Recent HHS guidelines moved the goalposts on PHI for regulated entities using tracking technology from Google, Facebook, and others.
Download the ebook to learn:
🏥 What is PHI now?
📈 How tracking technologies work (and why they violate HIPAA)
✍️ Why a BAA alone isn't enough to protect you
🗣 How to make Google and ad platforms HIPAA-compliant
For a tool like Google Analytics, where it’s not safe to send health data AND personal identifiers, Freshpaint removes the identifiers that HIPAA considers personally identifiable information and assigns a new identifier that can never reveal the identity of the individual.
Now Freshpaint can send anonymous user actions to Google Analytics without the identifiers. This is how you use Google Analytics in a HIPAA-compliant way.
Allowlists are safer because the default is that nothing happens: no data is sent to destinations. Allowlists don’t apply only at the integration level; they also apply at the event, user, and group level. By reducing the overall flow of PHI across your tech stack, you dramatically reduce your security footprint.
Since Freshpaint signs a BAA, all visitor and user behavioral data can be collected from your website and stored safely using Freshpaint instead of Google’s and Facebook's tracking technologies.
To ensure a safe connection between tools like Google Analytics, Google Ads, and Facebook, Freshpaint loads all the data server side.
To eliminate human error and ensure that PHI is never shared with non-compliant tools (especially things like appointment date, IP address, and zip code that live in the metadata), the default setting is that Freshpaint doesn’t share any data.
HIPAA compliance is hard. Freshpaint makes it easier by allowing us to decide where we want to send PHI. But the magic is, for destinations where we don’t want to send PHI, we can still track user behavior without revealing who that user is.