BACKGROUND: HIPAA compliance for healthcare websites shifted with a significant court ruling in 2024. A federal court vacated the U.S. Department of Health and Human Services (HHS) guidance on online tracking technologies, which had restricted the use of web analytics tools such as Google Analytics and advertising pixels on healthcare websites.
The ruling creates a more permissive environment for healthcare providers and payors using online tracking technologies, provided they comply with HIPAA's other provisions. Even so, it remains essential to follow ongoing legal challenges and any further regulatory guidance from HHS as this area of law continues to evolve.
UPDATES ON AHA LAWSUIT: Alongside the court decision vacating the HIPAA tracking guidance, the American Hospital Association's (AHA) lawsuit remains pivotal. The court's ruling reinforced AHA's argument that HHS exceeded its authority under HIPAA by enforcing strict limitations on the use of web-based tracking technologies. However, this does not exempt healthcare providers from HIPAA compliance, particularly safeguarding patient data when using third-party tools. For more details on the court's ruling, visit the Holland & Hart Health Law Blog.
HERE'S WHAT YOU NEED TO KNOW.
THE PROBLEM: A violation occurs when a covered entity shares protected health information (PHI) with a destination that is not HIPAA compliant (such as Google Analytics or an advertising pixel/platform).
DEFINITION OF A COVERED ENTITY AS PER HHS: Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
WHAT IS AFFECTED BY THIS RULE? All third-party integrations on covered-entity websites that collect PHI (including IP addresses) and do not offer business associate agreements (BAAs). A few examples:
- Google Analytics or any other Customer Data Platform
- Advertising Pixels (Meta, LinkedIn, TikTok, Google, etc.)
- Embedded YouTube videos
- Link shorteners (like Bitly, that store information)
- QR code generators (that store information)
- Visible health conditions in UTM codes (“campaign_bariatric-surgery”)
- Website plug-ins that capture PHI and website activity (this may include interactive maps on provider directories)
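As an added example (my own code, not the article's and not any vendor's) of the leak the UTM entry above describes and of the server-side filtering the vendors are said to provide: the script below inspects the page URL a browser would otherwise send to an analytics destination, redacts path segments and UTM values that name a health condition, and omits the client IP from the outbound event. The domain hospital.example, the condition term list and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed, illustrative term list (hypothetical); a real deployment keeps
# its own list, reviewed by privacy and compliance staff. Matching is on word
# prefixes after normalising separators, so "campaign_bariatric-surgery" is
# caught while unrelated words such as "archive" (which contains "hiv") are not.
SENSITIVE_TERMS = ("bariatric", "oncolog", "hiv", "pregnan", "depress", "diabet")
_TERM_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, SENSITIVE_TERMS)) + ")")
REDACTED = "redacted"


def has_sensitive_term(text: str) -> bool:
    """True if a path segment or parameter value names a health condition."""
    normalised = re.sub(r"[^a-z0-9]+", " ", text.lower())
    return _TERM_RE.search(normalised) is not None


def scrub_url(url: str):
    """Return (clean_url, findings) for a page URL about to leave the server.

    Path segments and query values carrying a condition term become 'redacted';
    parameter names are kept so campaign reporting still works in aggregate.
    findings lists each redaction for the collector's own audit log.
    """
    parts = urlsplit(url)
    findings = []

    segments = parts.path.split("/")
    for i, segment in enumerate(segments):
        if has_sensitive_term(segment):
            findings.append(f"path segment '{segment}'")
            segments[i] = REDACTED
    path = "/".join(segments)

    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_sensitive_term(value):
            findings.append(f"query parameter '{name}'")
            value = REDACTED
        pairs.append((name, value))
    query = urlencode(pairs)

    # The fragment is dropped outright: a tag manager that forwards
    # location.href verbatim would otherwise pass it along uninspected.
    return urlunsplit((parts.scheme, parts.netloc, path, query, "")), findings


def forwardable_event(page_url: str, client_ip: str) -> dict:
    """Build the payload a server-side collector may send to a third party.

    client_ip is accepted so the call site is explicit about what is withheld:
    the article counts IP addresses as PHI, so it is never copied into the
    outbound event; only the scrubbed URL and a redaction count are.
    """
    clean_url, findings = scrub_url(page_url)
    return {"page": clean_url, "redactions": len(findings)}


if __name__ == "__main__":
    # Constructed sample: a landing-page URL of the kind the article warns about.
    sample = ("https://hospital.example/services/bariatric-surgery/"
              "?utm_source=meta&utm_campaign=campaign_bariatric-surgery&utm_medium=paid#book")
    clean, found = scrub_url(sample)
    print(clean)
    for item in found:
        print("redacted:", item)
    print(forwardable_event(sample, "203.0.113.7"))
```

The point of the design is that the outbound payload is rebuilt from an allow-list of fields rather than copied from the request, so a new parameter added by a marketing team cannot reach the third party unexamined; the findings list gives the compliance team something to review when a campaign name slips through.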
TOP SOLUTION VENDORS: Given the recent vacating of the HHS guidance on tracking technologies, hospitals and healthcare providers still need to ensure HIPAA compliance when using third-party tools. Here are the top vendors that offer HIPAA-compliant solutions, addressing concerns around online tracking, data sharing, and patient privacy:
- Tealium
- Celebrus
- Freshpaint
- Piwik PRO
| SOLUTION | REVIEWS | BAA | SERVICES | EASE | SUPPORT | SETUP | STORAGE | COST |
|---|---|---|---|---|---|---|---|---|
| Tealium (700+ employees) | 4.4 stars on Gartner (25 reviews) | YES | Tag Manager; Consent Manager. **You can continue using Google Analytics and all other integrations.** Platform can unify data and integrate with just about anything; uses server-side integrations | Easy to use | On-demand support and services globally | Tag Manager setup: 6-8 weeks; total: 10-16 weeks | HIPAA Multitenant: built and managed to HIPAA specifications; most cost-effective option for a BAA; managed to the same specs as Private Cloud but with more than one tenant. Private Cloud (HIPAA-compliant): highest level of security available is single tenancy. HIPAA attestation | $50K annually for 5M hits, plus $25-50K implementation fee; additional $12K annually for customer service. Priced on annual average event volume; events are pageviews + tracked actions (form submits, video plays, etc.) + offline data (CRM, email engagement, etc.) |
| Celebrus (24 years in business, <30 employees) | 4.5 stars on Gartner (4 reviews) | YES – with redlines | Tag Manager; Customer Data Platform | Medium | UK-based support team and hours | Add a single line of code to your website; total setup: 60-90 days | | $75-100K annually, dependent on number of sessions + unique visitors + connections |
| Freshpaint (<30 employees) | 4.5 stars on G2 (3 reviews) | YES – with redlines | Tag Manager; Customer Data Platform. **No consent manager; unable to unify data; limited integrations (uses third-party integrations)** | Easy to use | 8 AM-6 PM PT, Mon-Thu; 8 AM-1 PM PT, Fri; closed on holidays | Total setup: 1-2 weeks | Multiple warehouse options | Price per website engagement; Compliance and Enterprise plan options; pricing available after discovery call |
| Piwik PRO (<150 employees) | 4.0 stars on Gartner (5 reviews) | YES – with redlines | Customer Data Platform; Consent Manager | Medium | Moderate support and services; 9 AM-5 PM live chat only; has a Help Center | Shared cloud customers: almost immediate; protected cloud customers: up to 2 weeks | Hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data | $17,995 annually for 5M page views + events |
RECOMMENDATION: For hospitals that need to keep using third-party analytics and tracking technologies while complying with HIPAA, Tealium and Piwik PRO stand out as the best options. Both offer strong privacy controls and server-side integrations that help keep PHI out of third-party destinations. Celebrus and Freshpaint are also good options for healthcare providers with different data integration needs.
Consult each vendor to determine which one fits your organization's size, digital infrastructure, and specific compliance requirements.
DISCLAIMER: This article does not constitute legal advice. If you are unsure about your organization’s ability to comply with HIPAA guidelines or liability under the recent HHS bulletin, you should consult an attorney.