Digital Health

Overcoming the challenges of HIPAA-compliant marketing, analytics & advertising

Healthcare providers continue to misuse patient data

Balancing HIPAA compliance and effective marketing is a challenge. Many healthcare companies remain unaware of HIPAA provisions and ways to comply with them. As of July 2023, healthcare organizations reported 330 breaches of sensitive health information affecting 41.4 million individuals to HHS’ Office for Civil Rights, compared to 52 million affected in all of 2022. According to a recent study, patients who worry about breaches of their electronic health records are three times more likely to withhold information from their physicians.

One of the factors affecting the number of HIPAA breaches is HHS’s bulletin from December 2022 that provides strict guidance on the use of third-party cookies, pixels and other tracking technologies by healthcare companies. The bulletin expands the definition of protected health information (PHI). Notably, it indicates that even using tracking technologies on websites and mobile apps accessible without user login could put healthcare companies at risk of privacy violations.

Big tech companies create the leading marketing technologies and make them free because they get access to data collected by businesses that implement said technologies. Last year, The Markup found that 33 of the top 100 US hospitals used Facebook pixels on their websites. Seven of them used tracking codes on patients’ portals behind the login walls.

Earlier this year, numerous healthcare organizations submitted breach reports acknowledging that they were in violation of HHS's December 2022 guidance. Telehealth provider Cerebral filed a data breach notification with HHS, admitting to having disclosed PII to other parties without sufficient HIPAA-protective measures. In July 2023, the FTC and HHS sent a joint letter to approximately 130 hospital systems and telehealth providers, alerting them to the risks of tracking technologies on sites and apps that can impermissibly disclose consumers’ sensitive personal health data to third parties.

Under the HIPAA Privacy Rule, sharing PHI for marketing and analytics is not a permitted disclosure. To share PHI with a vendor, healthcare providers need to sign a business associate agreement (BAA) with it, which establishes a legally binding relationship. Without a BAA, companies must refrain from sending PHI to the platforms they use, or apply one of the valid de-identification methods to remove all identifiers from PHI. On the other hand, the broad definition of PHI complicates de-identification, and data stripped of identifiers is less useful for some marketing activities.

Evaluating HIPAA compliance of marketing and analytics vendors

Due to HIPAA’s strict regulations, covered entities need to evaluate the compliance of every tool in their marketing stack. The leading analytics vendors, Google and Adobe, pose numerous risks and complications for healthcare providers. Google is explicit about not permitting healthcare providers to keep PHI in Google Analytics. It won’t sign a BAA and uses the data within its systems to improve its services, making Google Analytics a non-compliant choice for HIPAA covered entities. Adobe has a list of HIPAA-ready services that includes Adobe Customer Journey Analytics but leaves out Adobe Analytics. Sharing PHI with Adobe is compliant only if it involves one of the listed products.

Healthcare organizations can look at other analytics vendors that apply HIPAA-compliant measures. Piwik PRO Analytics Suite is fully compliant with HIPAA’s provisions, including the guidance outlined in HHS’s bulletin. Piwik PRO will sign a BAA, won’t share data with third parties and offers hosting on HIPAA-compliant infrastructure, on top of following strict privacy requirements and undergoing regular security audits. Another possibility is combining a data collection system, data warehouse and data visualization tool. However, it necessitates verifying the HIPAA compliance of each vendor.

Facebook tracking pixels on patient portals are not the only marketing activity that may violate patients’ privacy. Advertising platforms like Facebook, Google, and LinkedIn Ads won’t sign a BAA, meaning healthcare organizations must keep PHI out of their campaigns. The most future-proof marketing solution for HIPAA covered entities is establishing a first-party data ecosystem. Compliant marketing activities that use PHI include onsite retargeting and personalization, email campaigns and ad campaign optimization.

In advertising, healthcare organizations must remove any traces of PHI from data before sending it to ad networks, and must remove marketing pixels from password-protected apps and websites such as patient portals. Another option is advertising without retargeting or PHI, such as contextual targeting and simple keyword-based ads.
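As an added example (not from the article or from any vendor it names), a defender-side check for the situation described above: a Python scanner that flags known third-party tracker tags in the HTML of an authenticated page such as a patient portal. The tracker host list, the inline signature and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed watch-list of third-party tracker hosts; extend it for your own marketing stack.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (noscript image)",
    "www.googletagmanager.com": "Google Tag Manager",
}
# Signature of the Meta Pixel inline bootstrap snippet (fbq('init', ...) / fbq('track', ...)).
INLINE_PATTERNS = {
    "Meta Pixel (inline fbq call)": re.compile(r"\bfbq\s*\(\s*['\"](?:init|track)"),
}
class _TagCollector(HTMLParser):
    # Collects external src URLs (script/img/iframe, noscript included) and inline <script> bodies.
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "script":
            self._in_script = True  # body arrives via handle_data
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)
def find_trackers(html):
    # Returns sorted (vendor label, source) pairs for every tracker found in the page.
    p = _TagCollector()
    p.feed(html)
    findings = set()
    for url in p.urls:
        # Absolute and protocol-relative URLs yield a hostname; same-origin paths yield None.
        host = urlparse(url if "//" in url else "//" + url).hostname
        if host in TRACKER_HOSTS:
            findings.add((TRACKER_HOSTS[host], url))
    for code in p.inline:
        findings.update((lbl, "inline script") for lbl, pat in INLINE_PATTERNS.items() if pat.search(code))
    return sorted(findings)
# Constructed sample resembling a logged-in portal page (placeholder ids, not from any real site).
SAMPLE_PORTAL_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView" /></noscript>
</body></html>"""
```

Run `find_trackers` over the HTML served to logged-in users (for example, a saved page from a staging portal); any finding is a tag to remove or to route through a BAA-covered vendor.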

HIPAA compliance is the only way forward

The need for high standards of HIPAA compliance applies to all platforms that interact with patients’ PHI, including analytics, marketing tools and advertising ecosystems. There are many HIPAA-compliant vendors on the market, and investing in them opens up a new world of possibilities for healthcare providers to collect granular data and promote their services within HIPAA’s limits.

The editorial staff had no role in this post's creation.