Mastering HIPAA Website Compliance
hipaadigital.com
HIPAA Non-Compliance in Website Analytics is now a Priority for OCR
Alexander Bentley-Sutherland
On March 18th 2024, OCR updated its guidance on the use of tracking technologies.
Many healthcare practitioners overlook a critical aspect of HIPAA compliance: analytics tracking on their websites. And as of 18th March 2024 it's time to get serious about the tracking software and plugins on your site.
Despite the good intentions of healthcare business owners, using analytics tools like Google Analytics, Adobe Analytics, or various plugins on platforms such as Wix, WordPress, or GoDaddy can inadvertently lead to non-compliance if not handled correctly.
It's important not to assume that your current developer or marketing contractors have ensured compliance in this area, especially if they haven't signed a Business Associate Agreement with you.
But my website doesn't collect PHI
Often, we hear claims that "my website does not specifically collect PHI or ePHI", which is always worrying, because it is simply the business owner deciding what is, and what is not, ePHI.
For example
The analytics and server logs relating to a relative searching a website to find visiting times are obviously not ePHI, nor would those of a user searching for a job be.
Yet, by the same definition, it's abundantly clear from HHS guidance that in some cases analytics and server logs will constitute ePHI. For example, a potential patient searching for information on specific medical conditions or treatments on a healthcare provider's website could easily generate ePHI if you know where to look, especially if this user visits the same page multiple times, leaving no doubt about their intentions.
So, unless you're using very sophisticated page analytics segmentation on your website and can tell the intention of a website visitor 100% of the time, you now have a risk that needs to be mitigated.
What does the most popular analytics software have to say?
Let's take a look at what Google Analytics has to say about whether its data constitutes ePHI:
Google won't sign a Business Associate Agreement for the use of Google Analytics.
You must strip all PII/PHI from data before sending it to GA4.
Google uses data within its systems to develop new services, improve existing offerings, and create personalized advertising experiences; if that data included PHI, this would be an impermissible use under HIPAA's Privacy Rule.
Google stores tracked data in data centers located around the world and offers neither on-premise hosting nor bespoke data residency for Google Analytics.
Covered entities therefore cannot control, or account for, where their patient data is stored.
Google Tag Manager's use policy obliges you to respect Google Analytics' terms of service and not share any personally identifiable information (PII) with Google.
The Solution
Make sure that any PHI collected on your site is visible only to authorized personnel. It's important to educate them on the significance of maintaining the confidentiality of PHI and the potential consequences of violating HIPAA regulations.
Consider collecting less analytics data to minimize the risk of PHI exposure. For example:
Don't set PHI like email, device ID or phone number as a user ID or custom dimension. If you need a stable identifier, send a pseudonym instead, and note that a plain hash of an email or phone number can be reversed by a dictionary attack, so use a keyed hash (HMAC) with a secret kept on your server.
Mask visitors' IP addresses to two bytes. This limits the location data to roughly country level and makes the stored IP address incomplete. HIPAA's Safe Harbor de-identification standard lists IP addresses and geographic subdivisions smaller than a state among the identifiers that must be removed.
Limit PHI sent in page URLs. URLs sometimes contain data like the fact of a doctor's visit, the date of the visit, the name of an illness or other PHI that may be visible to unauthorized personnel.
Ensure that patient information is not included in your tracking URLs.
Make use of IP anonymization and ID masking tools, so that user IDs are masked irreversibly and GA and other analytics tools never receive the underlying data.
Remove personally identifiable information (PII) from user-entered data in your form fields before sending it to Google Analytics. This could require a review of your URL structure and data collection forms to remove or obfuscate any fields that may contain PHI.
Adjust your Google Analytics account settings to disable data sharing with other Google services.
Google Analytics has settings that control how long user and event data are stored. Limiting this retention period reduces the amount of data at risk and helps maintain HIPAA compliance.
How HIPAA Digital can help
Switching over the management of your website to HIPAA Digital is easy and remarkably cost effective. We sign a Business Associate Agreement and switch your existing website over to our systems and HIPAA Compliant Hosting.
And with our Analytics add-on at just $39 per month you get the peace of mind that your analytics are compliant, including:
ePHI Configuration of Analytics
First Party Data Protocols
Access Controls
Visitors’ IP Address Security
Server Log Compliance
IP anonymization and ID masking
Disabled data sharing
Regular Privacy and Security audits
Safe Tag Management System
Pixel Cleansing & Management
Alternatively
Consider what you actually use your analytics for. If it's simply to see how many visitors you get and from what locations, ask yourself how many times you've used this to make actionable business decisions. If the answer is never, do you really need analytics, given the hassle that's about to come with it?
With that said, you'll still need to pay attention to the server-side and plugin visitor logs that are enabled by default.
Key Takeaways
Assuming that a website doesn't collect PHI will lead to a false sense of security.
The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) are the ultimate authorities when it comes to determining HIPAA compliance. Their interpretations and enforcement actions are what truly matter, not a business owner's opinion or assessment of what constitutes PHI.
This is now an enforcement priority for OCR, and the best time to look at it is now. Healthcare practitioners need to understand what information is being collected by analytics software and plugins, whether it is covered by HIPAA, and then act on that analysis.