HHS Update: New Healthcare Marketing Stack to Stay Compliant

The Health and Human Services (HHS) has introduced changes to HIPAA guidance on online tracking, bringing about a direct shift in how healthcare and wellness brands run marketing campaigns. With Google Analytics now off the table, the need to recalibrate the marketing stack swiftly has grown significantly. In this shifting environment, Improvado offers a tailored solution, ensuring brands can continue accessing detailed marketing insights without compromising on the new regulations.

What Has Changed in the HIPAA Regulation in 2022?

A recent update to the law affected the use of tracking technology like Google Analytics by entities regulated by HIPAA which includes doctors, psychologists, clinics, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, and any middleman dealing with the processing of healthcare data. Many wellness businesses and alternative practitioners might also fall under the healthcare providers category, in situations where wellness vendors operate in conjunction with group health plans or if their services include the handling of health information.

Under the new regulations, regulated entities are not allowed to use tracking technologies without proper authorization or in ways that would lead to unauthorized disclosures of personal health information (PHI).

The HHS definition of a tracking technology states that: A tracking technology is a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app. After the information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app, or third parties, to create insights about users’ online activities.

Since the legislation talks solely about handling PHI and ePHI, the HIPAA update affects various pages on the website differently:

User-authenticated web pages: On these pages, users sign in before they are able to access the webpage, and tracking tools typically can view personal health information like email, IP address, dates of appointment, or even diagnosis. It's a must to ensure PHI is secured in accordance with HIPAA.
Unauthenticated web pages: These pages are open to everyone. Tracking tools here usually don't see PHI, that's why the use of such tracking technologies is not regulated by the HIPAA. However, if tracking technologies on unauthenticated web pages have access to PHI, adherence to HIPAA is mandatory.
Mobile applications: Apps from entities under HIPAA regulation that gather user details, including data specific to the device, must adhere to HIPAA guidelines at all times.

4 Essential Rules for HIPAA-Compliant Usage of Tracking Software

Based on new regulations, HIPAA entities and tracking technology vendors must act in accordance with the following four rules to stay compliant while handling PHI.

Rule 1: Only share patient information with tracking technology vendors if it's allowed by HIPAA.

Note: The fact that your company informs individuals in its privacy policy, notice, or terms and conditions about the presence of tracking technology doesn't mean you are permitted to disclose PHI to tracking vendors.

To use tracking technology on HIPAA-regulated pages or applications, one of these three conditions must be met:

Before sharing PHI with a tracking vendor, a company needs a patient's clear permission. Simply asking users to accept website cookies doesn't count as proper permission.
Sharing is allowed by a specific HIPAA rule or a tracking vendor is a business associate of your company. See rule 2.
A tracking technology vendor is not allowed to simply remove PHI from the information it receives or de-identify the PHI before saving it, if the vendor isn't a business associate of your company or it's allowed by HIPAA.

Simply put, any action with personal health information is allowed only if it's permitted by HIPAA; if a vendor is your business associate; or if a patient gave your company clear permission to process their data.

Rule 2: Establish a Business Associate Agreement (BAA) with a tracking technology vendor.

If a tracking technology vendor handles patient information, you need a written Business Associate Agreement (BAA) with them. This agreement should outline how the vendor will protect the data and what they're allowed to do with it.

Two important notes:

A tracking technology must meet the business associate definition.
If a tracking technology or a company is unable/doesn't want to sign BAA, any disclosure of PHI requires individuals’ authorizations.

The HHS definition of a business associate is the following: A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.

Rule 3: Establish risk analysis and risk management processes that include administrative, physical, and technical safeguards.

To ensure that PHI is secure, both HIPAA-covered entities and tracking vendors should adopt robust security measures:

Encrypt ePHI that is transmitted to the tracking technology vendor.
Enable and use appropriate authentication.
Establish data governance practices (access control, access logs, etc.).
Regularly check and assess the risks of using tracking technologies.

Rule 4: Have a breach notification system in place.

If there's an unauthorized sharing of patient information due to tracking technologies, you must notify the affected patients and relevant authorities.

