Implementing web analytics and data collection in healthcare has always required extra caution. By its very nature, collecting a patient’s (or prospective patient’s) information over the web leaves the door open to accidental and unsafe collection of protected health information (PHI). And when that PHI includes individually identifiable health information (IIHI), then collecting this data runs afoul of the privacy protections outlined in the Health Insurance Portability and Accountability Act (HIPAA). It is a delicate dance, to say the least – and one wrong step can lead to disaster.
But… what is IIHI? How is it defined? That’s the question everyone has been asking for the last 15 months.
The answer is: that it depends. In March 2023, The U.S. Department of Health and Human Services (HHS) issued the now infamous “HHS Bulletin” that broadly categorized much of the data collected online by healthcare providers as IIHI, too broadly in fact. This categorization sent Healthcare marketers into a spin as they scrambled to implement third-party data-scrubbing tools – or, in some extreme cases, cease all website data collection entirely.
But just over a year later, on June 20, 2024, a Texas District Court Judge invalidated a portion of the HHS bulletin. The more things change, the more they stay the same. Healthcare marketers are once again scrambling to figure out how to safely collect website user data.
Good news. It is still possible to implement robust analytics tracking and data collection on a healthcare site and the approach is largely unchanged even after the recent ruling. The approach outlined here is designed to be flexible in the ever-changing landscape of patient privacy.
Some new choreography
Although the June 2024 ruling invalidated the bulletin’s broad definition of IIHI, that invalidation is limited to the idea that:
Simply put, Identity (Person A) + Query (Condition B) ≠ IIHI (Person A has Condition B).
In other words, collecting an IP address + the service line or condition pages that IP address visited does not automatically mean that the visitor has that condition. It only means that the visitor has an interest in that condition, leaving the underlying motivation of that interest unknown.
This should be a welcome relief for marketers who went to extreme lengths to anonymize or avoid collecting IP data. However, caution is still warranted before you hit the dance floor. Even though collecting IP addresses is once again fair game, it’s easy to collect other data which, when combined with IP addresses, results in accidentally collecting IIHI. After all, the HHS “Privacy Rule” is still applicable and enforceable. Consequently, a measured, privacy-aware approach to site analytics is essential.
You Can Dance (with Google) if You Want to
Prior to the HHS bulletin, Google had all but cornered the market on analytics. Universal Analytics (UA) was the industry standard that which all other solutions were compared against. It was free. It integrated well with Google’s other services (GTM, Google Ads, Looker Studio). For many organizations, not only was it the first solution considered, it was the only solution considered.
Even before the Bulletin, the landscape was shifting. Google announced GA4 way back in October 2020. GA4’s new approach to analytics was disconcerting for many marketers. Its unfamiliarity led to slow adoption and delayed deadlines for UA’s deprecation. This opened the door for alternative analytics solutions to claim a larger stake in the market. The HHS Bulletin only accelerated this process.
Still, Primacy’s position throughout this change is that Google Analytics is a viable, safe option for most healthcare organizations, primarily because GA4:
- Minimizes data collection: the model is event based which minimizes the amount of data needed to describe user actions. This reduces the data collection and collection of unnecessary data.
- Does not log or store IP addresses.
- Has shorter data retention windows and offers a Consent Mode.
- Users can stop Google Signals data collection by turning off ad personalization.
- Integrates easily with other Google properties – including BigQuery, which can simplify previously complex implementations.
- Still provides an option for a free analytics solution.
With all that said, there are two key considerations inherent to any GA4 implementation:
- Google won’t sign a BAA for anything outside of Google Cloud.
- GA4’s out-of-the-box configurations are insufficient for the Healthcare System’s privacy needs.
Acknowledging all the above, we recommend bespoke implementations of GA4 for each client that begin with, and build upon, the following approach:
- Integrate with a Consent Management Solution: Implement a consent solution (like OneTrust) that allows users to control what data is being collected. As part of this process, ensure that your Privacy Policy is up to date and that every form on your site includes a user acknowledgment of the data being submitted.
- Enable Geographical Restrictions: Restrict Google Signals’ regions / States to only include the organization’s patient-service area. Consider whether it is necessary to collect granular device detection – which would provide city-data. If it’s not necessary, don’t track it.
- Limit Collection/Placements: Do not track or collect any information that could be classified as PHI, such as names, email addresses, or medical record numbers. Do not place GA4 on a patient portal. Do not collect any form field data with GA4 (only the form submit action).
- Customize Data Layer Configuration and Data Sharing: Create a data layer in GTM which will limit the information sent to GA4. In addition, turn off all data sharing settings in GA4 to prevent Google from accessing and using your data for its business purposes.
- Anonymize Data and Restrict Processing: Enable ‘Restricted Data Processing’ in GA4 to ensure data is processed with additional privacy measures. Note that GA4 does not collect IP addresses by default.
- Include disclaimers and consent checkboxes for submission forms sitewide. Specifically, a double opt-in that requires users to acknowledge reading the site Privacy Policy and agree that the form submission does not constitute a patient-provider relationship.
However, if an organization has more stringent privacy requirements that aren’t accommodated by the approach outlined above, then an alternative solution is warranted. But for the vast majority of organizations, this approach will be sufficient for implementing GA4, with one significant caveat…
Don’t leave your (Legal Counsel) friends behind
The recent headlines (and this article) should have already made clear that the legal landscape around IIHI and web analytics in healthcare is constantly shifting. Consequently, the management of analytics – specifically, its compliance with all current privacy laws – is an ongoing effort. The recommendations here do not constitute legal advice. Rather, close consultation with legal counsel is imperative along with consistent audits and reviews of the analytics ecosystem, including:
- One-time audit of the website for IIHI leaks (and immediate correction of those leaks).
- Regular audits of the entire analytics property to ensure that none of the tags are collecting IIHI.
- Regular audits of all Marketing Pixels to identify and log what information they are collecting. Keep a centralized, maintained list of all pixels in use.
- Identifying website visitor locations to determine which State/Country privacy regulations are applicable.
- Annual “Data Discovery” reviews with IT and third-party vendors to determine where data is being stored.
- Annual review and update of site Privacy Policy.
Conclusion: well, it’s safe to dance (yes, it’s safe to dance)
The HHS bulletin and the recent ruling invalidating it will not be the last changes to healthcare privacy regulations. More likely, they’re just a couple of spins and turns in this ongoing dance. And even with the clarification that an IP address + Query does not necessarily equate to IIHI, there will always be a level of uncertainty on the dance floor. Analytics implementation requires care and attention to detail. That was true before this ruling and will be true long after. But if marketers take a privacy-aware approach, integrate consent management solutions, limit data collection, and work closely with their legal counsel, then there’s no question that it’s safe to dance – with GA4 or whichever analytics partner is preferred.
About Dan Campagna
Dan Campagna is an Account Director at Primacy, a nationally recognized top agency that accelerates growth by building exceptional brand experiences. Using a combination of design thinking, creative problem solving, and collaborative team leadership, Dan delivers innovative strategic direction for marketing campaigns in the healthcare industry.
About Krista Cataldo
Krista Cataldo is a Business Analytics and Insights Lead at Primacy, a nationally recognized top agency that accelerates growth by building exceptional brand experiences. Krista is highly skilled in web analytics, data visualization, and brand research. She leverages these abilities to provide clients with comprehensive data-driven insights and develop effective marketing strategies that drive results.