Marketing in a HIPAA World: Commonly Asked Questions and Answers

Marketers have, historically, never had to pay too much attention to HIPAA compliance. But with the latest HIPAA guidance and the joint FTC-HHS warning, HIPAA compliance has become a very real concern for marketers. With that concern comes a lot of questions.

That's why we've pulled together the most commonly asked questions that we've heard. Then, we asked our legal and technology partners to help us provide answers.

Read on to get all the answers.‍

Google Analytics and Data Handling

Google claims that GA4 does not store IP addresses but nothing in the HHS guidance talks about storage. The issue they call out is about sharing PHI in the first place. 

If you’re using GA4 with the native tracking technology, you’re still sharing IP addresses with Google. 

We also know that Google uses IP addresses to determine granular location information about visitors to your healthcare website. HHS also refers to narrow zip codes as personal identifiers, so even if they don’t store the IP address, they are likely storing other identifiers.

A quick note on IP addresses: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.

This is where a privacy platform like Freshpaint comes in. We sign a BAA with our healthcare partners so we can safely collect things like location information and device type. We can then safely send those things to Google Analytics without sending anything considered a HIPAA identifier.

For example, we can send state-level data to Google Analytics, but nothing more narrow than that because that could be a privacy issue. Freshpaint could also send device type but not a device identifier.

Google uses IP addresses to understand the location of your website visitors. The IP address alone is considered an identifier by HIPAA. If your healthcare website also contains condition-specific pages, find a doctor pages, or pages where people can schedule appointments for services, those pages combined with IP addresses are enough to violate HIPAA.

A quick note on IP addresses: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.

Read more about PHI here: What Is PHI? Ending The Confusion

Freshpaint creates a unique anonymous ID that gets shared with Google Analytics to stitch together unique sessions from an individual visitor into a complete customer journey. That ID cannot be reversed to obtain the actual identity of the user. Anonymous ID only shares page views, button clicks, conversions, and anonymous behavior that you currently report on in Google Analytics today.

Yes. Client ID should not be used in Google Analytics. It is no longer safe because Google could identify the actual visitor to your healthcare website with Client ID. Instead, Freshpaint’s anonymous ID allows Google Analytics to link the individual sessions of the visitor without ever revealing their identity. 

Yes, that's the value of the anonymous ID. It allows Google Analytics to stitch together those individual sessions from the same visitor into one complete journey without revealing their identity.

No.

GA4 is still collecting personally identifiable information. It doesn’t matter if they’re not storing it or anonymizing it; they’re still collecting it. That’s the problem. 

No, it isn’t enough. Google is still collecting the IP address. That’s the problem. What it does after the point of collection doesn’t matter.  Additionally, we know that Google is using IP addresses to derive additional information like the visitor's location, which could result in an additional HIPAA identifier. 

A quick note on IP addresses: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.

Advertising and Tracking

We don’t think that data will be the blocker in continuing to use digital channels effectively. In a recent webinar, the legal experts at Faegre Drinker pointed out that HHS left an opening for healthcare marketers to balance promotion with privacy, and innovators like Freshpaint have already stepped in to help. 

These changes (and those to come) mean marketers must form strong partnerships with their legal and compliance colleagues and find full-service technology solutions that help them manage data flow across their entire marketing stack.

About those channels becoming more expensive - that’s a more complex question. Yes, the per-click or per-lead cost continues to increase as more money is spent on a finite number of consumers in digital advertising. But those are still the primary channels for us to reach healthcare consumers. 

It’s less a question of rising prices by itself and more a question of unit economics. As long as your customer acquisition cost (CAC) to Lifetime Value (LTV) ratio gets a thumbs up from the CFO, we see digital advertising as a powerful lever. 

And there are ways that you can influence your cost per lead and CAC. Focusing on understanding your consumers and using that to influence ad copy and creative as well as post-click experience can have outsized impacts on things like conversion rates. We have a long way to go before we walk away from digital advertising.

Google and Facebook earn more than $250B a year in digital advertising thanks to highly targeted ad platforms that rely heavily on consumer data to remain effective. We don't see any of these advertisers rushing to signal to the market that they would be willing to restrict the collection of that data in the future because it could put their advertising models and revenue at risk.

And even though healthcare spends heavily on digital advertising, it's still only 2.5% of all digital advertising spend. So even if healthcare spends less on digital advertising, Google and Facebook will still have massive revenue outcomes from the rest of the market.

By default, YouTube collects location and personal information about the users that watch videos posted on its platform – that goes for both organic videos and the ads that play before, during, and after videos. 

But the platform itself is not the issue. If users watch videos on YouTube containing health information, there’s no violation because YouTube is not a covered entity.

The potential HIPAA violation arises when you embed a YouTube video containing health information onto your website. Those embedded videos share IP information from your website visitors back to YouTube.

The tracking technology that powers conversion tracking in Google Ads is the problem. When you load that tracker on your website today, it can collect health information and identifiers. Both combined equals PHI. 

