HHS Approves Tools Like Freshpaint In Latest Guidance Update
A quick note before you read: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. As an example, the combination of ad click IDs and conversion events shared with advertising platforms like Google Ads and Facebook are still considered protected health information by HHS. Since HHS is currently evaluating its next steps and privacy remains an evolving challenge, healthcare marketers should continue to consult their legal and compliance counterparts for recommendations on how to respond. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.
The last time HHS updated its guidance surrounding the use of online tracking technologies, it sent shockwaves through the healthcare marketing industry. You probably remember it vividly. It was December 2022, and healthcare marketers across the US had to shut off online tracking tools like Google Analytics.
They were flying blind overnight because the guidance was clear: regulated entities could no longer use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors.
But despite that clarity, HHS did not provide a path forward. Healthcare marketers were left scrambling.
Eventually, marketers figured out a few paths forward from that guidance. Some stayed in the dark, letting customer acquisition costs and cost-per-lead metrics skyrocket without any visibility. Others turned to healthcare-specific Customer Data Platforms, like Freshpaint, to restore their marketing stacks in a HIPAA-compliant manner. Another group spent tons of time and money building their own solutions from the ground up.
We finally have some good news: On March 18th, 2024, HHS updated its guidance to call out Customer Data Platforms like Freshpaint as viable alternatives to web tracking technologies that don’t support Business Associate Agreements (BAAs).
That updated guidance answers several crucial questions raised by the earlier advice.
What’s in the updated guidance?
This most recent guidance contains five significant updates. Each update closely tracks a commonly asked question that we’ve heard hundreds of times from healthcare organizations we’ve talked to since the original guidance was released.
Clarification 1: Unauthenticated pages can risk HIPAA compliance
When HHS released its original guidance, it seemingly targeted unauthenticated webpages, but the message remained unclear.
Now it is clear. In its updated guidance, HHS states, “Tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors.”
HHS then gives some examples.
If a student visits a healthcare website for research purposes, tracking their behavior isn’t PHI. But, if “an individual were looking at a hospital’s webpage listing its oncology services…the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI.”
The problem for healthcare marketers is that there’s no simple way to distinguish between the student and the individual researching oncology.
The best approach is to play it safe and assume anyone visiting healthcare-specific pages is looking for health services. This means you shouldn’t use any online tracking technologies on those pages without a BAA.
Clarification 2: Consent managers do not replace written HIPAA authorization
The previous guidance made it clear that healthcare marketers couldn't use website trackers without getting direct permission from the people visiting their websites. Because of this, the idea of using consent managers – tools already in use for getting permissions under GDPR (General Data Protection Regulation) – seemed like a natural next step for HIPAA compliance.
Healthcare organizations thought that since consent managers ask website visitors for their permission to be tracked, this method would also be acceptable for obtaining HIPAA authorization.
But, HHS has clarified that consent managers do not work for HIPAA authorization. Here’s the quote from the updated guidance: “Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.”
Clarification 3: IP addresses are not PHI by themselves on unauthenticated web pages
Ever since that original guidance, IP addresses have been a hot topic. Some healthcare organizations view them as PHI, without any additional health information.
HHS’s updated guidance has made it clear: IP addresses are not PHI alone. Here’s the passage: “For example, where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve a disclosure of an individual’s PHI to tracking technology vendor.”
The takeaway is that using a web tracker that collects IP addresses on an unauthenticated web page without any health information is not a HIPAA violation.
The challenge is it’s difficult to be precise about which pages your tracking technologies appear on and which pages they don’t appear on. As Baptist Health’s Lauren Anderson says, “People don't realize that it's not just a button that you can turn on and off to get these trackers off of your site.”
So, if you’re using a tracking technology, make sure you have a BAA in place.
Clarification 4: Removing PHI from the data a non-compliant tracker receives is not enough
Another point of confusion over the last year is whether or not tracking technologies that capture, but don’t store PHI, would put healthcare organizations at risk. Google Analytics is a prime example of this. Google claims that it collects, but doesn’t store, IP addresses. HHS spells this out below.
“Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
Clarification 5: HHS approves using CDPs like Freshpaint
Here’s the biggest change: HHS provides a clear path forward for healthcare marketers who can’t get a BAA with a specific marketing technology but want to continue using it.
HHS states that a Customer Data Platform (CDP) is the tool to use if you cannot get a BAA with the tracking technology vendor that will appropriately safeguard PHI.
They recommend CDPs because most will sign a BAA and have some built-in de-identification features.
But those two components alone don’t fully solve the HIPAA conundrum for healthcare marketers. Building a high-performing, HIPAA-compliant marketing stack involves more than just a BAA and de-identification.
Why A CDP can replace native web trackers
Let’s dive a little deeper into why HHS called out CDPs as a replacement for native web trackers.
