Much like the GDPR, the CCPA, or any other data privacy regulation, healthcare organizations in the United States are subjected to protecting consumer health information under the Health Insurance Portability and Accountability Act (HIPAA).
Yet, after almost twenty years of the establishment of this data privacy regulation, the healthcare industry continues to seek solutions as technology continues to advance at a rapid pace, especially considering the proliferation of digital health data, trends in data use, and the increased use of telehealth applications due to the COVID-19 pandemic were not covered nor considered by the existing legal framework.
In that sense, while HIPPA’s goal is to properly protect individuals' health information whilst allowing the flow of health information needed to provide and promote high-quality healthcare, the impact of HIPAA on digital analytics is significant, as there are significant risks that healthcare organizations can face if they fail to comply with this privacy rule.
That is why, in this article, we are going to explore how this shift has to reflect this new reality, the constraints organizations within the healthcare sector face to leverage their digital analytics while staying HIPAA-compliant, and how this new landscape has impacted digital analytics in this field.
The Impact of HIPPA Non-Compliance
The challenges and risks faced by those healthcare organizations that fail to keep up with HIPAA compliance regulations are numerous, going from substantial fines –that will be issued even if the violation was inadvertent or unintentional– to civil action lawsuits, or even criminal charges.
Yet, if you’re a US healthcare organization, you must know there are compliant ways to both respect HIPAA regulations and protect your customers’ privacy while providing you with the necessary data insights to leverage your digital analytics. But first, let’s dive into what information is protected under the HIPAA privacy rule to know the extent this new landscape has impacted digital analytics in the healthcare sector.
What Information is Protected under the HIPAA Privacy Rule
The HIPAA Privacy Rule creates a framework that, while ensuring the protection of sensitive patient information and protecting the privacy of people who seek care and healing, also sets the stage for responsible and ethical digital analytics practices in the healthcare sector.
Personal Identifiable Information (PII) is any set of data that can be used to identify a specific individual. PII can be as simple as a username, or a date of birth, or as sensitive as a full name, an address, a social security number, or any type of financial data (billing address, credit card information, CVV, etc.).
Yet, HIPAA goes beyond these identifiers by adding an additional level of seriousness and data protection obligations. Here is precisely where Protected Health Information (PHI) identifiers come into play to protect all "individually identifiable health information", held or transmitted by a covered entity or its business associate, in any form or media, whether it is electronic, paper, or oral.
In this regard, Protected Health Information (PHI) also aims to protect:
- any individual's past, present, or future regarding any physical or mental health/condition
- any individual’s provision of health care
- any individual’s past, present, or future payment for the provision of health care
HIPPA Constraints for Leveraging Healthcare Analytics
Considering what information is protected under the HIPAA privacy rule, there is no doubt that staying HIPAA compliant comes with some obligations for healthcare organizations that want to leverage their digital analytics. Let’s uncover them:
Data Privacy and Protection
The HIPAA Privacy Rule mandates the safeguarding of patients' Protected Health Information (PHI). In digital analytics, this implies that healthcare organizations must ensure that the data being analyzed is stored, processed, and transmitted securely to prevent unauthorized access or breaches.
De-identification of Data
To comply with the HIPAA Privacy Rule, healthcare organizations often need to de-identify data before it can be used for analytics. De-identification removes personally identifiable information, which can limit the richness of the data but is necessary to protect patient privacy. De-identified health information should never identify nor provide a reasonable basis to identify an individual, and it is precisely through this process of de-identification, that the identifiers we’ve explored before are removed from the data set to mitigate any data privacy risk.
Consent and Authorization
Obtaining patient consent and authorization is a crucial aspect of HIPAA compliance. Before using or disclosing PHI for analytics purposes, healthcare entities usually need to obtain the individual's written authorization, unless the use or disclosure falls under an exception to the rule.
HIPAA encourages data minimization, which means using or disclosing only the minimum necessary information to accomplish the intended purpose. While this principle can affect the scope and depth of digital analytics in healthcare, it is key to safeguarding patients' Protected Health Information (PHI) from unauthorized access or breaches.
Auditing and Monitoring
The HIPAA Privacy Rule needs regular audits and monitoring of how PHI is being accessed, used, and disclosed. This can add an additional layer of complexity to digital analytics projects, as organizations need to ensure they are in continuous compliance.
To help you with that, you can use Trackingplan to automatically audit your healthcare analytics. Trackingplan provides you with an always-updated single source of truth with the real picture of your digital analytics to ensure all your data is accurately collected, responsibly managed, and integrated efficiently across teams and platforms.
Healthcare organizations often work with third-party vendors for digital analytics. The HIPAA Privacy Rule requires that these vendors, or business associates, comply with the same privacy and security standards, which can affect vendor selection, contract negotiations, and the overall management of vendor relationships.
Training and Education
Ensuring that all staff involved in digital analytics are adequately trained on HIPAA compliance is essential. This training can help reduce the risk of privacy breaches and ensure that analytics projects are conducted in a compliant manner.
Adhering to the HIPAA Privacy Rule can also help in building and maintaining public trust. When patients know that their information is being handled securely and with respect to their privacy, they are more likely to engage with healthcare providers.
Removing PHI for HIPAA Compliance
As of today, using either Google Analytics 360 or Adobe Analytics won’t save you from ensuring HIPPA compliance unless you make radical adjustments in its implementation to avoid sending in Protected Health Information (PHI).
Indeed, Google clearly states in its documentation that it “makes no representations that Google Analytics satisfies HIPAA compliance requirements” but, at the same time, that “you may not use Google Analytics for any purpose or in any manner involving Protected Health Information.”
What’s more, as data grows more complex, and considering that organizations nowadays rely on several external services to do analytics, product development, marketing automation, or sales (Google Analytics, Amplitude, Hubspot, Adjust, Intercom, Salesforce, Pipedrive, Braze, etc.), checking that you are not sending any PHI-sensitive data to all these third-party integrations can be overwhelming.
To help you with that, Trackingplan automatically connects and documents everything that flows between your sites and apps to third-party integrations (e.g.: Google Analytics, Segment, Mixpanel, etc.). This provides a roadmap with powerful cross-service insights to effectively ensure only HIPAA-compliant data is accurately collected, responsibly managed, and integrated efficiently across teams and platforms.
But that’s not all. Apart from automatically discovering your data integrations to easily see what data you are actually collecting and the schemas beneath this process, Trackingplan’s Privacy Report goes beyond by allowing you to control the flow of data in a compliant way.
Trackingplan’s Privacy Report
Trackingplan’s Privacy Report allows you to see at a glance which private data your site is collecting from your users and forwarding to third parties.
Personal data – like user emails, IP addresses, SSNs, credit cards, and so on – will be automatically spotted and labeled here in order to detect any possible privacy issue or security-sensitive data that should not have been collected or forwarded to your analytics services.
In this example from one of our demos, you can see that customers’ billing card details have been collected by Google Analytics in a total of 11 events. To know in which specific events this sensitive information has been collected to spot any possible privacy breach, you can click on the event counter directly.
Trackingplan is a fully automated monitoring tool that finds problems in your analytics, marketing, attribution pixels, and campaigns and tells you how to fix them. This way, you can ensure the quality of your data and rely on it to guide your business.