Running ads on Google Ads is okay, but you’ll need to remove the native tracker and use a tracker that makes it easy to govern the data shared with Google Ads. That’s where Freshpaint can help.

Read more here: Why Shutting Down Advertising Tracking Technologies is Impacting Your Marketing Team

Not necessarily. The Click ID is an identifier that originates from the ad platform, and as you know, ad platforms are not regulated by HIPAA.

The HIPAA violation arises when that ad click results in a visit to your website where the native tracking technology is running. That tracking technology now can collect a lot of health information and additional identifiers about that visitor and share them back with the ad platform. 

The ad click ID is an identifier. It has enough information to A) handle attribution and B) identify the user who clicked on the ad. 

In the case of ad platforms, we know that if we want to run any smart bidding options, like Maximize Conversions or Target CPA, we’ll need to pass an identifier to the ad platform. When using Freshpaint, legal and compliance teams agree it’s safe to send the click ID for two reasons:

1. That click ID originated in the ad platform, which HIPAA does not regulate, so nothing new is being introduced
2. No health information, and therefore no PHI, is shared back to the ad platform from the healthcare provider. 

Programmatic ad tools often operate in a similar manner to direct response ad platforms like Google Ads and Facebook – they serve an ad and tracking technology helps the platform understand performance. 

As we’ve said before, HIPAA violations on ad tech require two pieces of information to be shared to be considered PHI: a personal identifier and health information. You should assume that the click ID from that ad platform is the identifier, so you'll be at risk if you’re running those trackers on any pages containing health information.

No, Google Call ads aren't at risk of violating HIPAA because all of the action takes place on Google. There's no information shared from your website to Google. 

That’s true. The text of the ad does not directly cause a violation. Running the ad on a platform that is not covered by HIPAA is okay to do with direct response advertising like Google Search Ads and Facebook Newsfeed Ads. 

If you’re a covered entity, the issue is about what information you share back to those ad platforms after they click on the ad and visit your healthcare website. It’s almost certain that those ad platform tracking technologies are collecting a lot of information that would be considered PHI.

You could, technically, go in this direction, but the benefit of using pixels and tracking technology is improved ROI. Tracking technology helps ad platforms determine how to optimize your ad spend to increase your ROI.

Content Management and Website Tools

It's a good question, and there isn't a blanket answer. For WordPress and your hosting provider, you may need a BAA if you are collecting/storing data from form fills, patient bookings, etc., that contains both personally identifiable data and health information together. 

If you're self-hosting on your server, the answer might be different. It would be a good question to bring up with your compliance team to review your setup.

Google Tag Manager itself is not a problem from a HIPAA-compliance standpoint. Tag Manager makes it easy to create events and send information to tools like Google Analytics, Google Ads, and Facebook Ads.

The problem is when you use Google Tag Manager to send data directly to tools where you don’t have a BAA. This is where a privacy platform like Freshpaint comes in. You can configure Google Tag Manager to send data to Freshpaint. Freshpaint applies data governance rules before sending data to tools where a BAA doesn’t exist. 

Yes, but remember not to use health information in your UTM codes. For example, this UTM code could violate HIPAA because the campaign name and search term contain health information: 

https://www.freshhealth.co/?utm_source=google+ads&utm_medium=search&utm_campaign=type+2+diabetes&utm_id=15212&utm_term=diabetes+test

The problematic strings in that URL are:

1. utm_campaign=type+2+diabetes
2. utm_term=diabetes+test

Those are problematic because they contain specific health information. To fix that, you would want to avoid using health information in your UTM codes. 

Check with your legal team on this, but we don’t see simply hosting Youtube videos on the Youtube platform as an issue with HIPAA. That’s because HIPAA does not regulate the YouTube platform. Just be careful of embedding those YouTube-hosted videos on your healthcare website.

HIPAA Compliance and Regulations

Once you remove unsafe trackers, you are safe from that point forward. 

However, if those trackers have been running on your healthcare website for some time, it’s likely that PHI has been shared with the ad platforms. That’s a good conversation to have with your legal team. 

In short, no. Getting consent to collect data through a consent manager doesn’t work for HIPAA. It’s required under other data privacy laws, but HIPAA is more strict and would require you to get explicit permission to share PHI with advertising and analytics tools.

Using one to comply with GDPR, CCPA, and other data privacy laws may be a good idea, but it won’t protect you against HIPAA violations.

Yes. The anonymous ID hides the identity of the visitor but still allows source information to pass through. You'll get all the reporting you're used to today in Google Analytics and your downstream tools without the risk of sharing PHI.

Good question. We also just recorded a webinar with the legal experts from Faegre Drinker on this topic. Watch it here: Legal Perspective: Balancing Digital Promotion and Privacy for Healthcare

Or read our blog post on the joint FTC-HHS warning: A Look at the FTC-HHS Privacy Warning and What It Means For Your Healthcare Org

And you will definitely want to read up on our Privacy-First Framework to help you find non-compliant trackers on your website: A Privacy-First Framework for HIPAA Compliance: Managing Third-Party Tracking on Healthcare Websites