- CDPs like Freshpaint replace native web trackers with a BAA-supported platform. Freshpaint, and similar CDPs, replace risky web trackers to offer healthcare marketers a way to gather the same website data they normally would but with a system that's supported by a BAA. This setup provides extra protection for PHI, making it safer to collect data.
- Healthcare-specific CDPs offer server-side connections with analytics and advertising destinations. Traditional web tracking technologies that the HHS called out operate from the “client-side,” meaning they collect data directly from the user’s web browser. Freshpaint’s healthcare-specific integrations are built server-side – meaning Freshpaint’s BAA-supported platform collects data and only sends it to an end destination from Freshpaint’s servers. This gives users an extra layer of control.
- Engineers can customize the platform to support limiting data sharing to specific destinations. Engineers can customize CDPs to act as a governance layer between a website visitor and the tools where a marketer would ultimately want to share data to. The downside with most generic CDPs is that this is all custom work and requires a heavy engineering lift to stand up.
Generic CDPs are built for tech-forward companies with robust engineering teams that can customize the way these tools work. Healthcare marketers need a CDP they can implement without engineering resources—one that was built, well, for healthcare.
Freshpaint is built for healthcare, and generic CDPs are not
Freshpaint is not just a CDP. It’s a Healthcare Privacy Platform. We built CDP-like functionality into the platform because it’s useful for healthcare organizations, but we also built healthcare-specific functionality alongside it.
Healthcare marketers are often the end users of CDPs, but most CDPs are complex platforms that require software engineers to stand up and maintain. Technical support is often needed to map out integrations with end destinations and instrument the right tracking events on healthcare websites.
In WebMD Ignite’s opinion, standing up a traditional CDP in a healthcare organization is extremely difficult, “Executing a full CDP inside of a health system is incredibly complex. It's going to take lots of IT, engineering and marketing involvement to execute.”
That’s not the case with Freshpaint’s Healthcare Privacy Platform. We built it specifically for healthcare marketers so they can easily stand up and maintain all aspects of the platform.
We do this in three ways:
1) Freshpaint is Safe by Default
Generic CDPs are “always on” – meaning they share all data with end destinations by default. Engineers are required to turn off the sharing of specific data points to prevent PHI from ending in an end destination.
Freshpaint shares nothing until healthcare teams choose to share a specific piece of data. We do this through a visual interface that makes it easy to understand what data we collect for you and what you can send to an end destination. This visual interface is something marketers can configure without engineering support.
When talking about Freshpaint’s Safe by Default approach, Columbus Regional Health’s Andrew Laker had this to say, "The HIPAA Allowlist in Freshpaint is one of my favorite things. It allows me to control what data is flowing to the tools that I need to do my job, and others on my team need to do their jobs."
Freshpaint also has an extra layer of transparency built into our platform – Event Verification. This helps you ensure that each event being passed to an end destination does not contain PHI. Generic CDPs do not have this functionality.
2) Freshpaint provides full functionality of marketing tools
Generic CDPs often build limited integrations with tools like Google Analytics. Limited integrations result in incomplete data sets – meaning end users don’t have as much data as they ordinarily would.
Generic CDPs often build these limited integrations through simple APIs like Google’s Measurement Protocol because it is a simple way to build server-side integrations. But Google’s own documentation states that the Measurement Protocol is limited, saying, “only partial reporting may be available” when using it.
Freshpaint’s integration with Google Analytics is custom-built using a proxy integration. This allows Freshpaint users to have a complete data set in their marketing tools – providing them with all the clarity they need to continue marketing at a high level.
3) Freshpaint has a full suite of healthcare-specific features
As vybe urgent care’s Andrew Lacomba says, “Freshpaint knows healthcare.”
And because of that knowledge, we built tools specifically to help healthcare marketers stay in compliance with HIPAA, while still being able to execute high-performance marketing.
Here are just a few examples:
- Web Tracker Manager – Freshpaint's Web Tracker Manager gives marketers visibility into third-party web trackers that may be running on their websites without their knowledge. With this information at their fingertips, companies can swiftly identify and address any potential privacy risks, ensuring consumer data remains protected at all times.
- Embedded Video Support – Freshpaint helps you create a richer experience for your visitors by supporting embedding Vimeo-hosted videos on your site without ever sharing HIPAA identifiers.
- Embedded Maps Support – Freshpaint offers a HIPAA-compliant, zoomable, pannable embedded map hosted in our BAA-supported platform.
- Industry-leading integrations – Freshpaint’s Healthcare Privacy Platform has integrations with the most-used ads, analytics, and embedded video tools. With industry-leading integrations, healthcare marketers can choose which data is shared with platforms like Facebook and Google. Each integration is purpose-built to support each specific use case out of the box.
This combination makes Freshpaint the best tool for healthcare organizations who are looking to activate their marketing data while complying with HIPAA.
Ready to follow HHS’s guidance and implement a CDP like Freshpaint? See a demo of Freshpaint’s Healthcare Privacy Platform and get a free web tracker report to see all the risky web trackers on your website.