Google Analytics and Meta Pixel: How to stay HIPAA compliant and safely collect patient data

Practis Blog

Recently, the U.S. Department of Health and Human Services issued a statement on website tracking services such as Google Analytics and Meta Pixel and how they relate to HIPAA. Some of this material can be confusing, so here is what it means for the tracking on your website, and what we are doing at Practis to protect our clients and the privacy of their patients.

What Are the HIPAA Privacy Regulations That Pertain to Tracking Services For Medical Websites?

HIPAA protects individually identifiable health information (IIHI); when a covered entity or its business associate holds that information it is protected health information (PHI), and an impermissible disclosure of it is a potential breach and HIPAA violation. HHS's Office for Civil Rights (OCR) has stated that regulated entities may not use tracking technologies in a way that results in impermissible disclosures of PHI to tracking-technology vendors or otherwise violates the HIPAA Rules. HIPAA itself dates from 1996 and the Privacy Rule is not new; the recent bulletin creates no new obligation, it explains how the existing rules apply to website tracking.

The bulletin states: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Running an effective medical SEO or social media campaign means gathering insight on website performance through tracking technologies. Google Analytics, Meta Pixel, on-site cookies and other tracking or retargeting methods can put you in violation of HIPAA if they are implemented carelessly, so we do not recommend that healthcare providers use them in any way that conflicts with the HIPAA Rules. Google Analytics and Meta Pixel can still be used, provided the implementation is compliant: for example, recording only pageviews, and only on pages whose URL and content do not themselves reveal a visitor's condition or treatment.

The Office for Civil Rights (OCR) provides additional guidance on the proper use of online tracking technologies. Specifically:

  • User-authenticated pages (pages that require a user to log in). These often contain PHI such as a name, email address, diagnosis or prescription information, and tracking on them is covered by the HIPAA Rules.
  • Unauthenticated pages (pages that do not require a login). These typically carry general practice information such as locations, services and physician bios. Tracking technologies on such pages usually do not have access to an individual's PHI, and in that case their use is not specifically regulated by HIPAA.
  • Unauthenticated pages that do involve PHI are covered by HIPAA. Examples of unauthenticated pages where the HIPAA Rules apply include:
    • The login page of a practice's patient portal
    • An online appointment request form that a user can submit without logging in
    • Any unauthenticated page that collects an email address
    • Unauthenticated pages about specific treatments or conditions, where the page visited can be linked back to the visitor's IP address

For Practis clients, the Google and Meta (Facebook) ads we run do not use retargeting that tracks users across websites. For Facebook campaigns managed by Practis, Meta Pixel records pageviews only; no user-specific data is captured or shared, and the same applies to Google Ads campaigns and Google Tag Manager (GTM). We also prohibit Google Analytics, GTM and Meta Pixel inside Practis Forms, our HIPAA-compliant form builder, so no tracking code runs where patients enter their information.

What Data Can Medical Websites Track?

Medical websites designed by Practis do not use tracking cookies, and we collect data only on unauthenticated pages, where users are not required to log in. OCR acknowledges that tracking technologies on unauthenticated pages generally do not have access to individuals' PHI, so they are generally acceptable there. The HIPAA Rules do apply, however, when the page itself concerns symptoms or the treatment of a condition: a tracking technology that records the IP address of a visitor to such a page ties an identifier to a health condition, and that puts you at risk.

There are therefore cases where tracking technologies on unauthenticated pages do have access to PHI: pages about health conditions such as pregnancy or miscarriage, and pages that let individuals search for doctors or schedule appointments without entering credentials. In those cases the HIPAA Rules apply to the regulated entity's use of tracking technologies and to its disclosures of PHI to tracking-technology vendors. It all depends on the content. If you are a Practis Forms customer, those HIPAA-compliant forms are embedded on your site and no tracking scripts are allowed inside the Practis Forms application, which keeps your patients' data out of the trackers.

What Does Google Have to Say About HIPAA Compliance?

Google has published guidance on what it collects as it relates to HIPAA and PHI. There are ways to avoid sending PHI to Google Analytics, but you need to understand how Google collects data in the first place. For example, imagine you are an expectant mother looking for an OBGYN in your area. You search for “obgyn near me” and click the first link, which takes you to a pregnancy services page on a local healthcare system's website. Without your realizing it, the Google Analytics tracking snippet records the URL of the page you visited and the IP address you visited from. Here is the catch: that seemingly innocent pair of values is PHI, because anyone holding it could infer that you are pregnant.

The good news is that with GA4, Google no longer logs or stores IP addresses. It does still use the IP address at collection time to derive coarse location data such as city and state, and the address still reaches Google's servers in the request. That may not sound like much, but combined with the URL of a condition-specific page it is exactly the kind of detail that raises concerns under the HIPAA Privacy Rule, so be mindful of what each pageview actually transmits.
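As an added example (not Practis code, and not Google's own guidance), here is one way to keep a GA4 pageview from carrying PHI in the URL or page title. The allowlist of safe paths, the `/redacted` placeholder and the sample URLs are assumptions for illustration; `page_location` and `page_title` are real GA4 config parameters. Note what it does not do: the visitor's IP address still reaches Google in the request, so for a page you consider truly sensitive the only fix is to not load the snippet at all.

```javascript
// Added example, not Practis code or Google's own guidance: strip PHI from what a
// GA4 pageview reports. Everything configurable below is an illustrative assumption.

// Assumption: the practice maintains an allowlist of URL path prefixes that carry
// only general practice information (locations, bios, contact). Anything outside it
// (condition pages, appointment and portal pages) is treated as sensitive.
const SAFE_PATH_PREFIXES = ["/", "/about", "/locations", "/providers", "/contact"];

// Placeholder reported in place of a sensitive path; not a Google-defined value.
const REDACTED_PATH = "/redacted";

function isSafePath(pathname) {
  return SAFE_PATH_PREFIXES.some((prefix) =>
    prefix === "/"
      ? pathname === "/" // the home page only, not every path
      : pathname === prefix || pathname.startsWith(prefix + "/")
  );
}

// Returns the URL that should be sent as GA4's page_location.
function sanitizeLocation(rawUrl) {
  const url = new URL(rawUrl);
  // Query strings and fragments are where search boxes and multi-step forms put
  // things like ?q=miscarriage or #insurance, so drop them on every page.
  url.search = "";
  url.hash = "";
  if (!isSafePath(url.pathname)) {
    // Report that a page was viewed without saying which condition it covered.
    url.pathname = REDACTED_PATH;
  }
  return url.toString();
}

// Builds the argument list for gtag('config', ...). page_location and page_title
// are GA4 config parameters that override what the snippet would collect on its
// own. The IP address is still visible to Google's servers in the request, so for
// truly sensitive pages the only fix is not to load the snippet at all.
function buildGtagConfig(measurementId, rawUrl, pageTitle) {
  const pageLocation = sanitizeLocation(rawUrl);
  const safe = isSafePath(new URL(rawUrl).pathname);
  return [
    "config",
    measurementId,
    {
      page_location: pageLocation,
      // Titles such as "Pregnancy Services | Clinic" leak as much as the URL.
      page_title: safe ? pageTitle : "Redacted page",
    },
  ];
}

// Constructed sample URLs for a quick self-check when this file is run directly.
const SAMPLES = [
  "https://clinic.example/locations?utm_source=fb",
  "https://clinic.example/conditions/pregnancy/miscarriage?q=obgyn#top",
];
for (const sample of SAMPLES) {
  console.log(sample, "->", sanitizeLocation(sample));
}
```

To wire it in, replace the stock `gtag('config', 'G-XXXXXXX')` line in the snippet with `gtag(...buildGtagConfig('G-XXXXXXX', location.href, document.title))`, substituting your own measurement ID. The list is deliberately an allowlist rather than a list of sensitive words: a newly published condition page is redacted by default until someone decides it is safe to report.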

What Are the Best Practices for HIPAA Compliance in Your Medical Practice?

It is important that you and your staff fully understand the HIPAA regulations and take the right steps to protect your patients' information. Regular staff training on HIPAA and patient privacy maintains a culture of compliance; security measures such as encryption and access controls add a further layer of protection; and periodic risk assessments and audits surface problems before they become violations. You do not want to discover you are doing it wrong after it is too late. If you are not confident in your policy, or in the vendor who implemented your tracking, it is worth engaging a lawyer or other privacy professional to review whether your particular site is exposed.

Why Is Partnering With a Trusted Medical Marketing Agency Critical for HIPAA Compliance?

When you work with third-party tracking providers, you need to understand in detail how their solutions work. In digital marketing these providers change their products often and without warning, so you have to stay on top of each vendor's latest releases and data-collection practices and be ready to update your marketing processes whenever they make a major change.

The right medical marketing agency will have someone on staff dedicated to keeping up with the latest privacy trends and the changes made in third party tracking providers. They can ensure compliance throughout website development and ongoing maintenance as well as guide you in choosing the right analytics solutions that safeguard patient data. They can also help you understand how to take the data collected and make decisions that help grow your healthcare business.

Nobody wants to be fined for HIPAA violations. By understanding the risks associated with Google Analytics and Meta Pixel, implementing recommended safeguards, and partnering with an experienced agency, you can safeguard patient privacy, maintain HIPAA compliance, and build trust with your patients.

Ready to protect your patient data and ensure HIPAA compliance?

Schedule a free website assessment with us to make sure your website is safeguarding patient privacy and avoiding potential fines.