Why Google Analytics Is No Longer HIPAA-Compliant?

Even before the 2022 changes in the regulation, Google Analytics wasn't a HIPAA-compliant tool right out of the box. It took a lot of tweaking and removal of the personally identifiable information from user-entered data to stay compliant.

Starting from 2022, Google openly declared that Google Analytics doesn't satisfy new HIPAA requirements and advises companies subject to HIPAA to use Google Analytics strictly on pages that are not HIPAA-covered. Google does not offer Business Associate Agreements in connection with its service, which goes against one of the core data security standards stated by the HHS.

Solution: HIPAA-Safe Marketing Analytics with Improvado

The regulations on the collection and management of patient data are getting more strict, but they don't preclude data from being analyzed.

Improvado presents its HIPAA-compliant marketing analytics suite, including data management pipeline and marketing spend and ROI analysis.

Improvado solution provides healthcare marketers with answers to questions like:

What channel yields the best results?
Which marketing campaigns or channels are driving the most patient inquiries and appointments?
Which marketing touchpoints contribute to patient acquisition, engagement, and retention?
What better resonates with the audience educational materials on the blog, appointment reminders, or wellness check-ins?

Improvado's marketing analytics for healthcare and wellness is based on Mixpanel, a HIPAA-compliant tracking solution that fully fills the void the demise of Google Analytics has caused. The solution tracks how users interact with your websites and mobile applications. Improvado connects this data with information from other sources, whether it's a CRM system, social media network, or an email marketing platform, to map the whole customer journey, precisely attribute conversions, and see the impact of each touchpoint on revenue growth. Marketers can adjust the level of granularity, and examine performance across channels or geos, analyze bidding strategies and cross-channel ROI, all in one dashboard.

For empowering self-analytics and tackling ad-hoc marketing inquiries, Improvado introduces the AI Agent. The technology revolutionizes and democratizes data experiences, allowing technical and non-technical users to interact with data in natural language. By asking AI Agent questions in plain English, healthcare marketers can delve into cross-channel analytics, oversee budget pacing, and better navigate their data.

Ultimately, by leveraging Improvado, your marketing team will have a HIPAA-compliant solution to track appointments that come from social media ads, email marketing or paid search campaigns, launch remarketing campaigns that meet HIPAA privacy regulations, and continuously improve your marketing performance.

How Does Improvado Handle HIPAA Compliance?

Improvado is a HIPAA-compliant solution that has a robust data security framework, including

Solid encryption both during data transfer and while at rest, ensures that even if the data is intercepted or accessed without authorization, it will be unreadable and therefore useless to the intruder.
Readiness to sign a Business Associate Agreement (BAA) that will outline procedures and responsibilities regarding PHI protection. The outline of the agreement usually comes from a client, but in case you need assistance, the Improvado information security and privacy team can provide a template.
Regular audits and risk assessments.
Breach notification procedures to promptly notify clients of any instances and mitigate any potential damage, should a breach occur.
Secure data disposal protocol to handle data once it is no longer needed.

Mixpanel, respectively, follows all rules described earlier to stay HIPAA-compliant under the revised regulations:

Mixpanel offers a Business Associate Agreement (BAA).
It has built-in data governance rights, meaning account administrators have control to limit data access and disclosure.
The platform supports data masking, meaning it can mask personal identifiable information or personal healthcare information data by replacing it with a generic identifier.
Data in transit is encrypted, and strong encryption rules are applied when data is at rest.
PII or PHI can be excluded from sending to Mixpanel in the first place. The platform supports user-level data export control, meaning marketing analysts can define what data is being sent to Mixpanel on a user-by-user basis.
Mixpanel has a breach notification system in place that notifies customers within 72 hours of a suspected breach via email.

Improvado helps healthcare and wellness brands pivot from analytics built on Google Analytics data and continue harnessing the power of secure, insightful, and efficient data analytics to drive successful healthcare marketing strategies. Schedule a call to discuss how Improvado can provide a compliant and efficient solution for your needs.