Online Privacy and Security in Healthcare: What You Need to Know
Web privacy and security are critical concerns for healthcare organizations and consumers – that’s nothing new. However, the introduction of new regulations around tracking tools and consumer targeting means that protecting sensitive data is more complex than ever. At a recent event hosted by KC Health Communicators, AJ Templin, Digital Marketing Manager, shared essential information for anyone trying to ensure their online privacy and security measures are up to date.
In a bulletin updated by the U.S. Department of Health and Human Services this past June, regulators addressed the intersection between HIPAA rights and online tracking. The bulletin specifically targets tracking technologies – such as cookies used by websites and apps – and clarifies that healthcare organizations and their partners must abide by HIPAA rules when using these tools. This includes safeguarding protected health information (PHI) collected through tracking technology vendors like Google and Meta. Organizations must obtain explicit patient consent before sharing PHI with third parties. Failure to do so can result in severe legal penalties, as well as the loss of trust among employees, consumers and the public.
As a healthcare organization beholden to HIPAA regulations, you may be asking yourself how you can track and analyze campaign performance data, and even target key consumer segments, while remaining compliant with the latest laws around privacy and PHI.
This illustration by Freshpaint underscores the risk tracking technologies can pose.
While the bottom line is that tracking technologies do elevate your risk of data breaches, understanding how to navigate the system – or partnering with someone who does – will help ensure your marketing stays both effective and compliant.
Cookies & Consent
Cookies are bits of data sent to and from your web browser that identify you, with the goal of enhancing your user experience by serving up content based on your preferences. When you visit a website for the first time, there’s a good chance you’ll see a pop-up message telling you the site uses cookies and giving you the chance to accept or opt out via changing settings. Getting “cookie consent” – and letting people know that continuing to use the site implies consent – is an increasingly popular way to mitigate these privacy and security challenges. By offering transparency and the ability for users to opt out, organizations can better protect themselves and their site visitors from unwanted data sharing.
Analytics with Server-Side Protections
In response to heightened regulations, you need advanced server-side protection that ensures outgoing data is cryptographically hashed and/or encrypted before it is shared with external analytics platforms (such as Google Analytics). Freshpaint offers healthcare organizations the tools to control what information is being shared. At MedPB, an Onspire Health Marketing company, we’ve partnered with Freshpaint to layer their best-in-class protections into our most popular digital marketing solutions. Freshpaint’s Healthcare Privacy Platform helps close security gaps in digital marketing, acting as a safeguard by filtering out PHI before it reaches untrusted third-party platforms. Through our innovative partnership with Freshpaint, we’ve made this leading-edge, privacy-first platform available and affordable for healthcare organizations of all sizes.
Enhanced Video Privacy
When you embed videos on your website that are hosted on popular third-party video platforms, those platforms will collect information about your web visitors (very similar to a third-party analytics engine). When a video is about specific health conditions and/or medical specialty, a view can be “evidence” that the viewer has that particular condition or needs to see a specialist – which opens the door for HIPAA violations. To protect PHI, healthcare organizations need one or more of the following safeguards:
- Server-side protection with built-in video encryption
- Transition your video embeds to YouTube’s Privacy Enhanced Mode (which means no one’s data will be stored unless and until they interact with a video)
- Remove embeds in favor of providing direct links to videos (which avoids having video view information shared from your website)
Additional Web Security Measures
Beyond managing tracking technologies, healthcare websites should prioritize security measures to protect all forms of personally identifiable information (PII). Encrypting your online form submissions with a tool like LuxSci Forms is a smart added measure, as is two-factor authentication (2FA) and modifying admin permissions to reduce the risk of unauthorized access.
Where to Go from Here: Developing an Action Plan
Feeling overwhelmed by what it takes to ensure compliance and avoid costly data breaches? If so, you are not alone – it’s a complex matter that must be handled correctly at every turn. We recommend partnering with our digital marketing experts for strong security and peace of mind. But if you want or need to lead your own charge, begin by thoughtfully auditing your current processes. For example:
- What tools are integrated with the website and what information is being shared?
- Have all applicable vendors signed a Business Associate Agreement with you that governs their use of PHI/PII?
- What information is being collected on your website?
- Do you have videos embedded on the website?
- Do you have a map tool integrated with the website?
Once potential vulnerabilities are identified, create a detailed action plan to enhance compliance and security. It is crucial to establish clear timelines for implementation to prevent new threats and guarantee the ongoing protection of patient data.
Partnering with the Experts
The evolving demands of web privacy and security can be challenging for busy marketers to keep track of, let alone ensure compliance at every step. As a digital marketing agency specializing in healthcare, we understand how crucial it is to keep patient data secure. That’s why we partner with Freshpaint to provide privacy-first digital marketing. To learn more, contact us today.