4 Steps to Take Now: Future-Proofing Your Digital Analytics in Healthcare

Two big tidal waves hit the healthcare marketing world over the past 12 months, riding in on the trend of increased public and government scrutiny over the privacy practices of those collecting data about patients online.

  1. Google announced last year that the move to Google Analytics Four (GA4) would be mandatory as of July 1, 2023. 
  2. HHS released new guidance on December 1, 2022, seeming to imply that any analytics provider that is collecting and using IP addresses may be subject to the same HIPAA compliance standards as a vendor handling patient names, conditions or appointment scheduling requests. 

These announcements have sent quite a few marketing teams into a tailspin, forcing them to shift manpower from advertising campaigns or traditional marketing activities toward their analytics mix.

As a healthcare digital marketing agency, Full Media has spoken with internal healthcare marketers for organizations big and small, legal experts, third party consultants and performed significant research. The current environment is characterized by uncertainty, which may hopefully give either HHS or Google the impetus to provide more clarity. But what is certain is that attitudes about digital analytics in healthcare are changing, and no matter where the final decisions end up landing, there are steps you can take now that will set your organization up better for the future.

What you need to know

When it comes to the HHS guidance, the information that the government agency has provided is vague enough that it’s difficult to tell whether or not Google Analytics Four is collecting PHI and needs to be fully HIPAA compliant. The new guidance indicates that collecting something as simple as a page visit alongside an IP address could trigger the need for fully HIPAA-compliant security standards. While Google Analytics Four does not collect and store IP addresses, it does interact with them. That’s already triggered some healthcare organizations to look into other analytics platforms that will guarantee HIPAA compliance.

Four steps you should take now

Whether or not your organization sticks with GA4 is a question for you and your attorneys. Regardless of where you fall on that issue, there are steps you can take now that will help protect and prepare you as these issues continue to evolve.

1. Work with industry-educated vendors

Over the past few years, we’ve seen a precipitous rise in investigative journalism and lawsuits against organizations for their usage of digital analytics about patients. But many of the practices that these organizations have gotten in hot water over have been well-established “no-nos” if an organization or marketing agency truly understands HIPAA regulations. 

Most healthcare marketers wear many hats, and they lean heavily on outside vendors to help them, whether that’s a website developer, a marketing agency or a platform. As the environment and expectations around digital analytics change at-large and in the healthcare industry, it will be increasingly important for healthcare marketers to work with vendors who operate in a HIPAA-educated and compliant manner too. 

2. Build a thoughtful, vetted analytics plan

Take the time to consider what you need. What types of reports and analytics add value to your organization? Are your marketing efforts informed and improved regularly based on data? Consulting with vendors who truly specialize in the area of digital analytics can help you build this list, especially if there are gaps in your data. 

Once you’ve determined what you need, vet your analytics mix to see if (a) it’s giving you the data you need, and (b) its security standards meet your needs as a healthcare organization. 
Consider and discuss the security standards for:

  • Contact form tools and where your form submission data is stored
  • Call tracking platforms
  • Scheduling or “find a provider” tools
  • Any advertising pixels you have installed on your website, like Google Ads or Meta
  • Your web analytics platform, like Google Analytics

If personally identifiable information is stored on any of these systems, it’s a requirement that you maintain HIPAA standards for that data storage and have a Business Associate Agreement on file with that vendor. 

Make sure with any data you are sending to an advertising pixel or web analytics platform that it does not include personally identifiable information. These third-party services should be outlined in your privacy policy, and it’s best practice to give website visitors the opportunity to opt-out of these cookies. 
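As an added illustration (not Full Media's code, and not any analytics platform's documented API), the following browser-side JavaScript layer enforces the point above before a hit leaves the site: only an allowlist of event parameters and campaign query parameters is forwarded, and any value that looks like an email address, phone number or SSN-style identifier is redacted. Everything that was dropped is returned alongside the event so the team can audit what the site attempted to send. The parameter names, the regular expressions and the sample event are assumptions constructed for this example; `gtag` is referenced only as the global that a loaded GA4 tag exposes, and nothing is sent when it is absent.

```javascript
// Added example (not Full Media's or any vendor's code): an allowlist layer
// that strips personally identifiable information from analytics events
// before they reach a web analytics platform or advertising pixel.
// Parameter names, patterns and the sample event are constructed for
// illustration.

// Query parameters that are safe to forward: campaign attribution only.
// Search terms, form values and identifiers are dropped by omission.
const ALLOWED_QUERY_PARAMS = new Set([
  'utm_source', 'utm_medium', 'utm_campaign', 'utm_content', 'utm_term',
]);

// Event parameters the (hypothetical) analytics plan actually needs.
const ALLOWED_EVENT_PARAMS = new Set([
  'page_location', 'page_title', 'form_name', 'event_category',
]);

// Values that should never leave the site inside an analytics hit.
const PII_PATTERNS = [
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, '[redacted-email]'],
  [/\b\d{3}-\d{2}-\d{4}\b/g, '[redacted-id]'],
  [/\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g, '[redacted-phone]'],
];

// Replace anything that looks like an email, SSN-style id or phone number.
function redactPii(text) {
  let out = String(text);
  for (const [pattern, replacement] of PII_PATTERNS) {
    out = out.replace(pattern, replacement);
  }
  return out;
}

// Keep only campaign parameters, drop the fragment, and redact what remains.
function sanitizeUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.append(key, redactPii(value));
  }
  url.search = kept.toString();
  url.hash = '';
  return redactPii(url.toString());
}

// Build the event that may be forwarded. Keys outside the allowlist are
// dropped and reported so the site owner can see what was attempted.
function buildAnalyticsEvent(name, rawParams) {
  const params = {};
  const dropped = [];
  for (const [key, value] of Object.entries(rawParams)) {
    if (!ALLOWED_EVENT_PARAMS.has(key)) {
      dropped.push(key);
      continue;
    }
    params[key] = key === 'page_location'
      ? sanitizeUrlForAnalytics(value)
      : redactPii(value);
  }
  return { name, params, dropped };
}

// Hand the sanitized event to the tag if one is loaded; outside a browser
// there is no tag, so the function simply returns the event for inspection.
function sendEvent(name, rawParams) {
  const event = buildAnalyticsEvent(name, rawParams);
  if (typeof globalThis.gtag === 'function') {
    globalThis.gtag('event', event.name, event.params);
  }
  return event;
}

// Constructed sample: what a naive form handler might try to send.
const sampleEvent = sendEvent('form_submit', {
  page_location: 'https://clinic.example/find-a-provider?utm_source=newsletter&q=cardiology&email=jane@example.org#step2',
  page_title: 'Find a Provider',
  form_name: 'appointment_request',
  patient_name: 'Jane Doe',
  message: 'Please call 555-010-2222',
});
```

The allowlist is deliberately the only way data gets through: a new form field or query parameter is silent by default until someone adds it to the plan, which is the "least-necessary" posture described in step 4 applied at the point where data leaves the browser. Pattern-based redaction is a backstop for values that were allowed but still contain something they should not, not a substitute for the allowlist.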

If any of your current analytics vendors aren’t meeting your needs, it’s time for research! If you’re working with healthcare-specific digital technology providers or agencies, lean on them to find other solutions and help vet platforms. 

3. Show your work, internally and externally

It’s important that you know why you have chosen each platform and to document any information about HIPAA compliance, including keeping your signed BAAs and contracts on file. You should be able to demonstrate that you investigated the standards and worked to keep all data secure. 

Your privacy policy is also a critically important way to show your work externally. Be sure to include a full description of your digital analytics practices and provide opportunities to opt out of data collection where possible. While it’s not yet a requirement for all United States healthcare organizations to show a cookie consent banner to all visitors, it may be helpful to do so anyway as a precaution. 

4. Adopt a “least-necessary” attitude with data collection and retention

Now that you know what type of data you want and need, you should also consider ways to (a) not collect unnecessary data, and (b) retire old data once it’s past its usefulness. 

Storing more data than you need just adds risk. It’s your responsibility to safeguard that data and, eventually, delete that data once it’s no longer needed. By considering ways to collect only what you need, you reduce your responsibilities. 

Many platforms are also now building in controls where data is only retained for certain periods. Healthcare marketers are busy, so keeping up and clearing out all data often falls to the bottom of the priority list. Using these automatic controls can help limit your risks!

Rachael Sauceman
Director of Strategy

Rachael develops and executes visionary strategy for Full Media, serves as the in-house subject matter expert in healthcare Internet marketing, and identifies ongoing opportunities to add value to healthcare organizations through innovation and team member development.

She has a wide array of expertise in developing marketing strategies for healthcare clients and different medical specialties, with specific experience in developing strategies for MD referrals, YouTube TrueView campaigns and building reports to compare the effectiveness of traditional media to digital media.
