Approximately three in five organizations, including a wide range of direct-to-consumer healthcare companies, use data analytics to drive innovation.

If you work in the DTC healthcare field, you likely use some kind of tracking and analytics tool to run your business more efficiently. You may also be concerned about remaining compliant with the latest regulations (including the Health Insurance Portability and Accountability Act or HIPAA regulations) while utilizing these tools.

Healthcare organizations are (understandably) worried about regulatory compliance in regard to data tracking and analytics—especially in this era. That’s why we compiled an in-depth guide to help you understand best practices.

Please note that nothing in this guide should be taken as legal advice. We are simply sharing recommendations based on the latest guidance from the Office for Civil Rights (OCR), as well as what general councils of some of our healthcare clients have suggested.

‍

The State of Data Tracking for Healthcare Companies

The majority of healthcare organizations use some kind of tracking technology. At the same time, many healthcare organizations have recently come under fire for improper and non-compliant data tracking and analytics practices.

The following are just a few of the latest examples of legal action that have been waged against DTC healthcare organizations:

• Online counseling service BetterHelp agreed to pay $7.8 million to customers in a settlement with the Federal Trade Commission after sharing health data it promised to keep private.
• The Federal Trade Commission charged the online telemedicine platform GoodRx for failing to notify customers and regulators of unauthorized consumers' personal health information disclosures, resulting in GoodRx agreeing to pay a $1.5 million civil penalty.
• The Federal Trade Commission penalized genetic testing firm 1Health.io for not properly securing users’ genetic data, deceiving consumers about their ability to have sensitive data deleted, and retroactively changing its privacy policy.

Many healthcare organizations have been held accountable for misusing patient and client data over the last few years, and it seems safe to say that there will be more accountability in the future—particularly when it comes to HIPAA-compliant analytics and tracking. We feel that it’s so important to discuss the latest rules and guidelines and offer insights about how you can ensure compliance.

‍

The Latest Changes in Healthcare Tracking Guidance

Naturally, with the rise in lawsuits filed against direct-to-consumer healthcare companies, many changes have occurred around the country’s healthcare tracking rules and regulations. One of the most noteworthy changes is the issuance of new guidance from the OCR (Office for Civil Rights) at HHS (U.S. Department of Health and Human Services).

The new guidelines, which are titled “Use of Online Tracking Technologies by HIPAA-Covered Entities and Business Associates,” answer the following questions:

‍

What Is a Tracking Technology?

This guidance defines tracking technology as a script or code on a website or app that is used to gather information about users when they engage with the site or app.

After information gets collected, it is analyzed by website or app owners (or third-party organizations) to establish insights about users’ online activities.

These insights can be used to enhance the user experience (or patient/client experience in healthcare settings). However, they can also be misused to spread misinformation or promote nefarious activities like harassment, identity theft, and stalking.

Websites and apps—including DTC healthcare websites and apps—use a variety of tracking tools and technologies. For example, websites typically use tracking pixels, cookies, fingerprinting scripts, and session relay scripts. Conversely, mobile apps include/embed tracking codes. They can also use unique identifiers, such as device IDs, to create profiles for each app user.

Website and mobile app owners can use tracking technologies that were developed internally or by a third party organization (also known as tracking technology vendors). When using third party tracking technologies, information typically gets sent to the party that developed the technology.

‍

How Do HIPAA Rules Apply to Healthcare Providers’ Tracking Technology Use?

Regulated entities (i.e., healthcare providers that electronically transmit healthcare information) disclose a wide range of information to vendors through technologies placed on the entities’ websites or apps—including individually identifiable health information (IIHI), which the individual provides when they use the entity’s website or app.

Examples of IIHI could include:

• Home or email addresses
• Dates of appointments
• Medical record numbers
• Individual IP addresses or geographic locations
• Medical device IDs and other unique identifying codes

According to HIPAA rules, all IIHI that is collected on a regulated entity’s website or app is generally considered protected health information (PHI). This is the case even when an individual doesn’t have an existing relationship with the entity, and even if the IIHI does not include specific treatment or billing details (dates, types of services administered, etc.).

All of this data is considered PHI because it connects an individual to a regulated entity. It indicates that the individual either has received, or will receive, services or benefits from that organization. As such, it relates to that person’s past, present, or future health, healthcare, or payment for healthcare.

‍

Tracking on User-Authenticated Web Pages

Healthcare providers and other regulated entities may have user-authenticated web pages. These pages require users to log in before they can access the page. Examples include patient & health plan beneficiary portals or tele-health platforms.

Tracking technologies on user-authenticated web pages typically have access to PHI, including IP addresses, medical record numbers, home or email addresses, and dates of appointments.

Because tracking technologies within user-authenticated web pages have access to protected health information, regulated entities must configure them so that they only use and disclose PHI in compliance with the HIPAA Privacy Rule. They must also ensure that the electronic protected health information (ePHI), which is collected through the website, is protected and secured according to the HIPAA Security Rule.

Remember that tracking technology vendors are also considered business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (such as healthcare operations) or provide certain services that involve the disclosure of PHI.

