


The rules are always changing, and a recent case regarding tracking technologies is a perfect example.
In AHA v. Becerra, the court reviewed certain provisions of OCR’s HIPAA guidance on online tracking technologies, and this could have a big effect on how digital analytics tools like Google Analytics 4 (GA4) and Google Tag Manager (GTM) are used in the future.
What does this case mean for healthcare marketing?
In July 2024, the U.S. District Court for the Northern District of Texas ruled that HHS overstepped its authority by saying that HIPAA is violated when an individual’s IP address is linked with a visit to an unauthenticated public webpage related to health conditions or providers.
The court’s ruling clarified that tracking a patient’s IP address to specific URLs doesn’t automatically break HIPAA rules. The decision stated that the data collected this way isn’t considered Protected Health Information (PHI) unless it directly relates to identifiable health data and is intentionally linked to someone’s healthcare.
In other words, tracking a patient’s IP address linked to specific URLs isn’t always a HIPAA violation.
Even with this ruling, it’s important to understand its limitations.
The decision focuses mainly on IP addresses without addressing data considered PHI. Healthcare marketers must still be careful about:
With so many third-party tracking tools and identifiers out there, this ruling alone doesn’t instantly make a website HIPAA-compliant. Healthcare organizations still need to ensure they’re using HIPAA-compliant tracking to avoid hefty fines and legal trouble.
After analyzing the ruling, our internal and external experts have a few takeaways:
In short, even though the ruling might relax some rules about data tracking, healthcare providers should still focus on HIPAA-compliant tracking, no matter what happens.
Ultimately, when it comes to tracking tools, like GA4 and GTM, this ruling does nothing to reverse the earlier rulings of the OCR about their HIPAA non-compliance.
Ten days ago, the OCR filed a notice to appeal the district court’s ruling in the AHA v. Becerra case. But on August 29, they decided to drop the appeal and officially withdrew their notice. That means the district court’s ruling will remain in place.
As a result, HIPAA-regulated entities can keep using tracking technologies on unauthenticated web pages without worrying about future penalties for HIPAA violations as long as they follow the court’s interpretation.
While some might feel relieved, this case is really bringing patient privacy, data tracking, and digital rights into the spotlight. It’s catching the eye of both litigators and regulators, making headlines even in non-trade media.
This case and the OCR guidance that inspired it offer an opportunity to take a step back and evaluate how data is collected, shared, and used in healthcare marketing.
As healthcare marketers, you need to keep in mind that, while you have powerful tools and tech at your disposal, you also have a responsibility to protect patient privacy and comply with HIPAA regulations. It’s always better to play it safe when handling sensitive patient data.
The AHA v. Becerra case reminds us that rules and guidelines in digital marketing for healthcare are always changing. As professionals in this field, we need to stay updated on these changes and make sure our practices follow the latest regulations and ethical standards.
The best approach is to stop potential violations before they happen.
To avoid the risk of regulatory fines and class action lawsuits, HIPALYTICS ensures HIPAA-compliant tracking with GA4 and GTM, a win for patient privacy and effective healthcare marketing.
We make these tools HIPAA-compliant by anonymizing PHI and storing it on safe US-based servers, leaving no room for violations and legal issues. Our services are BAA-protected and aligned with the latest technological trends and HIPAA updates.
To learn more about how we protect your marketing efforts, visit hipalytics.com or contact mike@hipalytics.com.