Disclaimer 

The information provided here is not intended to be and does not constitute legal advice. This is merely our point of view on the recent court ruling. Customers should seek their own legal advice in connection with the topics discussed in this brief.

Background & Key Dates

In December 2022, the Office for Civil Rights (the “OCR”) at the US Department of Health and Human Services (“HHS”) issued a bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (the “Bulletin”), stating that data collected via tracking technologies about how users interact with a covered entity’s websites or mobile applications is PHI.

In late 2023, the American Hospital Association (“AHA”) filed a lawsuit challenging the Bulletin’s broad interpretation of what constitutes PHI.

On March 18, 2024, the OCR revised its guidance without fundamentally changing the interpretation of PHI stated above.

On June 20, 2024, the US District Court for the Northern District of Texas found that HHS had exceeded its authority in the parts of the Bulletin that concern unauthenticated visitors to a covered entity’s digital properties (websites, mobile applications, etc.).

The Patient Data Challenge

HIPAA regulations prohibit HIPAA-covered entities, such as healthcare providers, health insurance providers, and pharmacies, from disclosing PHI to third-party vendors that have not entered into a Business Associate Agreement (BAA), unless the disclosure is otherwise permitted under the Privacy Rule (for example, with a valid patient authorization). Healthcare organizations have therefore had to reevaluate their patient data collection and distribution practices in order to achieve compliance.

This is especially true of digital marketing. Healthcare organizations have historically relied on the third-party web tags of advertising and analytics vendors whose services require PII/PHI for their core functionality but who will not sign a BAA to protect PHI, and so have been forced to change their entire approach to digital marketing.

Without the ability to deploy media and conversion tags (e.g. Facebook Pixel, GA4, Google Floodlight), the flow of data that marketing and analytics programs require has been severed. Healthcare organizations find themselves searching for a best-fit solution that meets the needs of compliance, marketing, and analytics teams without further disruption to existing business processes and programs.

Approaches & Responses to HIPAA Compliance

While certain healthcare organizations have chosen not to act and continue to collect and distribute patient data with their existing approach and infrastructure, others have taken one of the following approaches to avoid the penalties and other repercussions of non-compliance:

  • No Data Collection: Many organizations have simply stopped data collection altogether, removing all web tags and/or deprecating their existing tag management system. 
  • Tactical Approach: Some have implemented tactical solutions that attempt to make their existing data collection practices compliant without replacing their existing, non-BAA-covered technologies (e.g. Google Tag Manager, GA4, Google Ads). 
  • Strategic Approach: The most forward-looking organizations have recognized the need for a privacy-safe first-party data strategy: one that allows them to collect and unify patient data in a HIPAA-compliant server-side environment, enabling the management and governance of data at the event, patient, and audience level. Data can then be orchestrated out of this environment to marketing and analytics technologies on a need-to-know basis, substantially reducing the risk of non-compliance.

Implications of No Data Collection & The Tactical Approach

As healthcare organizations become compliant by securing PHI, the value of certain third-party offerings is lost. This is what the OCR intended, since those offerings depended on data that the guidance treats as PHI:

  • Total deprecation of web and mobile data collection results in the complete loss of targeted digital marketing and its associated analytics. Healthcare organizations are limited to traditional endemic and brand media buying strategies.
  • Without PHI, managed paid media services, such as Google Ads and Facebook Audiences, can no longer optimize segmentation and bidding as accurately as they once did; the scale, accuracy, and ROI of audience targeting are negatively affected.
  • Reporting tools that operate alongside managed paid media services, such as GA4, are similarly rendered inaccurate: they can no longer attribute and reconcile a patient’s journey to conversion on a unique 1:1 basis and therefore cannot accurately calculate media and campaign performance.

While tactical approaches can be implemented quickly, they inherently do not resolve the implications and impact of the OCR’s guidance:

  • They continue to rely on the existing data collection infrastructure and practices and therefore cannot support the shift in data strategy required to restore the efficacy of marketing and analytics.
  • They do not permit migration away from third-party marketing and analytics technologies whose offerings have been rendered ineffectual without the collection of PHI.
  • They do not enable a data architecture that easily supports the adoption of new technologies or that can adapt to future regulatory changes. 

Benefits of the Strategic Approach

  • The HIPAA-compliant server-side container (operated by the covered entity, or by a vendor under a BAA) acts as the single, privacy-safe point of collection at which web data is unified and governed. Because third-party tags are no longer loaded in the patient’s browser or mobile app, no PHI is exposed to third-party vendors at the point of collection, and the container provides the technical safeguards needed to govern compliant distribution of patient data across the tech stack using APIs. The server-side environment thus becomes the center for compliant data orchestration across all third-party technologies.
  • The server-side container also enables the unification of offline data, unlocking a single, compliant view of the patient and new patient experiences. A single, normalized patient data set allows data to be managed and governed at the event, patient, and audience level. Profiles, resolved to the patient’s identity, are portable and agnostic to any one marketing platform. Profiles can be segmented into audiences and activated on any channel, at any time, to deliver a personalized experience, from call centers to web content. Audience creation and optimization are therefore managed in the same environment used for HIPAA-compliant data capture and governance, resolving the segmentation challenges faced by non-BAA-covered media platforms that can no longer receive PII/PHI. Furthermore, patient privacy preferences, collected and stored in the profile, can be applied to the governance and activation of audiences, ensuring that consent is respected. 
  • A single, compliant view of the patient enhances analytics programs. The patient profile also serves as the repository of marketing performance and engagement data, reconciled at the unique patient level. The healthcare organization can therefore measure and benchmark the performance of marketing campaigns and programs across audiences, channels, and platforms without being beholden to the opaque attribution models maintained by each individual media platform. Since the patient profile is portable, the data required for such analysis can be distributed to any HIPAA-compliant business intelligence or analytics application as needed. 
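The governance step described above, in which the server-side environment decides per destination which fields may leave it and whether the patient has consented, can be sketched as an added example. The code below is illustrative and is not Tealium’s code or any product’s API; the event schema, the destination policies, the consent purposes, and the choice of which fields to classify as PHI are all constructed assumptions for the example. In practice, the field classification is a legal determination made with counsel, not something a gateway decides for you.

```python
"""Illustrative server-side event gateway for a first-party collection environment.

Added example, not Tealium's code. The event schema, destination policies
and PHI field list below are constructed assumptions; which fields count as
PHI for a real site is a legal determination, not something this code decides.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Fields this constructed policy treats as PHI or as direct/indirect identifiers.
# They may only leave the container towards BAA-covered systems.
PHI_FIELDS = frozenset({"email", "phone", "mrn", "patient_id", "ip", "page_path", "user_agent"})


@dataclass(frozen=True)
class Destination:
    name: str
    baa_covered: bool               # is there a signed BAA with this vendor?
    allowed_fields: frozenset[str]  # explicit allow-list; anything else is dropped
    consent_purpose: str            # profile consent flag that must be true to send


class PolicyError(ValueError):
    """Raised when a destination policy would disclose PHI outside a BAA."""


def validate_policy(dest: Destination) -> None:
    """Fail closed: a non-BAA destination may never allow-list a PHI field."""
    leak = dest.allowed_fields & PHI_FIELDS
    if not dest.baa_covered and leak:
        raise PolicyError(f"{dest.name}: non-BAA destination allow-lists PHI fields {sorted(leak)}")


def route_event(event: dict[str, Any], consents: dict[str, bool], dest: Destination) -> dict[str, Any] | None:
    """Return the payload to send to `dest`, or None if the patient has not consented.

    All filtering happens server-side: the browser never talks to the vendor,
    and the vendor only ever receives allow-listed, non-PHI fields unless it is
    under a BAA.
    """
    validate_policy(dest)
    if not consents.get(dest.consent_purpose, False):
        return None
    payload = {k: v for k, v in event.items() if k in dest.allowed_fields}
    if not dest.baa_covered and set(payload) & PHI_FIELDS:
        # Cannot happen after validate_policy; kept as defence in depth.
        raise PolicyError(f"{dest.name}: PHI would have been disclosed")
    return payload


def dispatch(event: dict[str, Any], consents: dict[str, bool],
             destinations: tuple[Destination, ...]) -> dict[str, dict[str, Any] | None]:
    """Apply every destination policy to one event; the result doubles as an audit record."""
    return {d.name: route_event(event, consents, d) for d in destinations}


# Constructed sample policy (assumption): a BAA-covered warehouse and a non-BAA ad platform.
DESTINATIONS: tuple[Destination, ...] = (
    Destination("warehouse", True,
                frozenset({"event", "timestamp", "patient_id", "email", "ip", "page_path", "campaign_id"}),
                "analytics"),
    # click_id is the ad platform's own click identifier from the landing URL, not patient-derived.
    Destination("ad_platform", False,
                frozenset({"event", "timestamp", "campaign_id", "click_id"}),
                "marketing"),
)

# Constructed sample event as the first-party collector would hand it to the gateway.
SAMPLE_EVENT: dict[str, Any] = {
    "event": "appointment_booked",
    "timestamp": "2024-07-01T10:15:00Z",
    "patient_id": "p-12345",
    "email": "jane@example.com",
    "ip": "203.0.113.7",
    "page_path": "/conditions/oncology/book",
    "campaign_id": "cmp-42",
    "click_id": "abc123",
}
SAMPLE_CONSENTS = {"analytics": True, "marketing": True}

if __name__ == "__main__":
    for name, payload in dispatch(SAMPLE_EVENT, SAMPLE_CONSENTS, DESTINATIONS).items():
        print(f"{name}: {payload}")
```

The important design choice is that the policy is validated before any event flows: a misconfigured allow-list on a non-BAA destination is rejected at load time rather than discovered in a vendor’s logs. Consent is evaluated per destination purpose, so withdrawing marketing consent silences the ad platform without affecting the BAA-covered warehouse.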

[Figure: The Healthcare Industry’s Patient Data Challenge]

Conclusion

The restrictions on the collection and distribution of PHI imposed by the OCR guidance require healthcare organizations to implement a solution that meets the needs of compliance, marketing, and analytics teams while restoring the key capabilities otherwise lost in third-party technologies. Healthcare organizations must therefore look to a platform and infrastructure that:

  • Maintains compliance throughout the entire data supply chain, from data collection at the source all the way to distribution across the endpoints of activation.
  • Offers the capabilities to secure and manage data at both the event and user level, to segment audiences, to distribute event and user data to third-party technologies (via web tags, APIs, and exports) without compromising compliance, and to easily access event and user data for analysis, reporting, and measurement.

Post Author

Patrick Franco
Patrick is Senior Solutions Consultant at Tealium
