HHS Tracking Technology Rules

Are You Violating HHS Tracking Technology Rules?

Share
Share

BACKGROUND: Recent HHS tracking technology guidance for organizations covered under HIPAA and resulting lawsuits have caused alarm and confusion. Health care and health insurance providers are scrambling to assess and address their liability while continuing to provide valuable information to customers.

HERE'S WHAT YOU NEED TO KNOW.

THE PROBLEM: A violation occurs when a covered entity shares PHI data + health information to a non-HIPAA compliant destination (like Google Analytics or an ad pixel/platform).

HHS Tracking Technology Guidelines PHI Data

DEFINITION OF A COVERED ENTITY AS PER HHS: Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

WHAT IS AFFECTED BY THIS RULE? All third-party integrations to covered entity websites that collect PHI data (including IP addresses) and do not offer business associate agreements (BAAs). Here are a few examples:

  • Google Analytics or any other Customer Data Platform
  • Advertising Pixels (Meta, LinkedIn, TikTok, Google, etc.)
  • Embedded YouTube videos
  • Link shorteners (like Bitly, that store information)
  • QR code generators (that store information)
  • Visible health conditions in UTM codes (“campaign_bariatric-surgery”)
  • Website plug-ins that capture PHI and website activity (this may include interactive maps on provider directories)

TOP SOLUTION VENDORS: The following vendors claim to offer solutions that ensure HIPAA-compliant data sharing. We evaluated each through a series of discussions and guided on-platform demonstrations. The chart below describes, to the best of our knowledge, how each ranks in what we consider to be key criteria. (NOTE: Wax has no relationship with any of these vendors.)

  • Tealium
  • Celebrus
  • Freshpaint
  • Piwik PRO
SOLUTION
REVIEWS
BAA
SERVICES
EASE
SUPPORT
SETUP
STORAGE
COST
Tealium
700+ employees
4.4 stars on Gartner (25 reviews)
YES
Tag Manager Consent Manager

** YOU CAN CONTINUE USING GOOGLE ANALYTICS AND ALL OTHER INTEGRATIONS

** PLATFORM CAN UNIFY DATA & INTEGRATE TO JUST ABOUT ANYTHING/ USES SERVER-SIDE INTEGRATIONS
Easy to Use
On-demand support and services globally
Tag Manager setup timing: 6-8 weeks

Total timing: 10-16 weeks
• HIPAA Multitenant
• Built and managed to HIPAA specifications
• Most cost-effective option for BAA
• Managed to same specs as Private Cloud, but more than one tenant
• Private Cloud – HIPAA-Compliant
• Highest level of security available is Single Tenancy
• HIPAA attestation
$50K annually for 5M hits with $25-50K implementation fee. Additional $12K annually for customer service.

Tealium is priced based on annual average event volume; Events are pageviews + tracked actions (form submits, video plays, etc.) + offline data (CRM, email engagement, etc.)
Celebrus
24 years in business
<30 employees
4.5 stars on Gartner (4 reviews)
YES –With redlines
Tag Manager
Customer Data
Platform
Medium
UK-based support team and hours
Add single line of code to your website

Total setup timing: 60-90 days
$75-100K annually

Dependent on # of sessions + unique visitors + connections
Freshpaint
<30 employees
4.5 stars on G2 (3 reviews)
YES – With redlines
Tag Manager
Customer Data Platform

**NO CONSENT MANAGER

**INABILITY TO UNIFY DATA

**LIMITED INTEGRATIONS/ USES 3RD-PARTY INTEGRATIONS

Easy to Use
8 AM-6 PM PT, Mon-Thu; 8 AM-1 PM PT, Friday Closed on holidays
Total setup timing: 1-2 weeks
Multiple warehouse options
Price per website engagement.

Compliance + Enterprise Plan Options

Pricing available after discovery call.
Piwik PRO <150 employees
4.0 stars on Gartner (5 reviews)
YES – With redlines
Customer Data Platform
Consent Manager
Medium
Moderate support and services; 9 AM-5 PM live chat only; Has a ‘Help Center’
Shared cloud customers setup timing: Almost immediate setup

Protected cloud customers setup timing: Up to 2 weeks
Hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data.
$17,995 annually for 5M page views + events

CLOSING THOUGHTS: In November of 2023, the American Hospital Association filed suit against the federal government to bar enforcement of this “unlawful, counterproductive and harmful rule.” (See AHA press release here.) This pending litigation is likely to result in a lengthy battle.

DISCLAIMER: This article does not constitute legal advice. If you are unsure about your organization’s ability to comply with HIPAA guidelines or liability under the recent HHS bulletin, you should consult an attorney.

DOWNLOAD, PRINT, OR SHARE HERE.

Powered By EmbedPress

QUESTIONS? CONTACT US.

Please enable JavaScript in your browser to complete this form.