Transcription of video

Hi everyone- my name is Colton- I am the founder of Bespoke Media an advertising agency, and I wanted to talk to you today about HIPAA as it pertains to your website and make sure that you’re reducing your risk as much as possible. ​ Because there seems to be a lot of confusion around the internet and scant information, and stuff that’s just hard to find so I wanted to put it all together and give a brief intro and check to see if you are actually violating HIPAA law and ways you can reduce that exposure risk. This applies to doctor’s offices, dental clinics, health systems, chiropractors, really any covered entity with HIPAA, or the Health Insurance Portability and Accountability Act, so if you have Google Analytics tags or Facebook pixels or really any tracking system that’s being used that is not specifically said to be HIPAA compliant, or you have an unencrypted contact form or you have an appointment confirmation configuration, or your URL’s structure has unique URL identifiers, etc. There’s a litany of things but basically there’s a very good chance you may not be HIPAA compliant unless you were to work under a microscope with your dev team to go through each of these checks. That also applies to marketers- so any of you marketers who are working with covered entities- that HIPAA law basically passes down to you as well.

So, before I get into this, I should say I’m not a lawyer, I am not your lawyer, nor could I claim to be an expert in HIPAA law. ​ This should not be interpreted as legal advice and I advise you to seek counsel from your legal team on this for compliance matters. I am however a marketer with over a decade worth of experience, I understand tracking very well and I have been researching HIPAA and how it pertains to websites for the last 6 months or so. My team and I have been working with lawyers, web developers, and HIPAA experts to put together this video for you so that you can understand it a little bit better. So what exactly is a violation of HIPAA law? ​ In its most basic form, it is taking Personally Identifiable Information (or PII) putting that together with Health Information, and then when you get those together, the combination of that is called Protected Health Information (PHI). ​ That is what could get you into trouble if you expose that to a 3rd party.

Now, you understandably want to monitor your site traffic, understand what channels are working for you, where to put your energy and your ad dollars, but you don’t want to risk violating HIPAA law and receiving an exorbitant fine. ​ So does that mean you should just completely remove all tracking tags altogether and fly blind with your marketing campaigns? ​ Absolutely not. ​ So while Google Analytics is actually not HIPAA compliant (as you can see in their HIPAA disclaimer claiming so), it still does use with the Universal tracking pixel collects quite a bit of user behavior and data but not PHI as of January 2018. But they do still collect where they’ve gone on your website and the pages they’ve visited, where they go on other websites, their interests/behaviors on an aggregate level, keywords they’ve used to arrive on your website, and many other things. So what you can actually do is remove that bit of data from your tracking code so that you are not sending that data up into the 3rd party which is Google and so that would be within Google Analytics itself. Now, you are going to be removing quite a bit of valuable user information and user behavior from your tracking code, but the good news is you’re still maintaining ​ that core essential data, that is where they’re coming from, which channels are working for you, and core user data on an aggregate level. That way, you can allocate your ad dollars effectively, optimizing your Marketing campaigns to the best of your ability while minimizing your exposure risk to violating HIPAA law. ​

So what exactly is Personally Identifiable Information (or PII)? It’s basically just a unique identifier to identify an individual using their information such as: Birthday, Phone number, Address, Email address, Social security number- these are all forms of PII. One way you can check to see if you’re actually collecting that PII in Google Analytics is for you to go into your Google Analytics account, and then click on Behavior -> Site Content -> All Pages, then in the Search Bar search using the ‘@’ symbol, which may or may not show you some email addresses, as each email address contains the @ symbol. ​ So, if you did this check and nothing comes up, congratulations, you are not collecting email address information in Google Analytics. But that doesn’t necessarily mean that you’re not collecting other forms of PII.

Now, some of you may try to get clever and think that you can filter out this data before it gets into Google or just filter out within the views of Google Analytics. ​ But what you’re not taking into account is you’re still sending that data into a 3rd party source (which is Google) and violating HIPAA law. So what you need to do is actually redact that data from your code before it actually goes into Google Analytics.

So let’s take a few quick examples of some HIPAA violations:

So let’s say for example I run a chiropractic business and therefore I am a covered entity bound by HIPAA. ​ So my website is coltonwardchiropractic.com with a contact form and the Universal Google Analytics tag. ​ Let’s say a user arrives on one of my subfolder pages that is coltonwardchiropractic.com/fibromyalgia because they have lower back pain, and so they enter their information on a contact form for us to reach out to them, and then they end their session. ​ A few days later, this same user’s wife logs into the same computer and is served a remarketing ad speaking specifically to his fibromyalgia. ​ Now this would be a HIPAA violation, because the original user’s been cookied and then someone else has been served up an ad speaking specifically to their health information and their PHI, using their own data. ​ Additionally- the contact form- if it’s unencrypted, has also received that information and sent it back to the software company that was collecting that information. So you have potentially two HIPAA violations there.