In these situations, healthcare providers and other entities must ensure disclosures made to tracking technology vendors are permitted by the Privacy Rule. They must also enter into a business associate agreement (BAA) to ensure that PHI is protected in accordance with the HIPAA rules.

Let’s say an individual makes an appointment through the website of a covered health clinic, and that website uses third-party tracking technologies. The website might automatically transmit information about the appointment, as well as the individual’s IP address, to a third party. In this case, the third party is considered a business associate. Therefore, a BAA is required.

‍

Tracking on Unauthenticated Web Pages

Healthcare providers and other regulated entities may also have unauthenticated web pages. These are web pages that do not require users to log in before accessing the page, i.e., web pages with general information about the entity, such as its location, services provided, or policies and procedures.

Tracking technologies on unauthenticated web pages generally do not have access to individuals’ PHI. Because of this, HIPAA rules do not regulate the entity’s use of such tracking technologies in most cases.

However, in some cases, tracking technologies on unauthenticated web pages may have access to PHI. In these cases, HIPAA rules apply.

The login page of a regulated entity’s patient portal is typically unauthenticated because the individual did not provide credentials to navigate to it. However, if the individual enters credential information, that information is considered PHI.

‍

Tracking Within Mobile Apps

Some regulated entities offer mobile apps to schedule appointments, pay bills, etc. These apps collect a wide range of information, including fingerprints, network locations, and device IDs. All of this information is considered PHI, meaning the organization must comply with HIPAA’s rules.

On the other hand, HIPAA rules do not apply to or protect information users voluntarily download or enter into apps that aren’t developed by, or on behalf of, a regulated entity.

For example, say a person enters information from their medical records into another app not regulated by HIPAA. Even though they’re using personal information from medical records, it’s voluntarily being entered into a different, non-regulated app.

It’s important to keep in mind that even in situations where HIPAA rules do not apply, other laws might, such as the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR). These rules might apply in situations where a mobile health app discloses a user’s health information without their permission.

‍

What Are the HIPAA Compliance Responsibilities for Organizations that Use Tracking Technologies?

Regulated entities must comply with the HIPAA Rules whenever they use tracking technologies with access to PHI. The following are examples of the HIPAA Privacy, Security, and Breach Notification requirements that healthcare providers and other regulated entities must meet:

• They must ensure that all disclosures of PHI to third parties are permitted explicitly by the Privacy Rule. Unless an exception applies, only the minimum necessary PHI should be disclosed to achieve the intended purpose.
• They must establish a BAA with a tracking technology vendor that aligns with the definition of a “business associate.”
• They must address the use of tracking technologies in the organization’s Risk Analysis and Risk Management processes and implement other administrative, physical, and technical safeguards in accordance with the Security Rule to protect the ePHI.
• They must provide breach notifications to affected individuals (as well as the HHS Secretary and the media) of the impermissible disclosure of PHI to a tracking technology vendor.

‍

Key Takeaways

This is a lot of information to take in, but it’s critical to your organization’s success and compliance.

Here are some of the most important takeaways to keep in mind:

• The guidelines provide additional clarification on what counts as identifiable information under HIPAA.
• For example, the new guidance posits that IP addresses are considered individually identifiable health information (IIHI). Furthermore, tracking on user-authenticated web pages and screens is considered electronic protected health information (ePHI).
• Login pages and screens also fall under HIPAA, as do lead-generation pages that are symptom-specific.

‍

Best Practices for Tracking & Analytics for Healthcare Companies

Let’s get into the best practices that organizations like yours should follow to ensure compliance with the latest guidelines and regulations. Keep these in mind as you begin making adjustments to your tracking and analytics protocols:

‍

Use a Customer Data Platform

A Customer Data Platform, or CDP, is a software solution that combines data from multiple tools and uses it to create a centralized database.

This database contains the data on all touchpoints and interactions with your company’s product or service. You can then segment the database in a variety of ways to make marketing campaigns more personalized.

If you aren’t already doing it, consider using a CDP as the primary source of event streams. Separate the source for front-end and back-end events too, and feed equivalent funnel events from both the frontend and backend. Our healthcare clients commonly use Segment, RudderStack, or Freshpaint as their CDP of choice.

‍

Using a CDP, you can ensure to track information about customers as they go through your funnel on both frontend (website, mobile app) and backend of your application, and then route information to external analytics tools and ad networks. The diagram below show how data would flow in such a tracking stack:

‍

‍

What to Look For in a Customer Data Platform

You understand the benefits of a customer data platform, but how do you choose the most suitable one for your organization? Here are some tips to help you make the right decision:

• Establish a buying committee that consists of representatives from all departments that will regularly use the CDP such as sales, marketing, and customer service/success. A diverse buying committee helps to prevent departmental silos and encourages better collaboration across all team members.
• Establish priorities—in other words, what matters most to you and your team? In most cases, top priorities include data security and compliance, integration with existing tools, and workflow customization features.
• Establish essential features like online and offline data storage, reporting, analytics, and machine learning. Consider which features are must-haves and which are merely nice-to-haves.
• Read reviews—check out reviews from past and current users to see what they like and dislike about a particular platform.

