Risk Management: HIPAA digital compliance

December 7, 2023   |   Healthcare Professional

From Google Analytics to Meta Pixels, many of marketers’ favorite digital tracking tools are no longer permissible on healthcare websites and apps, now that federal and state regulators have started cracking down on sharing visitor data with third parties.

Tracking code embedded in a website or app, typically third-party JavaScript that runs in the visitor’s browser, is what allows your favorite brands to chase you around the internet with ads any time you browse a new product. For healthcare providers, regulators now treat passing a visitor’s IP address, together with information about the health-related page or service they viewed, to a third-party tracking vendor as a disclosure of protected health information (PHI). Without a Business Associate Agreement with that vendor, the disclosure is a HIPAA violation.

This past summer, roughly 130 hospital systems and telehealth providers received joint warning letters from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) about the use of online tracking tools on their websites and mobile apps. The letters serve as a cautionary tale to all healthcare business owners about the privacy and security risks of online conversion tracking technology that may disclose users’ sensitive personal health data to third parties.

With large healthcare systems still playing catch up on new digital compliance laws, smaller providers no doubt still have work to do. Jenny Bristow, CEO of Hedy & Hopp, offers the following tips for healthcare digital compliance in 2024.


Audit your website and marketing tech stack for digital compliance

Big or small, most healthcare providers aren’t aware of all the third-party plugins, scripts and apps embedded in their websites and apps. The good news for smaller providers is that you most likely have one simple website, so it’s easy to remove any code that’s no longer HIPAA compliant.

Bristow’s company performs compliance audits for healthcare clients. She says, “About 20-30% of what we find, our clients didn’t know existed because an old agency partner hardcoded something on a page they didn’t know about or a former employee installed a tool for website forms that nobody knew was there.”

Even small organizations can be surprised to find what’s running behind the scenes on their site. Most websites are linked to Google Analytics (GA), a powerful tool for tracking how users navigate your site. And if you ever built audiences on Meta (for Facebook or Instagram ads), you likely have a Meta pixel on your site. Once regulators began treating a visitor’s IP address, combined with the health-related pages they view, as PHI, sending that data to vendors that won’t sign a Business Associate Agreement stopped being permissible in healthcare.

Bristow recommends using the site builtwith.com to see which third-party technologies are loaded on your website.
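A third-party lookup service only reports what it can fingerprint. As an added example (this is not code from the article, from Hedy & Hopp, or from builtwith.com), the script below does the same inventory on a page’s HTML offline: it collects every external script, image beacon and iframe, pulls URLs out of inline loader snippets (the Meta Pixel bootstrap fetches its real payload that way), flags hosts and inline calls that match a small, illustrative list of known trackers, and lists the remaining third-party vendors you would need a Business Associate Agreement with or need to remove. The tracker list, the sample page and the tag IDs in it are all constructed for the demo.

```python
"""Static inventory of third-party tracking code in a page's HTML.

Added example; not code from any tool or company named in the article.
The tracker map and the sample page below are illustrative only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative map of tracker hostnames to products (assumed for this example;
# a real audit would maintain a fuller list and compare it against its BAA inventory).
KNOWN_TRACKERS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics / Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
}
# Inline JavaScript calls that betray a tracker even when its loader is minified.
INLINE_MARKERS = {"gtag(": "Google Analytics / Tag Manager", "fbq(": "Meta Pixel"}
URL_RE = re.compile(r"https?://[^\s'\"()]+")


class ResourceCollector(HTMLParser):
    """Collects src URLs of script/img/iframe tags and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.urls.append(a["src"])
            else:
                self._in_script = True
        elif tag in ("img", "iframe") and a.get("src"):
            self.urls.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def audit_page(html, first_party_host):
    """Return third-party hosts, recognised trackers, and unrecognised vendors to check for a BAA."""
    p = ResourceCollector()
    p.feed(html)
    # Loader snippets fetch their payload from a URL inside inline JS, so scan those too.
    candidates = list(p.urls)
    for body in p.inline_scripts:
        candidates.extend(URL_RE.findall(body))
    # Relative URLs have no hostname and are first-party by definition.
    hosts = {h for h in (urlparse(u).hostname for u in candidates) if h and h != first_party_host}
    trackers = {KNOWN_TRACKERS[h] for h in hosts if h in KNOWN_TRACKERS}
    for body in p.inline_scripts:
        trackers.update(name for marker, name in INLINE_MARKERS.items() if marker in body)
    return {
        "third_party_hosts": sorted(hosts),
        "trackers": sorted(trackers),
        "unrecognised_vendors": sorted(h for h in hosts if h not in KNOWN_TRACKERS),
    }


# Constructed sample page for the demo; the tag IDs are placeholders, not real ones.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('config', 'G-PLACEHOLDER');</script>
<script>(function(){var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="/js/app.js"></script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/>
<iframe src="https://forms.example-vendor.test/embed/intake"></iframe>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HTML, "clinic.example").items():
        print(f"{key}: {value}")
```

On the sample page this reports two recognised trackers (Google Analytics / Tag Manager and Meta Pixel) and one unrecognised vendor, the forms iframe host, which is exactly the kind of tool a former employee may have installed and that needs a BAA review. A static scan cannot see scripts a tag manager injects at runtime, so for a complete audit pair it with a browser capture of the live page’s network requests and run it against the health-condition and appointment pages, not just the home page.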

Check your state-specific laws

Many states are tightening up consumer privacy laws, sometimes specifically mentioning healthcare data. California tends to be the most strict, followed by Washington, but a patchwork of U.S. states are enacting data privacy laws. Bristow hopes national legislation will eventually make the legal landscape consistent across states. This is especially important for providers practicing across state lines under interstate licensure compacts. “What we’re really hoping for and believe will happen in the next couple of years is a nationwide privacy policy of some kind, where it will make it no longer a patchwork of laws you have to comply with, but instead just one set of rules and guidelines across the board,” she says.

Ensure chat tools are HIPAA compliant

Ancillary tools like patient chat messaging on your website or call tracking are still permissible as long as the third-party vendor signs a HIPAA-compliant Business Associate Agreement. The agreement is the legal prerequisite, not a substitute for due diligence: audit those tools and understand what data they collect, where they store it and who else receives it before installing them on your website.

Lean into effective marketing tools still available

While the days of easily delivering the right content to exactly the right audience are over, there remain plenty of digital tools in the healthcare marketer’s toolbox. “All of the exciting things that we love doing as marketers, we can still do. We just need to have the right technical infrastructure and legal agreements in place,” says Bristow.


Key digital compliance takeaways for healthcare providers in 2024:

  • Be sure to have Business Associate Agreements in place with any vendors that have access to patient data. Know how they plan to hold that data safely and securely before working with them.
  • Understand how and when patient data is being shared. These laws don’t mean you can’t have a targeted marketing strategy. It’s a matter of cleaning up any unintentional data sharing. “Many providers don’t realize how widely they’ve been accidentally sharing patients’ information. We need to really be aware of who we’re sharing that with and why,” says Bristow. 

The HIPAA digital compliance landscape shifted throughout 2023, and Bristow sees no sign of that abating in 2024. Healthcare business owners and the marketers they work with need to stay informed about how these laws are evolving to protect patient privacy and stay compliant.
