The Dramatic Recent Events Regarding User Tracking on Public Healthcare Websites
In December 2022, the US Department of Health and Human Services (HHS) updated its guidance around tracking technologies on healthcare websites regarding potential violations to federal privacy rules related to HIPAA.
This led the American Hospital Association (AHA) to file a federal lawsuit over the guidance’s interpretation that a visitor’s IP address combined with a visit to a public web page constitutes “PHI” (Protected Health Information). The AHA disagreed with the premise that a visit to a page containing health information signals an “intent” related to that person’s own health.
In June 2024, a US District Judge agreed that this was overstepping. Based on this ruling, HHS updated its guidance page with a preamble about this exception. The Office for Civil Rights decided not to appeal in August 2024.
Before we try to interpret what all this means, let’s recap how HIPAA applies to websites.
What is HIPAA and how does it impact healthcare websites?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect sensitive patient data and health information. HIPAA imposes strict rules (and non-compliance penalties) regarding the management and sharing of protected health information (PHI). This includes any identifiable information about an individual's health status, provision of healthcare, or payment for healthcare.
HIPAA applies to healthcare organizations and their vendors that handle PHI. These vendors must sign a "BAA" (Business Associate Agreement) to protect PHI per the HIPAA Rules.
Implications for the “Public” Portion of Healthcare Websites
A healthcare website is usually composed of several different applications that are juxtaposed and designed to look like one seamless experience. For the purposes of this article, I will focus on the “public” website: the portion visitors can explore without needing to log in. This excludes EHR applications, patient portals, appointment management software, payment gateways, and telehealth platforms.
When building the public portion of a healthcare website, several factors beyond the page’s content must be considered to ensure HIPAA compliance:
- Data Encryption: Websites must use TLS (the successor to SSL, delivered as HTTPS) to protect information transmitted over the Internet, so that data exchanged between visitors and the server cannot be read or altered in transit.
- Secure Hosting: Using a HIPAA-compliant hosting provider is critical. Most reputable providers are now HIPAA compliant, including Acquia for Drupal websites, Sitecore (which announced its HIPAA readiness on Oct 17, 2024), and Adobe Experience Manager. When selecting a hosting provider, verify that compliance (and that the provider will sign a BAA) to protect stored data and maintain security.
- Data Handling and Minimal Collection: Only collect the PHI that is necessary for providing services. Data that is not needed should be neither collected nor stored, which minimizes exposure and compliance risk. Common types of data to manage include basic identity information (e.g., name, date of birth), medical records, and financial information related to healthcare services.
It’s obvious that private, logged-in pages contain Protected Health Information. What stresses healthcare organizations is the shifting definition of PHI on public web pages. Recent guidelines and legal rulings provide differing views on what data is PHI.
One of the main grey zones regarding PHI revolves around tracking visitor behavior on public website pages.
The issue with Google Analytics
The vast majority of websites use Google Analytics to track visitor interactions.
HHS identified that collecting the IP addresses of people visiting health-related content could put an organization at risk of non-compliance with HIPAA (e.g., visiting a cancer-related page could imply that the visitor is seeking treatment for cancer). That reasoning relies heavily on an interpretation of why the visitor viewed the page, which is precisely what the AHA lawsuit considered overreaching.
If “health-related content + IP address tracking = PHI”, this would require Google to sign a BAA with healthcare organizations. However, Google did not and does not intend to sign a BAA to comply with HIPAA (the case is similar for the Facebook Pixel). The Google Analytics help page about the subject says:
“Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages.”
Fearing non-compliance and potential lawsuits, several healthcare organizations removed Google Analytics from their websites entirely.
Any digital marketer understands how drastic such a step is: Google Analytics is often foundational to data-driven marketing decisions, and losing the data from interactions with your website is akin to going blind.
How to get around this problem?
HHS mentions the following workaround in its guidance:
“If the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with another vendor, for example a Customer Data Platform (CDP) vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.”
Two CDP companies that have positioned themselves astutely in this “loophole” for healthcare are Freshpaint and Tealium. Operating under a BAA, they record visits to your website within their own HIPAA-compliant systems, “sanitize” the data (remove personally identifiable data such as IP addresses), and then forward only the de-identified data to your analytics tools. In a nutshell, they place a de-identification layer in front of your current analytics tools so you can continue getting the insights you need to improve the patient experience.
Both organizations provide a lot of insight on how this works on their websites and I read through their blogs and resource centers while preparing this article.
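As an added illustration of the de-identification step described above (example code, not from Freshpaint, Tealium, or the original article), the function below takes a page-view event as a BAA-covered CDP might record it and returns what may be forwarded to a vendor without a BAA. It goes beyond the IP address: query strings, referrers and exact timestamps are also coarsened, and a final gate refuses to forward anything that still looks identifying. Field names, the constructed sample event and the timestamp policy are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Event fields that directly identify the visitor (assumed field names). They may
# live in the BAA-covered store but must never reach a vendor without a BAA.
DIRECT_IDENTIFIERS = {"ip", "client_ip", "x_forwarded_for", "user_agent", "email"}

# IPv4 literal embedded anywhere in a string value; IPv6 is checked on whole values.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample event (documentation IP range, not real traffic).
SAMPLE_EVENT = {
    "session_id": "a3f9c1e2",  # random id assigned by the CDP, NOT derived from the IP
    "ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (constructed)",
    "url": "https://hospital.example/oncology/chemotherapy?email=jane@example.com",
    "referrer": "https://search.example/?q=cancer+treatment+near+me",
    "timestamp": "2024-11-05T14:37:52Z",
}

def strip_url(url: str) -> str:
    """Keep scheme, host and path only: query strings and fragments on healthcare
    sites often carry names, e-mail addresses or record numbers."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def deidentify_event(event: dict) -> dict:
    """Return a copy of the event that is safe to forward. The IP is dropped, not
    hashed: a code derived from an identifier is still linked to that identifier."""
    clean = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    for key in ("url", "referrer"):
        if key in clean:
            clean[key] = strip_url(clean[key])
    # Coarsen an ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' timestamp to the hour (assumed policy).
    if "timestamp" in clean:
        clean["timestamp"] = clean["timestamp"][:13] + ":00:00Z"
    return clean

def _looks_like_ip(value: str) -> bool:
    if IPV4.search(value):
        return True
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False

def has_identifiers(event: dict) -> bool:
    """Final gate before forwarding: any identifier field or IP-looking value fails."""
    if DIRECT_IDENTIFIERS.intersection(event):
        return True
    return any(isinstance(v, str) and _looks_like_ip(v) for v in event.values())
```

Run `has_identifiers` on every event immediately before it leaves the covered boundary, and treat a `True` result as a bug to alert on rather than data to drop silently.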
Conclusion
Since the HHS decided not to appeal the ruling regarding the AHA’s lawsuit, the AHA declared:
“Now that the Bulletin’s illegal rule has been vacated once and for all, hospitals can safely share reliable, accurate health care information with the communities they serve without the fear of federal civil and criminal penalties.”
This seems to allow healthcare organizations to use analytics tools on their public web pages for the time being. However, many prefer to be cautious and are wary of reimplementing Google Analytics directly. Fortunately, tools like Freshpaint and Tealium can provide the abstraction layer that allows healthcare marketers to gain insight from their website visits without potentially violating HIPAA.
For more insights on HIPAA compliance and how to implement it effectively, contact the Symetris team for expert guidance and support (as well as your legal counsel).