Last year on December 1st the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin on requirements on requires under HIPAA for online tracking respective of protecting the privacy and security of health information. OCR was concerned about the possibility of impermissible disclosures of electronic protected health information (ePHI) with online tracking vendors in a manner that would violate HIPAA. OCR called out the Meta Pixel and Google Analytics specifically.
Google responded by reminding that to protect user privacy, Google Analytics policies and terms mandate that no data be passed to Google that Google could recognize as personally identifiable information and no data collected using Google Analytics may reveal any sensitive information about a user or identify them. This has been Google Analytics terms of service from the start.
The American Hospital Association also responded on May 22nd to OCR stating that OCR should suspend or amend its December 2022 tracking guidance. “Regrettably, the Online Tracking Guidance errs by defining PHI too broadly — specifically, to include all IP addresses. As a result, the guidance will inadvertently impair access to credible health information. It should be suspended or amended immediately.” The AHA described how hospitals use analytics to optimize their online presence to reach more members of the community, including those who are in need certain healthcare information. The AHA feels OCR’s guidance will limit access to quality care by “impairing the ability of health systems to understand and predict the real demand for services in their communities."
Prior to AHA’s response many hospital marketers took OCR’s bulletin to mean that Google Analytics should not be used on their website. With Google Analytics affirming that they will not sign a Business Associates Agreement (BAA) these marketers have taken actions that include removing Google’s Universal Analytics completely from their site. Some have only left GA on their employment portal. These marketers are seeking alternative analytics solutions from vendors such as Adobe, PiWikPro, Mamoto and Mixpanel to name a few.
OCR’s discussion of IP addresses failed to consider points that AHA raised where many hospitals have anonymized the IP address that is sent to Google. OCR also did not consider that with Google’s deprecation Universal Analytics on July 1st, their GA4 platform does not process or store IP addresses at all.
July 1st is also another important date to remember as it is when additional states privacy legislation comes into effect. Specifically, Colorado and Connecticut will join California, Utah, and Virginia with set legislation requirements for businesses that operate in or have users from these states. One central theme is that consumers have the right to opt-out of profiling and targeted advertising as well as having the right to access data that organizations have on them and a right to request deletion of the data. This is very similar to GDPR requirements. While some US marketers have complied with GDPR’s directive that all users must provide explicit permission prior to any cookies being sent to their browser, many have naively thought that a simple static cookie banner will provide adequate notice; unfortunately, it does not.
There are expanding US requirements beyond consumer rights. These include requirements such as:
- Data Discovery & Mapping
- Consumer & Employee Rights Requests
- Opt-Out of Sales of Personal Information
- Opt-Out of Share for Behavioral Advertising
- Data Retention & Minimization Principals
- Third-Party Risk Management
- Consent Management
- Limit Use of Sensitive Personal Information (SPI)
- Transparent Policies & Notice
- Privacy Impact / Risk Assessments
- Annual Cybersecurity Audits
- Breach Notification Requirements
Suggested actions for all marketers:
- In some instances, it’s still okay for healthcare organizations to stick with Google Analytics. Check with your privacy team. And if not, here are 3 partners / vendors I really like instead: PiWik Pro, Mamoto, Adobe
- Audit your analytics property for possible PHI data
- Audit your website for possible PHI leaks – this should not be a one and done practice
- Audit your analytics for user visits from the European Economic Area countries to determine GDPR requirements compliance
- Update any static cookie notification banner to a managed consent solution
- Review CCPA, CPRA, CPA, CTDPA, UCPA, CDPA territorial scope and application threshold to determine if these state’s privacy laws apply
- Conduct data discovery with your IT department to map where all user data is currently being retained as well as who has access to this data – internal employees and external partners.
This space is fast evolving so don’t go it alone. Reach out to Primacy with any privacy and tracking-related questions.
Disclaimer – Primacy does not provide legal advice.