HIPAA says, “Don’t Google it.”  

For years, healthcare organizations have worked behind the scenes, using platforms like Google Analytics to collect and analyze data about their patients. In fact, Becker’s has reported this:

“Google’s code, which is present on 94 percent of healthcare provider websites, tracked, collected and monetized patients’ health information, violating federal, state and common law.”

– Becker’s

Violations and regulations aside, it’s easy to understand why these platforms and practices were put into place. After all, website analytics can be used to:

  • More effectively target marketing efforts and optimize for lead generation.
  • Monitor user behavior and retarget to specific audiences.
  • Analyze media mix models and calculate ROI.

Long story short, removing analytics from the equation creates less visibility – impacting both your business decisions and marketing efforts.

The third party has entered the chat.

HIPAA compliance and patient approval are far from new. But with more third-party integrations and more complex tagging and tracking, the exposure of patient data has only increased. An HHS bulletin from December 2022 states, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

[Infographic: What is a HIPAA violation?]

Protected health information (PHI) is individually identifiable health information. As more protective policies are put into place, the following website interactions would be considered potential exposures of PHI:

  • Using find-a-doctor tools.
  • Viewing doctor profile pages.
  • Viewing service-line-specific content.
  • Scheduling an appointment.

Why does this increased regulation matter?

While we’ve already demonstrated the impacts this will have on your media and engagement strategies, this tighter lockdown on data will need to be evaluated throughout your organization.

Handling any disclosure of PHI in a manner consistent with HIPAA will take on greater significance. And if you don’t think your patients are paying attention, think again. They are becoming increasingly aware of their legal rights surrounding data security and will be looking for organizations they can trust with their privacy.

[Infographic: How to be HIPAA compliant]

So, Google is out. Now what?

At MBB, we are actively partnering with the 4A’s, who have a committee dedicated specifically to HIPAA-compliant healthcare analytics. While we continue to implement our learnings with them, we are also seeing new paths forward in terms of our approaches to determining campaign success.

  • Utilizing HIPAA-compliant solutions (some of which allow you to make Google Analytics HIPAA-compliant)
  • Creating unique CTAs driving to custom landing pages
  • Integrating more robustly within our clients’ own data
  • Real-time feedback regarding service-line volume increases
  • Adding analytics only on pages which do not relate to the provision of health care services
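As an added illustration of the last approach above (this is example code, not code from MBB, the 4A’s committee or any analytics vendor), the snippet below loads an analytics tag only on an explicit allowlist of pages that do not relate to the provision of care, and withholds it everywhere else. The URL patterns, query-parameter names, hospital hostname and vendor tag URL are all constructed placeholders; a real site would substitute its own.

```javascript
// Added example: gate analytics loading on an allowlist of non-care pages.
// Default is "do not track", so a new find-a-doctor, doctor-profile,
// service-line or scheduling page that nobody remembered to classify is
// never tracked by accident.

// Constructed placeholders for pages that carry no care-related context.
const NON_CARE_PATHS = [
  /^\/$/,                   // home page
  /^\/about(\/|$)/i,        // organization information
  /^\/careers(\/|$)/i,      // job listings
  /^\/news(\/|$)/i,         // press releases
];

// Constructed placeholders for query parameters that could identify a
// patient even on an otherwise harmless page (e.g. a link from a portal).
const SENSITIVE_PARAMS = ["patient_id", "mrn", "appointment_id"];

// Placeholder hostname, used only to resolve relative paths.
const SITE_ORIGIN = "https://example-hospital.invalid";

// Returns true only when the URL is on the allowlist AND carries no
// sensitive parameters; everything else is treated as care-related.
function analyticsAllowed(url) {
  const u = new URL(url, SITE_ORIGIN);
  if (SENSITIVE_PARAMS.some((p) => u.searchParams.has(p))) return false;
  return NON_CARE_PATHS.some((re) => re.test(u.pathname));
}

// Calls `loader` (which injects the vendor tag) only when allowed.
// Returns whether the tag was loaded so the decision can be logged/tested.
function loadAnalytics(url, loader) {
  if (!analyticsAllowed(url)) return false;
  loader();
  return true;
}

// Browser usage: runs only when a DOM is present.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  loadAnalytics(window.location.href, () => {
    const s = document.createElement("script");
    s.src = "https://analytics.example.invalid/tag.js"; // placeholder vendor URL
    s.async = true;
    document.head.appendChild(s);
  });
}
```

The allowlist is deliberate: a denylist of care-related paths fails open when a new service-line page is published at an unlisted path, while an allowlist fails closed. The parameter check covers the case where a patient arrives on an approved page through a link that already carries an identifier in the query string; the page would otherwise be safe, but the full URL passed to the tag would not be.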

If your organization is ready to take the next logical step in finding a HIPAA-compliant analytics platform provider, one that will be covered under a Business Associate Agreement (BAA), MBB would be happy to assist you in your search. Together, we can outline the requirements needed for a successful implementation.