Remember to look beyond the price tag when picking a customer data platform. It’s generally worthwhile to spend a little more to get a tool that works better for your team, protects valuable data, and helps you accomplish your goals.

Utilize Analytics and Ad Network Integrations

It’s also a good idea to pass data to specific analytics tools and ad networks through your customer data platform. That’s why it’s so important to select a platform that integrates with your existing tech stack.

Remember to send both front-end and back-end versions of events to ad networks and send back-end events only to analytics tools outside of anonymized pages.

Establish Business Associate Agreements

Business Associate Agreements (BAAs) are agreements you can make with other companies to ensure you can work with them. These agreements make those companies responsible for handling PHI.

Whenever possible, it’s best to establish BAAs. Still, keep in mind that not all vendors and organizations will sign BAAs.

Here’s a short list of vendors that will sign BAAs with you at the time of writing:

• Segment
• RudderStack
• Freshpaint
• Amplitude
• Snowflake
• BigQuery

Meanwhile, these are vendors that will not sign BAAs with you today:

• Google Analytics / Google Ads
• Meta Ads
• TikTok Ads
• Bing Ads

Most other analytics tools and ad networks also fall under this umbrella.

‍

Edit Your Tracking Protocols

You may also need to make some changes to your tracking protocols—both when it comes to PII and PHI, as well as IP addresses.

PII and PHI

The first change you may need to make has to do with advanced matching.

Ad networks will sometimes use advanced matching, which typically involves consuming PII. Back-end conversion APIs often require PII for better matching, too.

If your organization employs tools that use advanced matching, it’s time to disable. Use anonymous IDs instead to help with network attribution. For example, you could use external_id for Meta’s Conversions API.

You should also make changes when it comes to microdata control. Some analytics tools and ad networks will automatically consume microdata, meaning they may pick up PII or PHI by accident. Turning off automatic tracking helps to prevent this issue.

IP Addresses

At this point, it’s unclear if IP addresses by themselves fall under HIPAA. However, front-end tracking pixels do have access to IP addresses because all requests go through the transmission control protocol from the user’s browser and include the user’s IP address.

Put simply, even if IP addresses aren’t being stored, they’re still being received, which can be problematic. As a result, you run the risk of being in a gray area.

To circumvent this problem, we recommend moving all tracking to the backend as much as possible. Don’t include IP addresses in back-end API calls either.

Events

Named events, such as appointments scheduled, might be considered PHI. The same goes for symptom pages and their metadata.

Obscuring event names can help you avoid accidentally sharing sensitive information. You may also want to consider not sending some or all front-end events, just to be safe.

Metadata on user-authenticated pages might also be considered PHI because front-end pixels automatically track a lot of information. Consider moving tracking to the backend and be strict about metadata sent via APIs.

‍

Potential Tracking Stack Options

Do you need additional support when it comes to updating your tracking and analytics stack? The right tracking stack can make all the difference.

Here are two options to consider (along with pros and cons for each one):

Option 1 (Strict)

Instead of tracking both from backend and frontend of your application, only track customer behavior from the backend:

‍

Pros

With a strict tracking stack like the one diagrammed above, you don’t have to worry about falling under any legal gray areas. You can trust that everything is above board and that you’re abiding by all data security and privacy rules, since you can have absolute control over what gets sent to analytics tools and ad networks. Frontend tracking pixels tend to track metadata that may be considered PII (e.g. IP Address or the URL of pages).

You can still build an internal attribution model can send selective conversion signals to ad networks, which can help with your optimization efforts.

Cons

Even though you still get some traction with ad networks, you will see worse platform attribution (i.e. ad networks being able to attribute purchases to ad impressions) overall when you choose a strict tracking stack.

This tracking stack also comes with more challenging technical implementations. For example, you will have to store click IDs for ad networks. You will also have to correctly pass on page view data from the backend to analytics tools.

You will also have to contend with the limited reach of networks. After all, not all analytics and ad networks can support conversions specific to the backend.

Option 2

Track frontend and backend events until the user authenticates, and then switch to backend only.

‍

Pros

With this alternative tracking stack, you can send richer conversion signals to ad networks (which helps platform attribution). In turn, these clearer signals allow for better optimization.

This stack also comes with a more straightforward technical implementation process, which is good for those who may be less technologically savvy.

Cons

The downside to this approach is that you may find yourself in a potential legal gray area. The more tracking that takes place on the frontend, the more you expose your technical stack to pixels tracking data that may fall under HIPPA protection.

‍

Final Thoughts

Tracking and analytics conversations are prevalent in the healthcare world right now—especially when it comes to DTC healthcare brands. With all these discussions taking place, it’s not surprising that so many organizations are concerned about their data management strategies and want to take extra steps to ensure they handle everything correctly.

The good news is that there are many steps you and your team can take when it comes to managing your data tracking and analytics processes. Follow the best practices shared in this guide to improve your existing protocols, ensure compliance, and avoid potential legal challenges moving forward.

Want to learn more about compliant data tracking & analytics, and how you can use data to make more informed marketing decisions in the future? Our team at Pearmill is here to help.

Contact us today to book an audit or schedule a call for more information.

‍