Overview
In the highly regulated world of healthcare, organizations must adhere to Office for Civil Rights (OCR) guidelines outlined in the HIPAA Privacy and Security Rules, making secure, controlled data management not optional, but mission-critical. However, browser environments are not inherently HIPAA-compliant. As a result, it falls to your internal teams to define how data should be collected, processed, and shared to ensure compliance. That includes ensuring no PII or PHI is passed to downstream platforms that are not HIPAA compliant because they will not sign a Business Associate Agreement (BAA).
Tealium frequently supports healthcare organizations navigating this exact challenge. Many discover that data is being collected in a non-HIPAA-compliant manner, such as sending raw search terms, which may qualify as PHI, to analytics tools that won’t sign a BAA. For example, if a user visits your site and searches for “cancer centers,” the search term itself could be considered PHI. While most analytics platforms want to log both the search event and the search term, they can’t legally store that type of data without a BAA.
That’s where Tealium steps in. Tealium can identify search events and inspect explicitly declared data layer variables, like search_term, to generate a hashed version of the data. This hashed value can be passed downstream to non-HIPAA-compliant analytics tools so that trend analysis can still occur. From a compliance perspective, this is a win: the analytics vendor only receives the hash. From a marketer’s perspective, however, the hash itself isn’t human-readable or actionable.
To meet this need, Tealium can also send the full data layer payload, including both the original and hashed values, to your first-party data warehouse. Because your organization owns and secures this environment, storing PHI here aligns with HIPAA compliance. From there, you can build a lookup table that maps hashed values to their original terms. This lookup can be referenced alongside reports from your non-HIPAA-compliant analytics platform, enabling your team to interpret trends without exposing raw PHI to vendors.
Tealium Products required to support this use case:
- For Data Processing
- For Data Storage, either
  - EventStream to stream to your data lake/warehouse, or
  - EventStore to temporarily store the data on your behalf
Steps to Deploy
- Data Processing
  - Define your Data Layer attribute that contains the search term, e.g. search_term
  - Create a new Data Layer attribute that will hold your new hashed search term, e.g. search_term_hashed
  - Create a ‘Set Data Values’ Extension that sets the value of search_term_hashed to match search_term prior to hashing
  - Create a new Crypto Extension that applies the SHA256 hashing algorithm to search_term_hashed
  - Map the search_term_hashed variable to your analytics vendor, e.g. to s.prop42
- Data Storage
  - Within EventStream, create a new Event Feed with a condition that search_term_hashed is assigned
  - Stream to your data lake/warehouse
    - Configure a new Big Data Connector to pass the data to your data lake/warehouse
  - Temporarily store within Tealium
    - Within the Event Feed window, slide the “Event Data Storage” slider to “EventStore”
Example 3rd-Party Analytics Report (Using Hashed Search Terms)

| search_term_hashed | search_count |
| --- | --- |
| 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f | 6 |
| 20922be582691ee25328eedd42d2d3678a125c260d32064d909a0c353de88df9 | 3 |
| c851687980a4219de7f1473d79b58f3a0d7132ccfcf47abdac45e22addf3f8f2 | 1 |

Sample Company Table of Stored Search Terms

| search_term | search_term_hashed | event_id | event_timestamp |
| --- | --- | --- | --- |
| mental health | 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f | 976829a7-aede-4691-9298-10ce3b0e4508 | 5/7/25 10:19 |
| mental health | 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f | 55ff1a57-d5a3-4049-82ae-7cdc70f2057e | 5/7/25 14:51 |
| cancer centers | c851687980a4219de7f1473d79b58f3a0d7132ccfcf47abdac45e22addf3f8f2 | fb0de3e7-818f-4909-b9a6-af2636b2281d | 5/7/25 10:10 |
| cancer screening | 20922be582691ee25328eedd42d2d3678a125c260d32064d909a0c353de88df9 | 4f042c93-5771-458d-b909-e14180e17b2b | 5/7/25 13:59 |
| mental health | 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f | eed1a971-1f3d-4ad8-90c4-f7e943cbd38d | 5/7/25 15:22 |
| mental health | 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f | 3cfbb1fe-6575-456c-95d2-a27f1d84d505 | 5/7/25 15:41 |
| cancer screening | 20922be582691ee25328eedd42d2d3678a125c260d32064d909a0c353de88df9 | bdf88281-a62d-4926-800d-a383cde3e1e0 | 5/7/25 13:20 |
| mental health | 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f | b0513d36-de27-47cd-91bf-0a934ff24e65 | 5/7/25 6:40 |
| cancer centers | c851687980a4219de7f1473d79b58f3a0d7132ccfcf47abdac45e22addf3f8f2 | 33edfc6a-9227-4760-a12d-fc45409a961a | 5/7/25 16:37 |
| mental health | 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f | b065398e-23ff-466e-984c-883eb4064652 | 5/7/25 12:37 |

Query to pull distinct search_term values and their associated hashed values

SELECT DISTINCT search_term, search_term_hashed FROM search_events;

| search_term | search_term_hashed |
| --- | --- |
| mental health | 52cfaeabb3806a9223f5c74365e58943bfd348d9ca74815fc05d15e3fbfb346f |
| cancer centers | c851687980a4219de7f1473d79b58f3a0d7132ccfcf47abdac45e22addf3f8f2 |
| cancer screening | 20922be582691ee25328eedd42d2d3678a125c260d32064d909a0c353de88df9 |

You now have both the unique data parameters in your own data set and the aggregated trends in your analytics tool. This makes it easy to cross-reference and understand user behavior.
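The deployment steps and the lookup described above, run end to end as an added example (not Tealium's code or configuration): plain Node.js functions stand in for the 'Set Data Values' extension, the Crypto Extension and the vendor mapping. The `prop42` key, the function names and the sample events are assumptions constructed for illustration.

```javascript
// Added illustration, not Tealium code: Node.js stand-ins for the extensions.
const { createHash } = require('node:crypto');

const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Data Processing: copy search_term into search_term_hashed, then hash the copy.
// Assumption: no trimming or case-folding is applied before hashing.
function processEvent(dataLayer) {
  const event = { ...dataLayer };
  if (typeof event.search_term === 'string' && event.search_term !== '') {
    event.search_term_hashed = sha256Hex(event.search_term);
  }
  return event;
}

// Vendor mapping: only search_term_hashed is mapped (to prop42, as on the page).
function toVendorPayload(event) {
  return event.search_term_hashed ? { prop42: event.search_term_hashed } : {};
}

// Release check: true if any vendor field still contains the raw term.
function leaksRawTerm(event, payload) {
  if (!event.search_term) return false;
  return Object.values(payload).some((v) => String(v).includes(event.search_term));
}

// What the vendor can report: counts per hash, nothing readable.
function vendorReport(payloads) {
  const counts = new Map();
  for (const p of payloads) {
    if (p.prop42) counts.set(p.prop42, (counts.get(p.prop42) || 0) + 1);
  }
  return [...counts].map(([search_term_hashed, search_count]) => ({ search_term_hashed, search_count }));
}

// First-party lookup (the SELECT DISTINCT above) joined onto the vendor report.
function decodeReport(report, storedEvents) {
  const lookup = new Map(storedEvents.map((e) => [e.search_term_hashed, e.search_term]));
  return report.map((r) => ({
    search_term: lookup.get(r.search_term_hashed) ?? null, // null = hash never stored
    search_count: r.search_count,
  }));
}

// Constructed sample input: search terms borrowed from the sample table.
const stored = ['mental health', 'cancer centers', 'mental health', 'cancer screening']
  .map((search_term) => processEvent({ search_term }));
const report = vendorReport(stored.map(toVendorPayload));
console.log(decodeReport(report, stored));
```

The lookup works only because the hash is unkeyed and deterministic; the same property means any party that hashes a candidate phrase can recognise it in the report, so short, guessable search terms get limited protection from hashing alone.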
By decoupling sensitive data from your analytics workflows, you can maintain marketing agility without compromising on compliance. Tealium provides the tools and expertise to ensure both objectives are met securely, effectively, and in alignment with HIPAA requirements.
Want help implementing this securely in your environment? Reach out to your Tealium representative or visit Tealium for Healthcare.