The Balance Between Digital Transformation and Regulatory Compliance for Patient Security

The following is a guest article by Michelle Berryman, FIDSA, Executive Creative Director at Hero Digital

Patient privacy is the foundation of our healthcare system. Ensuring trust in the confidentiality and security of sensitive health information enhances patient care effectiveness and puts individuals at ease to seek care.

However, the integration of digital technologies in healthcare introduces new challenges in privacy protection. While tracking technologies like cookies and pixels offer benefits in data gathering for improved user experience and analytics, they also pose risks to patient privacy, potentially exposing sensitive health information without explicit consent.

Recognizing these risks, the Office for Civil Rights at the U.S. Department of Health and Human Services has issued clear guidelines for HIPAA-covered entities. These guidelines stress that healthcare organizations must govern their use of digital tracking technologies in order to comply with HIPAA, which sets standards for protecting patient data through appropriate security measures against unauthorized access or disclosure.

For providers, ensuring regulatory compliance is crucial. I’ll outline steps they can take to navigate these challenges when it comes to their digital experience.

The Costs of Failing to Comply

The world of patient-tracking technologies in healthcare is fraught with significant risks, as evidenced by recent legal repercussions.

Since August 2022, the legal landscape has been increasingly challenging for healthcare providers utilizing third-party tracking technology. BakerHostetler, a legal firm, has documented more than 50 lawsuits targeting hospitals for improper use of third-party tracking technology. These legal actions often stem from the discovery that tracking technologies were transmitting sensitive patient data to large tech firms, including Meta and Google, without appropriate consent.

To cite one example, several Louisiana hospitals, including major healthcare networks like LCMC Health Systems and Willis-Knighton Health System, are facing class action lawsuits due to online tracking technologies, such as pixels, that may have shared protected health information without consent.

Another vivid and personal example of these risks was experienced by one of my clients. The potential for violation was so alarming that they made the decision to completely disable their site analytics. This drastic step was taken to mitigate the risk until we could provide a solution, which came in the form of implementing a HIPAA-compliant setup using Adobe Customer Journey Analytics combined with Healthcare Shield. We made sure their analytics practices were both safe and compliant.

Tech companies are a big part of the story. Meta is facing an ongoing lawsuit for allegedly scraping health data from hundreds of hospital websites with its Meta Pixel Helper, which is used by thirty-three of the top 100 hospitals in the U.S. The allegations included the unauthorized collection of highly sensitive protected health information (PHI) such as medical conditions and appointment details, which were linked to users’ unique IP addresses.

Accessibility is another issue to weigh carefully. In March, the Department of Health and Human Services (HHS) emphasized the importance of language services in healthcare access and outcomes, highlighting the necessity for states to meet the language needs of their communities.

The review was initiated in response to allegations that individuals with limited English proficiency in 19 states were not provided meaningful language access to COVID-19 services, in violation of Title VI of the Civil Rights Act of 1964. Over 10,900 state agencies and their subrecipients received technical assistance letters and training materials to remind them of their obligations under Title VI.

The importance of patient convenience, experience, and security will only grow in the coming years. The question is, how can it be done while protecting patient data and preserving the digital experience between patient and provider?

Analyzing Third-Party Vendors and Digital Solution Options

In light of the HIPAA regulations, healthcare providers are urged to partner only with third-party analytics vendors that have an established record of complying with privacy regulations. It is also essential to confirm that each vendor will sign a Business Associate Agreement (BAA), which binds the vendor to HIPAA rules.

This adherence empowers providers to utilize data analytics effectively, improving patient care, operational efficiency, and decision-making while staying compliant with the latest regulations from the Department of Health and Human Services (HHS). This approach helps organizations navigate regulatory changes and foster a culture of privacy and trust within the healthcare sector.

Google and Adobe are the most commonly used analytics platforms.

In the past, Google Analytics was not advisable for most providers because Google refused to sign a BAA, which conflicted with the guidance in the original HHS bulletin. However, in the latest bulletin, the HHS clarifies its stance: providers can use Google Analytics if they sign a BAA with a vendor that ensures the data is properly safeguarded before it is sent to Google.

If you don’t sign a BAA, using Google Analytics comes with big risks. Under certain conditions, the most recent bulletin explains, tracking technologies used on a regulated entity’s webpage can access protected health information. This applies to pages that allow people to schedule appointments or use a symptom-checker tool without entering credentials.

This is another reason for caution if you’re using Google. Whatever anonymized data is sent must not be capable of being tied back, even through creative means, to an individual’s past, present, or future health, healthcare, or payment for healthcare.
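As an added illustration that is not code from the article or from Hero Digital, the following client-side gate runs before any analytics beacon fires on the unauthenticated pages the bulletin singles out (appointment scheduling and symptom checkers): it sends nothing without consent, sends nothing from those pages unless the pipeline is BAA-covered, and otherwise strips parameters that could tie the visit back to a person or condition. The path patterns and parameter names are assumptions for the demo, not values from the bulletin.

```javascript
// Added example, not code from the article or Hero Digital. It models a
// client-side gate that runs before any analytics beacon fires, so that the
// unauthenticated pages the HHS bulletin singles out (appointment scheduling,
// symptom checkers) never hand identifying details to a third party that is
// not covered by a BAA. The path patterns and parameter names are assumptions.

// Assumed site sections where a visit alone can reveal health information.
const SENSITIVE_PATHS = [
  /^\/appointments?(\/|$)/i,
  /^\/schedule(\/|$)/i,
  /^\/symptom-checker(\/|$)/i,
];

// Assumed query parameters that could tie a visit to a person or condition.
const IDENTIFYING_PARAMS = new Set([
  "patient_id", "mrn", "dob", "email", "phone", "condition", "symptom",
]);

function isSensitivePage(urlString) {
  const { pathname } = new URL(urlString);
  return SENSITIVE_PATHS.some((re) => re.test(pathname));
}

// Decide what a page-view beacon may carry.
//   consent    - visitor gave explicit consent to tracking
//   baaCovered - the analytics pipeline is covered by a BAA
// Returns null when nothing may be sent; otherwise a minimal payload with
// identifying parameters and the fragment removed so that the record cannot
// be tied back to an individual's condition or appointment.
function beaconPayload(urlString, { consent = false, baaCovered = false } = {}) {
  if (!consent) return null;                 // no consent, no beacon at all
  const sensitive = isSensitivePage(urlString);
  if (sensitive && !baaCovered) return null; // PHI-bearing page, no BAA
  const u = new URL(urlString);
  for (const key of [...u.searchParams.keys()]) {
    if (IDENTIFYING_PARAMS.has(key.toLowerCase())) u.searchParams.delete(key);
  }
  // origin + pathname + search drops the fragment (#...) automatically
  return { page: u.origin + u.pathname + u.search, sensitive };
}
```

In a real deployment the allow-list of parameters and paths would come from the same review your legal and compliance teams perform on the site, and the returned payload is the only thing handed to the vendor's SDK.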

Adobe Analytics does not inherently comply with HIPAA standards. Nevertheless, Adobe offers HIPAA-ready services like Healthcare Shield, incorporating a real-time customer data platform. These services involve additional costs and necessitate a BAA between Adobe and the customer.

Beyond these two, there are numerous HIPAA-ready solutions, such as Mixpanel, Plausible, Freshpaint, and Piwik Pro, which offer diverse features and compliance levels.

  • Mixpanel delivers robust reporting and data visualization.
  • Plausible stands as an open-source, self-hosted alternative.
  • Freshpaint guarantees HIPAA compliance across its entire infrastructure, allowing clients to keep using Google Analytics.
  • Piwik Pro adheres to all privacy regulations, including HIPAA, and provides varied data storage options.

Working with your legal and compliance teams to determine the best fit for your organization is always a recommended best practice.

Next Steps for Providers Wanting to Ensure Compliance and Data Security

Healthcare companies should recognize that they do not have to navigate this intricate and ever-changing landscape alone. A proactive stance tends to be the more successful strategy.

Given the complexity of healthcare regulations and the evolving nature of digital threats, it may be wise to consult with a digital experience agency with a track record of working with healthcare organizations. A tailored, expert-driven approach can help ensure that your organization not only meets current regulatory standards but is also prepared for future challenges.

Choosing the right partner is a significant decision given the potential legal consequences of non-compliance, so it’s crucial to evaluate your options carefully. Agencies such as Hero Digital can help implement tracking changes or full-scale implementations with your organization and legal teams.

With your security locked down, decision-makers are free to invest in and focus on improving overall digital experiences. Enhanced digital experiences lead to more accessible patient services and, ultimately, superior patient outcomes.

By securing patient data and ensuring compliance, healthcare providers can concentrate on what truly matters—delivering exceptional patient care without the constant worry over data privacy issues.

About Michelle Berryman

Michelle Berryman, FIDSA, serves as the Executive Creative Director at Hero Digital. Michelle has over two decades of experience as a User Experience Designer and Digital Strategist with a significant background in industrial design, user-centered design, research, innovation, experience strategy, and brand management. She believes in the power and elegance of simplicity and that interactions should be authentic, meaningful, and pleasurable. She strives to make an emotional connection with users by eliciting desire and delight with the interfaces she designs. In 2015, she was named one of the Top 50 Industrial Designers of the last 50 years by the Industrial Designers Society of America. Her specialties include Digital Strategy, Innovation, Interaction Design, User Experience, Information Architecture, User Research, Corporate Identity, Project Management, Business Development & Emerging Technologies. When she’s not designing, she can be found traveling the world, camera in hand, looking for beauty, inspiration, and fresh perspectives.
