When was the last time you looked at your Google Analytics? Maybe you’re one of those people that has to look at them every day–comparing your traffic to the previous week, month, or year? Or maybe you look at your analytics information once a month (we admire your willpower) or once a quarter. Heck, maybe you never even think about your Google Analytics information.
Well, it might be time to start–at least a little bit. That’s because the United States Department of Health and Human Services (or HHS if you want to save a bit of time) has released a new statement concerning how website tracking services relate to HIPAA.
Not to worry, though! We’re here to walk you through what this means, what (if anything) you need to do, and how to keep protecting your patients’ privacy.
What Do You Need to Know About HIPAA and Analytics?
The entire purpose of HIPAA is to help protect what’s known as individually identifiable health information (IIHI) and protected health information (PHI). The new rules state that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosure of PHI to tracking vendors or any other violations of the HIPAA rules.”
In other words, you can’t let Google know that Sally booked an appointment for a hearing aid–even if that’s data that you never see.
Collecting Data for SEO
This requires a little bit of finesse and thoughtfulness when it comes to running your marketing campaign. Because you need to collect some data. Any audiology SEO campaign worth its salt means obtaining insights on website performance via the use of tracking technologies. Those technologies could include:
- Google Analytics
- Meta Pixel (for Facebook, Instagram, etc.)
- On-site Cookies
- And more
If not implemented properly, all of these technologies run the risk of violating HIPAA rules. That’s not what you want for your audiology practice! At MedPB, we help you make sure that your data tracking and analytics technologies stay compliant.
What Does Compliance Mean?
Clearly, we don’t recommend that any data analytics or tracking technology be set up in such a way that it violates HIPAA. But… what does that actually look like in practice? One example at MedPB is that we make sure Google Analytics and Meta Pixel are only used to track pageviews and not gather other identifiable data from web users.
Luckily, the Office for Civil Rights (OCR) provides a bit of guidance to help you make sure you’re staying compliant.
Pages that require HIPAA compliance:
- Pages that require a log-in or feature PHI such as name, email address, diagnosis, or prescription medication are all covered under this HIPAA rule. (This means you should absolutely be very careful with any tracking on these pages.)
- Pages that do not require a log-in, but do make use of PHI are covered under HIPAA guidelines. This could include pages such as login pages, online appointment request forms, pages where email addresses are captured and so on.
- Webpages that cover specific services or conditions that can be linked back to a patient’s IP address.
Pages that do not require HIPAA Compliance:
- Pages that do not require a log-in or PHI (such as general practice information, services, audiologist bios, and so on) are typically not covered by HIPAA regulations.
This is not exhaustive, of course. Any pages that ask patients to put in their personal information are covered; general-purpose pages are not. If you have a button that says, “click here if you have hearing loss,” that’s probably covered. You get the idea!
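One way to put that page classification into a repeatable check, as an added example that is not MedPB’s own tooling: the script below parses a few constructed sample pages, treats a page as covered when it contains a form field that collects an identifier (name, email, phone, password), and flags any covered page that also loads a third-party tracking script from the hosts Google Analytics/Tag Manager and Meta Pixel are served from. The sample pages, the field list and the `G-PLACEHOLDER` measurement id are constructed for the example.

```python
"""Flag pages that collect patient identifiers AND load third-party trackers."""
from html.parser import HTMLParser

# Script hosts used by Google Analytics / Tag Manager and the Meta Pixel.
TRACKER_HOSTS = ("googletagmanager.com", "google-analytics.com", "connect.facebook.net")
# Field names treated as patient identifiers for this audit (assumed list).
PHI_FIELDS = {"email", "name", "phone", "password", "dob", "diagnosis"}


class PageScan(HTMLParser):
    """Collect tracker script hosts and identifier-collecting inputs on one page."""

    def __init__(self):
        super().__init__()
        self.trackers = set()
        self.phi_fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            for host in TRACKER_HOSTS:
                if host in a["src"]:
                    self.trackers.add(host)
        if tag == "input":
            ident = (a.get("name") or a.get("id") or "").lower()
            typ = (a.get("type") or "").lower()
            if ident in PHI_FIELDS or typ in ("email", "password", "tel"):
                self.phi_fields.add(ident or typ)


def audit_page(path, html):
    """Return the page's classification and whether trackers run on a covered page."""
    scan = PageScan()
    scan.feed(html)
    covered = bool(scan.phi_fields)  # collects identifiers -> treat as HIPAA-covered
    return {"path": path, "covered": covered, "trackers": sorted(scan.trackers),
            "finding": covered and bool(scan.trackers)}


def audit_site(pages):
    return [audit_page(path, html) for path, html in pages.items()]


# Constructed sample pages (not real practice pages).
SAMPLE_PAGES = {
    "/about": '<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER">'
              '</script><p>Meet our audiologists</p>',
    "/request-appointment": '<script src="https://connect.facebook.net/en_US/fbevents.js">'
                            '</script><form><input name="name"><input type="email" name="email"></form>',
    "/patient-login": '<form><input name="username"><input type="password" name="password"></form>',
}

if __name__ == "__main__":
    for result in audit_site(SAMPLE_PAGES):
        print(result)
```

Only the appointment-request page is reported as a finding: the About page is not covered, and the login page is covered but loads no tracker.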
Does Google Make This Easier… or More Challenging?
The good news is that Google understands there’s an interest in protecting PHI under HIPAA. And they’ve released some guidelines to make things easier on folks like us!
To understand why this is necessary, it might be useful to take an example: most people will get to your audiology website by using Google and typing in something like “hearing aids near me.” Now, to provide a result, Google needs to know where you are! So, it used to track your IP address.
Unfortunately, anyone who got a hold of that IP address now knows you have hearing loss. So starting with Google Analytics 4, Google stopped tracking those IP addresses. (It can still use those IP addresses to populate search engine results, but it does not store them). So, in some ways, Google makes it easy to track pageviews without putting PHI at risk.
What Can Audiology Websites Track?
Audiology websites built and designed by MedPB do not employ tracking cookies. In general, our websites collect data only on unauthenticated web pages (that is, those web pages that do not require a login of any kind). This is in line with HIPAA regulations.
However, there is a fine line here. If your web pages contain information on specific symptoms or treatments regarding a specific condition, you cannot collect the IP addresses of users visiting your website. If you do, those IP addresses become PHI, and you may have a problem.
This is likewise true on any forms you may have on specific pages. (That’s why MedPB forms are never set up to track information.)
So What Do We Track?
For MedPB audiology customers, most of our campaigns do not rely on retargeting methods that track users across websites. This means that our Google and Meta plans will almost always focus on keywords more than anything.
- For Facebook and Meta ads, we track only pageviews and do not capture or share any user-specific data.
- For Google, we prohibit the use of Google Tag Manager and Google Analytics within our HIPAA-compliant form builder. When we use Google Ad Campaigns, user-specific details are not collected or shared.
Simply put, none of our successful marketing strategies rely on this information. And by not collecting it, we provide you with an added layer of reassurance.
What Should You Be Doing?
There are a couple of things you can do to keep your audiology practice safe from unintentional HIPAA breaches. Some of the most common include the following:
- Regularly train your staff on HIPAA regulations and patient privacy (we know you know this, but it never hurts to reinforce it).
- Perform regular risk assessments and audits to help identify potential HIPAA issues.
- Regularly discuss HIPAA and privacy concerns with your marketing company. At MedPB, we are no strangers to these types of discussions!
At MedPB, we have dedicated team members who keep up with the latest privacy trends and possible changes made by third-party tracking providers, such as Google and Meta. We help make sure that your audiology website is in compliance–so it’s one less thing you need to worry about!
Not sure where your website stands? Schedule a free assessment with MedPB today–and make sure your audiology website isn’t putting patient data at risk.
Disclaimer: This blog post is not legal advice. MedPB provides growth solutions to audiology providers and does not provide legal advice. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney familiar with HIPAA Rules and Regulations.