So let’s look at another example:

I’m a marketing expert who handles digital marketing for a health system- let’s call it ABC Hospital. Now ABChospital.com is running a Google Ads campaign, and they’ve enabled auto-tagging of their URLs, (which is pretty standard practice by the way). ​ And they have a user let’s say that searches for ‘treat my high blood pressure’ on Google and they find an ad for our health system, and they go to our website- they click on it- they go to our website and they submit a contact form. ​ Again if you have an unencrypted contact form, and this health information that they’re providing you, which is ‘treat my high blood pressure’ that will go to Google Analytics, as well as their PII, which is coming from the contact form, and then you’ve got another PHI that you’ve exposed to Google Analytics, the 3rd party- again another HIPAA violation.

Now, these two may seem to be relatively innocuous, but I believe that in the future, all of this and HIPAA violations and internet privacy is going to become even more of a hot topic in the years to come so I think it’s best for your own sleep insurance and your own reduction of risk exposure is just by nipping this in the bud.

Now on to how to adjust your Google Analytics code so that you’ve redacted this user data from getting into Google Analytics. First thing that I would recommend you do is take all of your pixels for every single system you’re using to track user data and putting them into Google Tag Manager, that’s just a really clean and tidy place for you to understand what’s working, when things are firing or not firing and just having all your pixels in one place. ​ So now we’re going to focus on making changes to the Universal Analytics Tracking Pixel for Google Analytics. ​

The first thing you need to do is generate a new, user-defined variable. ​ Click on Custom Javascript and copy/paste this bit of code (which we also have in the description to this video below), making sure to change the instances where it says ‘example.com’ to your web domain. ​ Then when saving just call this variable something like ‘customTask - Remove PII Hits from Pageload’. ​ What you’re essentially doing is ensuring to strip all known PII from user data when they arrive on your site, using some RegEx coding through the customTask variable.

Then, create another variable called ‘Google Analytics Settings’. ​ Make the tracking ID ‘{{GA ID}}’ and the fields to set should be ‘customTask’ with the value being ‘{{customTask – Remove PII Hits from Pageload}}’, or whatever you named the first variable. ​ Also, I would hit ‘Enable’ for Display Advertising Features, as you can still gain valuable behavioral data on an aggregate level for demographics, interests, and more. ​ Lastly you’re going to want to tie it all together by creating one more user-defined variable. So go under Variable Configuration and scroll down to Constant, and then you’ll want to insert your specific Google Analytics tracking code into that space there and hit Save. Then, finally hit Submit, and that should be it!

One question you all might be having at this point is regarding remarketing. ​ Technically, it is possible to ​ remarket to users who have been on your website and then abandoned, but you can’t speak to that specific illness because that is part of their health information in a remarketing ad. So for example, if I’m an optometrist and someone visits my website, and they go to one of my subfolder pages speaking to Glaucoma. ​ And then they abandon they go somewhere else on the web, and they’re served up another ad that is speaking to their Glaucoma, well, that could potentially be a HIPAA violation because you’re speaking directly to their health information. Now, theoretically, you could create an ad that speaks a little more generally to eye problems, but you can’t speak to the specific problem of Glaucoma itself, so tread very lightly there in terms of remarketing.

It’s important to note that there are actually some other HIPAA-compliant alternatives for tracking your website. One is Mixpanel, there’s Amplitude, and SiteSelect- some of these are pretty expensive so my recommendation would just be to redact that information and continue using Google Analytics, but again if you want to be super sure and careful, then yes, you could work with these alternatives.

Regarding email- one piece of advice I would say is to make sure that you’re using encrypted email servers because otherwise you’re going to be sending potentially PII and Health Information, which is PHI together, to a 3rd party source, which is the email server that provides your incoming and outgoing emails. So, be careful not to violate there.

It’s important to note that the relationship between your website, the tracking systems that you use, and HIPAA is as complex as it is fluid. ​ That is to say that even though you’ve taken preventive measures to ensure that you’ve reduced your exposure risk to violating HIPAA, this video has done its best to try and reduce that risk, but it’s by no means exhaustive or complete that you might be violating HIPAA in some other way. ​

If you or your business are in any way concerned that you might be violating HIPAA law given your current circumstances, please feel free to reach out to me or anyone on my team and we’ll be happy to do a free audit and try to help you guys out. ​ Thank you guys so much for watching!