Considerations & Deployment Options for Server-side Tracking in Healthcare

In our last post, we explained the difference between client-side and server-side tracking, and offered our perspective that server-side tracking is now foundational for healthcare organizations. But that word “foundational” is important here. Server-side tracking is foundational for healthcare organizations, but not sufficient on its own to achieve HIPAA-compliance while also continuing to support the marketing activities essential for most healthcare organizations.

The Expanded Definition of Protected Health Information (PHI)

Recent HHS guidance regarding HIPAA compliance and digital tracking technologies significantly expanded the commonly understood definition of Protected Health Information (PHI). At a high level, the expanded definition included:

• Extending the protections of HIPAA to all visitors to a Covered Entity’s website, regardless of whether that visitor is a patient or is known to the organization.
• Designating IP address specifically and geographic location generally to be PHI.
• Including information regarding page (URL) visits pertaining to health conditions, treatment options, clinics and physicians as PHI.

So, in concept, any data that may enable a visitor to be personally identified and/or to be associated with a person’s “past, present, or future health or health care or payment for care” is PHI. Most of this information is collected by default by client-side, third-party tracking technology used by nearly all major analytics and advertising platforms, which has created a series problem for any organization covered by HIPAA (aka a “Covered Entity”).

Note: It is generally understood that HIPAA guidelines do not prohibit Covered Entities from collecting PHI – it’s sharing the data that can be prohibited. Instead, what is legally required is an exceptional level of care regarding safeguarding that data. No PHI can be shared with a third-party, except if that third-party has signed a Business Associate Agreement – a contract that obligates that third party to the same level of privacy protection and data safeguards as required of the Covered Entity.

Fundamentally, our view is that three things are required to achieve functional HIPAA compliance for digital marketing purposes (meaning an implementation that achieves HIPAA compliance while still enabling the organization to have access to insights required to maintain their marketing initiatives).

• Controlling Data Collection
• Data Cleansing and De-identification
• Compliant Data Sharing

Controlling Data Collection

Server-side tracking architecture gives healthcare organizations two means of data collection – both of which can be HIPAA-compliant:

1. Server-side tracking can be implemented to only gather data from server logs and other processes that occur on a server and that provide signals regarding user behavior.
2. Alternatively, server-side tracking can be implemented in concert with client-side tracking, but in a manner that collects only first-party data, meaning data that is collected and “owned” by the organization – not gathered by or automatically shared with a third party. (As more restrictive privacy regulations such as HIPAA accelerate the demise of third-party cookies and the platform data that goes with it, first-party data is becoming an essential for all marketers.)

Both approaches give healthcare clients direct control over data collection and an architecture that avoid ungoverned data sharing with third parties.

The approach we take when implementing a HIPAA-compliant tracking solution for our clients is to replace all client-side tracking with a new, Private Client ID. This Private Client ID becomes our sole source of data collection, with no third-party tracking or data collection on the client browser or application. The only data collected is what is explicitly approved by each client’s marketing and compliance teams, leaving our clients in complete control of HIPAA-compliant data collection.

Data Cleansing and De-identification

Nearly all healthcare organizations leverage digital marketing to support their operations. And effective digital marketing requires sharing essential tracking data with advertising and marketing partners. But none of the widely used advertising (META, Trade Desk, etc) or analytics platforms (e.g., Google or Adobe) will sign BAA’s for their core analytics offerings, so how can data be shared to support critical marketing initiatives?

The approach we’ve found to be successful with our clients is to cleanse and de-identify tracking data to enable sharing with a third-party that isn’t under BAA. By taking this approach, we enable our clients to continue to use the platforms and partners they rely on and know well, while ensuring PHI is never shared.

More specifically, we implement systems that monitor for sensitive data in URLs, removing or de-identifying such information when detected. For example, URL data that includes health condition, treatment or physician information is replaced with hashed values that de-identify that information in the URL before sharing.

Data cleansing is most easily executed within a HIPAA-compliant data hub – a key part of advanced, server-side tracking implementations that also enables HIPAA-compliant data sharing.

Data Sharing

Because server-side tracking implementations leverage communication via API (server-to-server) to facilitate data sharing, this method offers healthcare organizations the opportunity to define and enforce what data is shared with third parties. When implementing HIPAA-complaint tracking, we’re able to provide clients with discrete control over data shared with each partner, down to a single attribute.

So for example, we may pass only a conversion event to one advertising partner and a conversion plus pseudonymous ID to a different advertising partner while passing all cleansed and de-identified data to Google Analytics. We can achieve this a number of different ways, but our preferred method is to use a HIPAA-compliant, cloud-based data hub. For several reasons, our favored HIPAA-compliant data hub is Tealium EventStream:

• Their architecture elegantly supports our Private Client ID, Data Cleansing and De-identification solutions
• EventStream has an extensive library of third-party “connectors”, which saves us the time required to implement our own connectors
• Like Wheelhouse DMG, Tealium does enter into BAA’s with their clients

Benefits for Healthcare Organizations

Using the architectural approach outlined above for server-side tracking creates several benefits for healthcare organizations:

• Puts the healthcare organization in full control of HIPAA compliance for digital tracking. Compliance is enforced at the data collection, data cleansing and data sharing levels, which enables healthcare organizations to continue using the platforms and partners they wish, while ensuring HIPAA compliance.
• Can be configured and updated to adjust to changes in the regulatory environment. Data collection, cleansing and sharing is governed by rules and libraries that can easily be updated in response to changes in the regulatory environment.
• Offers a platform-agnostic approach that enables healthcare organizations to work with any third-party partner or platform that supports API-based integration.