Is My Organization Large Enough to Warrant Implementing HIPAA Compliant Analytics or a CDP?

This is a surprisingly common question that we receive in some form or another. What the executive is really asking is a risk versus compliance question. I’ll attempt to give an explanation for both from a website perspective.

Compliance is Black and White

First, compliance is compliance. It should be treated as black and white when it comes to the preservation of patient data. From a legal perspective, your size does not matter for compliance. For HIPAA compliant analytics, the law will ask whether the web visitor was seeking patient care and whether they were engaging with the practice to receive care. That visitor’s PHI and PII, captured through your web analytics setup, is now in your care and must stay protected by your organization.

Risk is Grey

Risk is a different issue. Sure, there are fines to worry about for non-compliance, but there’s more at stake from a risk perspective. There’s the reputation risk for failure to protect patient data. More importantly, there’s the damage that can be done to patients whose data is disclosed to the world without their permission.

Will They Waste Time With My Emerging Group?

From a risk perspective, the government typically goes after bigger fish because it only has so many resources to do so. To be clear, that doesn’t mean your non-compliance is acceptable – this is strictly a risk-perspective observation.

However, the tooling is getting more robust: predatory law firms representing your patients can use automated tools to find non-compliant web analytics and serve you a lawsuit. The web scraping tools are getting very good, and it costs a law firm little to move past the “large” organizations and target the “smaller” ones. They may simply take a gamble, serve the lawsuit, and see what sticks.

These tools work by sending a bot to your site, finding the Google, Facebook, or other vendor tags loaded in the page’s code, and flagging that you are likely not in compliance. If you are using a Customer Data Platform (CDP) such as Freshpaint, those vendor tags no longer appear in the page’s output code, because the CDP’s script/event code is the mechanism that moves the data to those services in a controlled manner.
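The same check can be run from the site owner’s side before anyone else runs it for you. The script below is an added example (not code from the original post, and not Freshpaint’s or any other CDP’s code) that parses a page’s output HTML and reports vendor tags loaded directly in it, which is what an outside scanner would see. The vendor hostnames, the inline `gtag(`/`fbq(` markers, the sample pages and the `cdn.example-cdp.invalid` loader are assumptions constructed for the demonstration.

```python
"""Self-audit of a page's HTML for directly embedded analytics/ad tags.

Added example, not code from the original post or from any CDP vendor. It
mirrors, from the site owner's side, the scan the article describes: inspect
the page's output source for vendor tags.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames and inline call markers treated as direct vendor tags. This list
# is an illustrative assumption, not an authoritative compliance list.
VENDOR_HOSTS = {
    "www.googletagmanager.com": "Google",
    "www.google-analytics.com": "Google",
    "connect.facebook.net": "Meta",
    "www.facebook.com": "Meta",
}
INLINE_MARKERS = {"gtag(": "Google", "fbq(": "Meta"}


class TagAuditor(HTMLParser):
    """Record script/img/iframe sources and inline script bodies that reference a vendor."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (element, vendor, evidence)
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._inline = []
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc.lower()
            if host in VENDOR_HOSTS:
                self.findings.append((tag, VENDOR_HOSTS[host], src))

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data.
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._inline)
        for marker, vendor in INLINE_MARKERS.items():
            if marker in body:
                self.findings.append(("inline-script", vendor, marker))
        for host, vendor in VENDOR_HOSTS.items():
            if host in body:  # loader snippets embed the vendor URL as a string
                self.findings.append(("inline-script", vendor, host))


def audit_html(html):
    """Return all (element, vendor, evidence) findings for one page's HTML."""
    auditor = TagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def vendors_found(html):
    """Sorted list of distinct vendors whose tags appear directly in the HTML."""
    return sorted({vendor for _, vendor, _ in audit_html(html)})


# Constructed sample pages; the IDs and the CDP hostname are placeholders.
DIRECT_TAGS_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* loader elided */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<h1>Schedule an appointment</h1>
</body></html>"""

CDP_PAGE = """<html><head>
<script src="https://cdn.example-cdp.invalid/loader.js" data-site="site-EXAMPLE"></script>
</head><body><h1>Schedule an appointment</h1></body></html>"""

if __name__ == "__main__":
    for name, page in (("direct tags", DIRECT_TAGS_PAGE), ("CDP only", CDP_PAGE)):
        print(f"{name}: vendors={vendors_found(page)}")
        for element, vendor, evidence in audit_html(page):
            print(f"  {element:14} {vendor:7} {evidence}")
```

On the first sample the audit reports Google and Meta from four places (the tag-manager loader, the inline `gtag()` call, the inline pixel loader, and the `<noscript>` image beacon); on the CDP-only page it reports nothing, which is the difference the article describes. Two caveats apply to reading a clean result: it only shows that no vendor tag is in the static output, not that the CDP itself is configured to withhold PHI, and tags injected later by JavaScript are invisible to a static parse, so a fuller audit fetches the page in a headless browser and records the network requests it makes.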

Acting Out of Fear

The intent of this article is not to stoke fear and compel you to make expensive decisions that you may be unhappy with. Rather, it’s meant to provide a little color on what we’re seeing in the website and marketing world as it relates to HIPAA compliant web analytics. As of now, it seems government organizations and law firms are focusing on large, obvious compliance breaches.

Over time, as large groups adapt and adhere to regulations more carefully, I think attention will start to move down the food chain. Overall, organizations have some time to get this right, but I don’t think the compliance regulations are going to get looser over time.

Conclusion

As a patient, I hope every organization, large or small, is taking care of the data I give them when trying to engage their health services. As a marketer, I hope organizations are storing patient data in a HIPAA compliant manner so they can continue to find and serve patients who need their care. As a website builder, I will recommend doing it right, but ultimately you own your website.

Grayson Allen
