Is Your Healthcare Website HIPAA Compliant?

Many healthcare firms are wondering whether their websites are HIPAA compliant after HHS issued new guidance in December 2022. The guidance (a bulletin interpreting the existing HIPAA Rules, not a new regulation) applies to websites and mobile apps that use scripts from third party technology firms to track user behavior and, in the process, collect protected health information.

In October 2023, the American Hospital Association (AHA) and some in Congress called for HHS to drop the new rules as being too burdensome on medical organizations, which they claim may also harm the public who benefits from aggregated public health reporting and research. In November, the AHA with others filed a lawsuit to stop HHS from implementing the new rules.

This leaves a lot of complexity and misunderstanding about how to navigate HIPAA rules for healthcare websites. But with the right knowledge and technical support, any healthcare provider can have both a successful and a compliant website and promotional program. Regardless of the latest rule changes on data collection, it is simply smart to have a periodic website audit for HIPAA compliance.

Before we talk about how to ensure a HIPAA compliant healthcare digital marketing program, let’s get a basic understanding of the terms and provisions on the subject of patient privacy.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed with dual goals: make health care delivery more efficient and increase the number of Americans with health insurance coverage.

Three main provisions of the act cover medical records portability, tax implications, and administrative simplification. That last item sounds like an oxymoron for a government regulation, but it is the third provision that deals with the standardization of electronic health records and the corresponding Privacy Rule that dictates how providers handle protected health information (PHI).

What’s the Health Information Privacy Rule?

The Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) were issued by HHS in 2000 to regulate the uses and disclosures of individually identifiable health information (IIHI) by organizations called “covered entities.” Covered entities are responsible for the patient’s privacy and include health insurance plans, health care clearinghouses, and health care providers. Their business associates (third parties that use this information to perform services on behalf of a covered entity) are bound by the same rules through a business associate agreement.

The Privacy Rule also lays out standards for individuals’ privacy rights so people fully understand and control how a covered entity is using their health information and regarding any disclosures, including marketing, of that information.

HHS – The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” Individually identifiable health information (IIHI) is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Individually identifiable health information includes many common identifiers (e.g., name, address, birthdate, Social Security Number).

How Does HIPAA Relate to Healthcare Marketing?

The HHS Privacy Rule defines the term “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 

Marketing activities require the patient’s prior written authorization when a covered entity sells or otherwise transfers an individual’s PHI to a third party for that third party’s “marketing” purposes.

Typical examples of marketing that requires prior consent include:

  • A hospital offers information to a cardiac facility (not part of the hospital) and the cardiac facility emails the patient about an optional baseline EKG for $39 when that communication is not part of the treatment plan.
  • A health insurance plan sells a list of its members to a company that sells blood glucose monitors, which subsequently sends the plan’s members brochures on the benefits of purchasing and using the monitors. 
  • A doctor provides their patient list to pharmaceutical companies for those companies’ drug promotions.
  • An OB/GYN or hospital sells the names of pregnant individuals or those that just had a baby to formula or diaper distributors, or magazine solicitors.

What is Not Considered Healthcare “Marketing”?

HHS does NOT treat as “marketing” a covered entity’s normal operational communications with an individual about that person’s health and care services, insurance reimbursement plans, and payments for services, or its communications with another covered entity about that person’s individual treatment and care.

Communication with patients by covered entities might include verbal discussion, clinic lobby materials, nominal gifts (like at a front counter), promotional or free medical items, emails, postcards, or first class letters. There are, however, specific privacy rules to follow when using postcards, letters, and email to ensure the patient’s health information is protected. More on HIPAA email communications.

Understanding New HIPAA Guidelines for Healthcare Websites

Now we’re hitting on the hot topic and new HHS guidelines for digital data collection. 

HHS 12/1/22 – Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. 

Data Tracking – Almost all healthcare providers have a website that provides information on their care services, locations, provider names, and in some cases fillable healthcare forms and links to a patient portal. Digital tracking technology uses scripts or code on a website or mobile app to gather digital information about users as they interact with the website or mobile app.

This data collection is almost always transferred to a third party technology company and used by that company for other digital tracking and promotional purposes. 

