In December 2022, the Office of Civil Rights, responsible for enforcing HIPAA laws in the United States, released new guidelines on the Use of Online Tracking Technologies by HIPAA Covered Entities. In the wake of the new guidelines, some organizations – including large health systems – immediately pulled Google Analytics, advertising pixels and other ad or tracking technologies from their website, leaving their marketing efforts in the dark. Many solutions have arisen in the meantime, and while many organizations have already completed their implementations, some of these new, HIPAA-compliant tracking solutions aren’t cheap.
From health systems to independent solo practitioners, we know that all healthcare providers are cost-conscious. The financial pressures on healthcare providers are mounting, while health systems, large tech companies and payers buying up physician practices are only amplifying competition. More than ever, small and mid-sized physician practices need an excellent marketing strategy informed by data so that they can invest limited dollars in the tactics that drive the greatest ROI.
So, how do independent physicians’ practices maintain a data-based marketing strategy while staying HIPAA compliant?
New to the guidance? Here’s your quick primer.
In the summer of 2022, a big story broke revealing that several large health systems had exposed sensitive patient data to tech giants, like Meta (the behemoth that owns Facebook and Instagram). These organizations sent sensitive details to Meta’s advertising platforms, information like patient names, the doctors patients booked appointments with and more.
It appears that the Office of Civil Rights introduced its new guidance in response to these breaches. However, the OCR expanded its definition of Personal Health Information, stating that information like a user’s IP address and a page they visited on a website needed to be stored in a HIPAA-compliant manner. Otherwise, it would be considered a breach.
Most analytics platforms store IP addresses with other details by default. Yet neither Google Analytics nor Meta Ads promises HIPAA compliance, nor will they sign a Business Associate Agreement.
Some healthcare organizations adopted a wait-and-see approach, expecting the OCR to retract or clarify the far-reaching guidance. In March 2024, the OCR updated its guidance, but the updates only reinforced prior statements and indicated that the OCR planned to invest resources into enforcing its guidelines.
What options are there for physicians’ practices?
Google Analytics is free, so healthcare organizations should expect to pay more for any HIPAA-compliant solution. The servers must meet a higher level of encryption, and data transmission must have special encryption. Not to mention, these vendors are taking on liability by taking responsibility for Personal Health Information.
Any vendor providing a HIPAA-compliant solution has increased costs. However, the cost of throwing marketing dollars out into the dark without understanding how they’re benefiting your organization may be more significant. Here’s a breakdown of the current solutions:
- Customer data platforms: There are many solutions available for those with large budgets. The Office of Civil Rights specifically mentions customer data platforms, which offer organizations the ability to control all data collected on their website and prevent anything they don’t want from being sent to a third party, like Google or Meta. Unfortunately, these platforms often come with a high price tag, too.
- Alternative analytics platforms: There are also alternatives to Google Analytics: HIPAA-compliant analytics platforms. Some HIPAA-compliant analytics platforms are relatively inexpensive, making this a worthwhile solution to explore for physicians’ practices. The learning curve may be challenging for you or your agency partners to overcome if you decide to move to a new platform. These platforms may not integrate with other tools as easily as Google Analytics, the most widely used digital analytics platform in the United States.
- Server-side Google Tag Manager: The final option for physicians’ practices would be to implement server-side Google Tag Manager. Google created this method to help companies comply with the European Union’s stringent data privacy laws. With Google Tag Manager, the data collected on your website can be sent to a private, HIPAA-compliant server, and then protected data like IP address or other parameters can be removed from the data before it’s sent to Google Analytics or Meta. Anyone can set up a server-side Google Tag Manager, but it requires technical expertise. Google Tag Manager can be an affordable option for physicians’ practices if they have the knowledge to implement it in-house or have an agency with the expertise to implement this.
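To make the server-side step concrete, here is an added example (not from the original article and not Google Tag Manager's own code) of the kind of redaction a private server can apply before forwarding an event to a third party. The event field names, the allowlists and the sample event are assumptions made for illustration.

```javascript
// Added illustration: hypothetical event shape, not a Google Tag Manager API.
// Allowlist approach: anything not named here is dropped before forwarding.
const ALLOWED_FIELDS = new Set(["event_name", "timestamp", "page_location"]);
const ALLOWED_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);

// Keep origin and path, drop the fragment, keep only allowlisted query params.
function scrubUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // unparseable URLs are not forwarded at all
  }
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(name)) kept.append(name, value);
  }
  const query = kept.toString();
  return url.origin + url.pathname + (query ? "?" + query : "");
}

// Build the outbound event from scratch so the IP address, user agent,
// client identifiers and any unexpected fields never reach the third party.
function redactEvent(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (!ALLOWED_FIELDS.has(key)) continue;
    if (key === "page_location") {
      const cleaned = scrubUrl(String(value));
      if (cleaned !== null) out[key] = cleaned;
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample event, as a browser tag might send it to the private server.
const sampleEvent = {
  event_name: "page_view",
  timestamp: 1718000000,
  page_location:
    "https://clinic.example/appointments/confirm?doctor=smith&email=jane%40example.com&utm_source=newsletter#step2",
  ip_address: "203.0.113.7",
  user_agent: "Mozilla/5.0 (constructed)",
  client_id: "1234567890.1718000000",
};

console.log(redactEvent(sampleEvent));
```

The page path is still forwarded in this sketch, so paths that themselves name a condition or provider need their own handling, and the server doing the redaction has to be the HIPAA-compliant one described above.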
Don’t give up!
The simple fact is that practice managers or marketing directors have enough on their plate to worry about. The best way to get started on this journey is to seek the expertise you need so that you don’t have to manage it alone. The Office of Civil Rights is becoming increasingly interested in the digital realm, so you need trusted partners who understand the healthcare space and can help you navigate new guidance. Discuss your website, tracking and marketing tactics with your practice’s legal representative and seek out website and marketing partners that have a keen understanding of the standards in healthcare.
Rachael Sauceman is the Director of Strategy for Full Media, a healthcare digital marketing agency. As a HIPAA-compliant marketing partner, Full Media offers analytics development, consulting, and reporting for healthcare organizations.