violated your civil rights or the privacy of your health information.
How information is collected
User-authenticated web pages
These are pages that require a visitor to enter a username and password before they can be read, making them inaccessible to casual web surfers. Patient portals, health insurance plan member areas, and telemedicine platforms are typical examples. Whether it appears on the rendered page or only in the DOM, the content of these pages is tied to the specific visitor who logged in to view it, so they very often contain PII or PHI, and any tracking script running on them can capture it.
Public, unauthenticated webpages
The waters here become muddier. Unauthenticated pages are those available to any site visitor and, usually, to search engines. Because these pages are less likely to contain PHI, tracking them is generally lower risk than tracking authenticated pages, but it is not automatically exempt from HIPAA.
Problems arise as soon as page activity is linked to an identifier. For instance, if you know a visitor's name or IP address and they visit a page about a specific illness, or look up the hours of a particular clinic, you may unintentionally be collecting PHI.
The same rules apply to mobile applications owned by a HIPAA-regulated entity, and to any third-party app vendor or service manager that would have access to PHI through them. If a person enters health information into an app that is not offered by or on behalf of a regulated entity, HIPAA does not cover it, although other laws and rules may apply in those circumstances.
Satisfying HIPAA regulations
Using Google Analytics 360 or Adobe Analytics "out of the box" does not currently satisfy HIPAA, unless you make significant changes to the implementation to prevent Protected Health Information (PHI) from ever being transmitted. The biggest change is switching from a client-side to a server-side mechanism for sending data to the analytics platform, so that the browser talks only to a collector you control and PHI can be stripped before anything is forwarded.
Google is open about this: its documentation states that Google "makes no assurances that Google Analytics satisfies HIPAA compliance requirements" and that "you may not use Google Analytics for any reason or in any manner involving Protected Health Information". Simply put, Google does NOT want healthcare organizations to send it any PHI.
There are legal and ethical ways for healthcare organizations to use these top-tier digital analytics platforms that respect consumer privacy rights and the law while also giving them access to the crucial digital information.
PHI and PII
Google's Terms of Service for Google Analytics and Google Analytics 360 prohibit sending any personally identifiable information (PII) to Google. Adobe Analytics is different: PII may be transferred to the platform in a secure manner, though we recommend avoiding it in most cases.
PHI and PII are distinct terms. PHI is the narrower and more strictly regulated category: it covers health information that is individually identifiable, and only when it is held by a covered entity (such as a health plan or healthcare provider) or its business associates (such as contractors and agencies working for the covered entity).
PHI is treated with a higher degree of seriousness and is subject to stricter data protection requirements. A third party must meet architectural requirements for security and data separation before it can store this data at all. Both Google and Adobe, at least as of right now, forbid storing PHI on their analytics platforms because neither is set up to meet those added security standards.
Using Digital Analytics tool
Third-party providers that do permit you to store this data must meet stringent architectural and security criteria to create an environment suited to it, and they will sign a contract with the healthcare organization known as a Business Associate Agreement (BAA).
The Business Associate is then bound by its own rules on data usage and security. Once more, as of right now, neither Google nor Adobe will sign a BAA covering its digital analytics tools with a healthcare institution. As a result, you will need to put every hit through a de-identification process that removes PHI entirely before it reaches their products. If you instead use an on-premises analytics platform, or one you control and provision yourself, you can store PHI provided the security and architecture are right.
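To make the server-side approach from the previous section and the de-identification step above concrete, here is an added example of the filter a covered entity would run in its own collector before forwarding anything to a vendor. It is illustrative code written for this article, not Google's, Adobe's, or any analytics product's own code; the path allowlist, the forwarded field names, the sample hits, and the pseudonymisation key are all constructed assumptions. The filter drops every hit from an authenticated page, refuses any URL that is not on an explicit allowlist of public pages, strips query strings and referrer paths, removes IP addresses and other identifiers by never copying them, reduces location to state level, and replaces the analytics client ID with a keyed pseudonym.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed policy for this example. A real deployment derives the allowlist
# from a page-by-page review of which URLs can carry PHI; everything not listed
# is refused rather than forwarded.
PUBLIC_PATH_ALLOWLIST = {"/", "/about", "/locations", "/contact", "/careers"}

# Only these hit fields are ever forwarded (default deny). IP addresses, user
# and device identifiers, page titles and search terms are HIPAA identifiers
# or routinely contain them, so they are simply never copied across.
FORWARDED_FIELDS = ("event", "timestamp")

# Key for pseudonymising the analytics client id. It must stay with the covered
# entity; sharing it with the vendor would make the token re-identifiable.
# Hypothetical value for the example.
PSEUDONYM_KEY = b"example-key-held-by-covered-entity"


def scrub_url(url: str) -> Optional[str]:
    """Return the bare path if it is an allowlisted public page, else None.

    Query strings and fragments are discarded outright: appointment ids,
    condition names and search terms commonly travel there.
    """
    path = urlsplit(url).path.rstrip("/") or "/"
    return path if path in PUBLIC_PATH_ALLOWLIST else None


def scrub_referrer(referrer: str) -> str:
    """Keep only the referrer's origin; its path or query may name a condition."""
    parts = urlsplit(referrer)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}/"


def pseudonymize(client_id: str) -> str:
    """Keyed HMAC of the client id: stable per browser, unlinkable without the key."""
    digest = hmac.new(PSEUDONYM_KEY, client_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def coarsen_geo(geo: dict) -> dict:
    """Reduce location to state level; anything smaller than a state is an identifier."""
    return {k: geo[k] for k in ("country", "state") if k in geo}


def deidentify_hit(hit: dict) -> Optional[dict]:
    """Turn one raw hit into a vendor-safe hit, or return None to drop it."""
    # Hits from authenticated pages (patient portal, telehealth) are never
    # forwarded: the page content itself is tied to an identified patient.
    if hit.get("authenticated"):
        return None
    path = scrub_url(hit.get("url", ""))
    if path is None:
        return None
    out = {k: hit[k] for k in FORWARDED_FIELDS if k in hit}
    out["url"] = path
    out["referrer"] = scrub_referrer(hit.get("referrer", ""))
    if "client_id" in hit:
        out["client_id"] = pseudonymize(hit["client_id"])
    out["geo"] = coarsen_geo(hit.get("geo", {}))
    return out


def forward_hits(hits: list) -> list:
    """Apply the filter to a batch; only the surviving hits go to the vendor."""
    return [h for h in (deidentify_hit(x) for x in hits) if h is not None]


# Constructed sample hits, as a server-side collector would receive them.
SAMPLE_HITS = [
    {  # public page with identifying query string: forwarded after scrubbing
        "event": "page_view", "timestamp": 1700000000, "authenticated": False,
        "url": "https://clinic.example/locations/?utm_source=fb&appt=12345",
        "referrer": "https://www.google.com/search?q=diabetes+clinic+austin",
        "ip": "203.0.113.7", "client_id": "GA1.2.1234567890.1700000000",
        "geo": {"country": "US", "state": "TX", "city": "Austin"},
    },
    {  # public page whose path names a condition: not allowlisted, dropped
        "event": "page_view", "timestamp": 1700000001, "authenticated": False,
        "url": "https://clinic.example/conditions/hiv-care",
        "ip": "203.0.113.8", "client_id": "GA1.2.2222222222.1700000001",
    },
    {  # patient portal page: dropped regardless of URL
        "event": "page_view", "timestamp": 1700000002, "authenticated": True,
        "url": "https://clinic.example/", "ip": "203.0.113.9",
        "client_id": "GA1.2.3333333333.1700000002",
    },
]

if __name__ == "__main__":
    for safe in forward_hits(SAMPLE_HITS):
        print(safe)
```

Two caveats a practitioner should keep in mind. First, the filter only helps if the browser sends hits exclusively to your collector; a vendor tag that still fires client-side bypasses it entirely, which is why the page must load only your own collection script. Second, the pseudonymised client ID is a re-identification code, and under the HIPAA Safe Harbor standard such a code is only acceptable if the key cannot be obtained by the recipient and the code is not derived from the individual's own information; keeping the HMAC key inside the covered entity is what makes this design defensible, and it should be reviewed with counsel before you rely on it.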
We Can Help You Out
In summary, HIPAA compliance can be challenging for digital analytics tracking, as PHI is defined as information that is often collected by these tools. Healthcare businesses must develop a BAA with service providers, and take into account the potential hazards to patient health information when using tracking technologies.
As a leader in app and web analytics consulting, Analytico can assist large and mid-market businesses in gaining the advantages of the most recent trends and technology. We assist organizations in better understanding their customers, streamlining their marketing and sales operations, and making data-driven decisions that will promote growth and success with a team of skilled analysts and a variety of cutting-edge tools and technology.
Analytico provides the knowledge and tools you need to be successful in today's digital environment, whether you're wanting to enhance the performance of your website and mobile applications, better understand your customers, or find new growth prospects.
An analytics audit can find tracking issues that could be exposing your organization to HIPAA violations. Get in touch with us today for a comprehensive digital analytics audit.
If you have any questions regarding user tracking and HIPAA compliance, reach out to our experienced team to get the guidance you need to successfully navigate HIPAA compliance.