The new guidance addresses the digital capture and transfer of “individually identifiable health information (IIHI)” or “protected health information (PHI)” by these scripts. Common examples of third party tracking technologies (scripts, pixels and the cookies they set) are Google Analytics, Google Tag Manager, Meta Pixel, social media sharing buttons, embedded YouTube video, and mobile advertising IDs (AAID and IDFA).

All third parties that receive PHI to support the operations of a covered entity must sign a business associate agreement (BAA) for the disclosure to be permitted. The problem comes when those digital third parties are not HIPAA compliant and will not sign a BAA. Google, for example, states that Google Analytics must not be used to collect PHI and does not offer a BAA for it.

So, the main question is this – does your healthcare website track and transfer protected healthcare information (PHI) to a non-BAA entity? It’s certainly possible. So, how do you know?

To better understand whether a site is in compliance, it’s important to identify the difference between user-authenticated web pages and unauthenticated web pages.

Data Tracking on User-Authenticated Web Pages

User-authenticated web pages are those that require a login or sign-in for users to view their medical records, message providers, or see health plan beneficiary information. This personal medical information is PHI and must be handled in compliance with the Privacy Rule. Most sites use electronic health records (EHR) or patient portal software from a third party, and it is commonly assumed the vendor is HIPAA compliant and not running analytics tracking scripts. But the healthcare provider remains responsible for that compliance and for obtaining a business associate agreement (BAA). There have been cases of EHR systems and vendors not being compliant.

Data Tracking on Unauthenticated Web Pages

Unauthenticated web pages do not require a login to access, and are typical of pages that describe general care services, clinic locations, names and photos of care providers, clinic policies and other general information. Prior to the recent guidance, these pages did not appear to include individuals’ PHI and did not require a login, so they were assumed not to be subject to HIPAA. Look at the new guidance.

HHS Direction with the New Rules: Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.

Hold on. There is a question with the guidance above as to whether the metadata collected on users viewing general information pages counts as “individually identifiable health information.” That metadata can include the user’s IP address and the content they are viewing. Meta (Facebook), LinkedIn, Google, and other data companies can match a user’s IP address with other stored personal information, including name, email address, and phone numbers.

New Guidelines Define Protected Health Information

Most of us understand that individual identifiable information can be tracked from a form, login field, or within medical records, as mentioned above. But, the most confusing part of the new guidance from HHS deals with users searching for specific medical conditions, or clinic information like location, or billing policies on a general information, unauthenticated web page. Read this description.

HHS guidance on tracking technologies: This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.

The recent HHS controversy comes down to how the guidance equates IIHI with PHI: even if the individual has no existing relationship with the covered entity, and even if the information includes no specific treatment or billing details, it is still considered PHI.

The thinking by HHS seems to be that when an individual is seeking general or specific information about medical care or a potential appointment, it’s automatically connected to the regulated entity, and therefore, it’s indicative the person has received in the past, or will receive healthcare services in the future.

Other Potential Problem Areas

Embedded Login Fields…Many websites embed their patient portal login fields in the top navigation of the site or on a general web page. If a tracking script also loads on that page, it can observe the patient’s login interaction, so those pages are collecting PHI along with the login information.

Contact Us Forms…A web page that includes a “contact us” or “schedule a consultation” form collects name, address, phone number, or symptoms, which is IIHI, and therefore PHI, according to the new guidance.

How to Ensure Your Healthcare Website is Compliant

Since every healthcare provider must comply with HIPAA, it’s important for their digital presence to be in compliance. While the subject is complex, you have good choices in moving forward.

Seek Alternatives to Third Party Tracking

  • Update Website Content to be Compliant
  • Use HIPAA Compliant First Party Tracking Software
  • Use HIPAA Compliant Web Servers
  • Focus Promotional Efforts on Relevant Website Content
  • Optimize Content for Search Engines (SEO)
  • Use Predictive Audience Advertising
  • Use Seller Defined Audience Advertising
  • Advertise in Contextual Spaces
  • Use Double Opt In Subscription Email Marketing Campaigns

Pineapple Digital has two decades of experience working with healthcare providers and can help you with your decisions.

Book an appointment for a FREE website audit and consider your options.
