BACKGROUND: Recent HHS tracking technology guidance for organizations covered under HIPAA and resulting lawsuits have caused alarm and confusion. Health care and health insurance providers are scrambling to assess and address their liability while continuing to provide valuable information to customers.
HERE'S WHAT YOU NEED TO KNOW.
THE PROBLEM: A violation occurs when a covered entity sends PHI (identifiable data combined with health information) to a non-HIPAA-compliant destination, such as Google Analytics or an advertising pixel/platform.
DEFINITION OF A COVERED ENTITY AS PER HHS: Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
WHAT IS AFFECTED BY THIS RULE? All third-party integrations on covered-entity websites that collect PHI (including IP addresses) and do not offer business associate agreements (BAAs). Here are a few examples:
- Google Analytics or any other Customer Data Platform
- Advertising Pixels (Meta, LinkedIn, TikTok, Google, etc.)
- Embedded YouTube videos
- Link shorteners (like Bitly, that store information)
- QR code generators (that store information)
- Visible health conditions in UTM codes (“campaign_bariatric-surgery”)
- Website plug-ins that capture PHI and website activity (this may include interactive maps on provider directories)
TOP SOLUTION VENDORS: The following vendors claim to offer solutions that ensure HIPAA-compliant data sharing. We evaluated each through a series of discussions and guided on-platform demonstrations. The chart below describes, to the best of our knowledge, how each ranks in what we consider to be key criteria. (NOTE: Wax has no relationship with any of these vendors.)
- Tealium
- Celebrus
- Freshpaint
- Piwik PRO
SOLUTION | REVIEWS | BAA | SERVICES | EASE | SUPPORT | SETUP | STORAGE | COST
---|---|---|---|---|---|---|---|---
Tealium (700+ employees) | 4.4 stars on Gartner (25 reviews) | YES | Tag Manager; Consent Manager. **YOU CAN CONTINUE USING GOOGLE ANALYTICS AND ALL OTHER INTEGRATIONS; PLATFORM CAN UNIFY DATA & INTEGRATE TO JUST ABOUT ANYTHING; USES SERVER-SIDE INTEGRATIONS** | Easy to use | On-demand support and services globally | Tag Manager setup timing: 6-8 weeks; total timing: 10-16 weeks | HIPAA Multitenant: built and managed to HIPAA specifications; most cost-effective option for BAA; managed to same specs as Private Cloud, but more than one tenant. Private Cloud: HIPAA-compliant; highest level of security available is Single Tenancy; HIPAA attestation | $50K annually for 5M hits with $25-50K implementation fee; additional $12K annually for customer service. Tealium is priced based on annual average event volume; events are pageviews + tracked actions (form submits, video plays, etc.) + offline data (CRM, email engagement, etc.)
Celebrus (24 years in business, <30 employees) | 4.5 stars on Gartner (4 reviews) | YES – with redlines | Tag Manager; Customer Data Platform | Medium | UK-based support team and hours | Add a single line of code to your website; total setup timing: 60-90 days | | $75-100K annually, dependent on # of sessions + unique visitors + connections
Freshpaint (<30 employees) | 4.5 stars on G2 (3 reviews) | YES – with redlines | Tag Manager; Customer Data Platform. **NO CONSENT MANAGER; INABILITY TO UNIFY DATA; LIMITED INTEGRATIONS / USES 3RD-PARTY INTEGRATIONS** | Easy to use | 8 AM-6 PM PT, Mon-Thu; 8 AM-1 PM PT, Friday; closed on holidays | Total setup timing: 1-2 weeks | Multiple warehouse options | Price per website engagement; Compliance + Enterprise plan options; pricing available after discovery call
Piwik PRO (<150 employees) | 4.0 stars on Gartner (5 reviews) | YES – with redlines | Customer Data Platform; Consent Manager | Medium | Moderate support and services; 9 AM-5 PM live chat only; has a 'Help Center' | Shared cloud customers: almost immediate setup; protected cloud customers: up to 2 weeks | Hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data | $17,995 annually for 5M page views + events
CLOSING THOUGHTS: In November of 2023, the American Hospital Association filed suit against the federal government to bar enforcement of this “unlawful, counterproductive and harmful rule.” (See AHA press release here.) This pending litigation is likely to result in a lengthy battle.
DISCLAIMER: This article does not constitute legal advice. If you are unsure about your organization’s ability to comply with HIPAA guidelines or liability under the recent HHS bulletin, you should consult an attorney.